Analysis
max time kernel: 134s
max time network: 146s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 05/04/2024, 01:46
Static task: static1
Behavioral task: behavioral1
  Sample: c77589d49fba08a129ff3fa1012d2709_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c77589d49fba08a129ff3fa1012d2709_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: c77589d49fba08a129ff3fa1012d2709_JaffaCakes118.exe
Size: 14KB
MD5: c77589d49fba08a129ff3fa1012d2709
SHA1: 30c5618c55d226880493435e823b1e01cf27b023
SHA256: 266ae15d7eb24bbeadae42e9a7ed31dd99c1ea954197a762547b6d85cc7be86d
SHA512: f280c69eaadfdab581ef354067d182c77b114af823b335c99647281a1372a6aa5f2f90b6de4b3e0e1faa6a4fd2df6b60a2a17ee015f306478746b5bef3630d5c
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5u:hDXWipuE+K3/SSHgxm8
Malware Config
Signatures
Executes dropped EXE (6 IoCs)
  pid   Process
  2852  DEM4A0B.exe
  2808  DEMA18D.exe
  1820  DEMF834.exe
  2604  DEM4EEB.exe
  576   DEMA5B1.exe
  2796  DEMFD24.exe
Loads dropped DLL (6 IoCs)
  pid   Process
  2236  c77589d49fba08a129ff3fa1012d2709_JaffaCakes118.exe
  2852  DEM4A0B.exe
  2808  DEMA18D.exe
  1820  DEMF834.exe
  2604  DEM4EEB.exe
  576   DEMA5B1.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (24 IoCs)
  description                        pid   Process                                              procid_target
  PID 2236 wrote to memory of 2852   2236  c77589d49fba08a129ff3fa1012d2709_JaffaCakes118.exe  29
  PID 2236 wrote to memory of 2852   2236  c77589d49fba08a129ff3fa1012d2709_JaffaCakes118.exe  29
  PID 2236 wrote to memory of 2852   2236  c77589d49fba08a129ff3fa1012d2709_JaffaCakes118.exe  29
  PID 2236 wrote to memory of 2852   2236  c77589d49fba08a129ff3fa1012d2709_JaffaCakes118.exe  29
  PID 2852 wrote to memory of 2808   2852  DEM4A0B.exe                                          33
  PID 2852 wrote to memory of 2808   2852  DEM4A0B.exe                                          33
  PID 2852 wrote to memory of 2808   2852  DEM4A0B.exe                                          33
  PID 2852 wrote to memory of 2808   2852  DEM4A0B.exe                                          33
  PID 2808 wrote to memory of 1820   2808  DEMA18D.exe                                          35
  PID 2808 wrote to memory of 1820   2808  DEMA18D.exe                                          35
  PID 2808 wrote to memory of 1820   2808  DEMA18D.exe                                          35
  PID 2808 wrote to memory of 1820   2808  DEMA18D.exe                                          35
  PID 1820 wrote to memory of 2604   1820  DEMF834.exe                                          37
  PID 1820 wrote to memory of 2604   1820  DEMF834.exe                                          37
  PID 1820 wrote to memory of 2604   1820  DEMF834.exe                                          37
  PID 1820 wrote to memory of 2604   1820  DEMF834.exe                                          37
  PID 2604 wrote to memory of 576    2604  DEM4EEB.exe                                          39
  PID 2604 wrote to memory of 576    2604  DEM4EEB.exe                                          39
  PID 2604 wrote to memory of 576    2604  DEM4EEB.exe                                          39
  PID 2604 wrote to memory of 576    2604  DEM4EEB.exe                                          39
  PID 576 wrote to memory of 2796    576   DEMA5B1.exe                                          41
  PID 576 wrote to memory of 2796    576   DEMA5B1.exe                                          41
  PID 576 wrote to memory of 2796    576   DEMA5B1.exe                                          41
  PID 576 wrote to memory of 2796    576   DEMA5B1.exe                                          41
Processes
- C:\Users\Admin\AppData\Local\Temp\c77589d49fba08a129ff3fa1012d2709_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c77589d49fba08a129ff3fa1012d2709_JaffaCakes118.exe"
  PID: 2236
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DEM4A0B.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DEM4A0B.exe"
    PID: 2852
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\DEMA18D.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DEMA18D.exe"
      PID: 2808
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\DEMF834.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\DEMF834.exe"
        PID: 1820
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\DEM4EEB.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\DEM4EEB.exe"
          PID: 2604
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\DEMA5B1.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\DEMA5B1.exe"
            PID: 576
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Local\Temp\DEMFD24.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\DEMFD24.exe"
              PID: 2796
              - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 15KB
MD5: d34c1bd5ea3a0c35b9a493808a353792
SHA1: 4c475afe77c142da0dc6b6b38d0073b312ca1f62
SHA256: b0d42fdcc548776273aa8872c41792a2348493da840aa5728341d157e2706a57
SHA512: 67dba2e972f3e40a0730f798ac406102c44f6d8d0547f9f78dca3fd9348889c520b05df2b68e0909fea19634a64ce4bff822ad15b4f73f708b10161ae8b10be9

Filesize: 15KB
MD5: 36a05777f2e4dae032d1cbca7ce5027f
SHA1: be93f09c204484f29bfd148717df59656e13f25c
SHA256: 0aada2382e70bf081bcae54c9c524f4b133671fcc0a5dfad85f3b67bb4eaefce
SHA512: b72ce131d7078c6efb65a03c80f2ef5786ee0c4c98df16c4f57200fd81a987250bb77c6cbab2a085c04145dc4a7825d6c71a86e8cf69754b5c13d1badfe69fc1

Filesize: 15KB
MD5: f1678ded344ed4e26abfc9d4a1b9630c
SHA1: bc7698a9d0f330e3f5fda8465bfaeecf6eba9f2f
SHA256: 4346c2ae2956f7bd8563a8babca5a1c275235862e128eba93133554db7fd89bd
SHA512: 7091af7aff52144478d7c0dccd58e748b003e6434b324a0a64dba5424b5e4457da2c8ccd952d4c9067429c08ef7d60bf59d6bd50dfb62b503433564bb40387a8

Filesize: 15KB
MD5: 08660aa37a1c675203690230cff201fd
SHA1: a234ecb9ec50680fbfeae13ecb7d66fea79b24c9
SHA256: c18cf58517beb101139f95f6dcbbbebaa1aa19bc399fbbe79770d51663810af3
SHA512: ec5574eadf2fffbb17d59f4eac5b1a592607169dc06a96bdbe3ed39c1367e0a4b8fe68312bda646cdfb6408128c0cf828921b645f4f4f9933671a2028117a68e

Filesize: 15KB
MD5: cb3ce50fcf38767878409cff9c36673e
SHA1: 3a9e8d364cd03145d5da6353935f98081e5a05ac
SHA256: 94fe994fd9d85a4cab269e7dbc7f9966eeb3e0d214f4da4254726e5d08525969
SHA512: 0f20620c35fd6a3746898ef787fd7e8da48550c05564f80440d78ec04f873ef48f7dea4b927aaf89bf8db18712008b04f59673e912259903296397bd514e5737

Filesize: 15KB
MD5: f3c53b69e720508f1be029719ca33cc2
SHA1: b4ec2316c55e66cd39abe09f501c08f1d6c0d2f8
SHA256: cd4f2591bee46a000ae13579751e4adab3713afc38aaeb3e9a5e14cf2c7adf1b
SHA512: 2e910baf6f674fdd8edef1fff41a0f33e49104d69aae94986106a558dc7887b1c7eab8258b828241cdf64302f90ebfdfa591d854e1ffd2ab4130eda5c43e66ed