Analysis

  • max time kernel
    131s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/04/2024, 01:51

General

  • Target

    c7914dbe9884a7e18ac279033e5020fc_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    c7914dbe9884a7e18ac279033e5020fc

  • SHA1

    0d8d0bb22079b88f253ec28e32153f8da50b36df

  • SHA256

    31dacb0e4b58b7d12e82ca3991afe7462ec64359a4f7ef9f51f4a47123a99cda

  • SHA512

    a501d9ae505f64199165da4541b48ca2d14cfa52ff9528a716fc761397c299963a3daf627340ed9a3ae8631052d7fd0b57e797cd947bb253faa15b7123633706

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh5RAnCg:hDXWipuE+K3/SSHgxfg

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7914dbe9884a7e18ac279033e5020fc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c7914dbe9884a7e18ac279033e5020fc_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Users\Admin\AppData\Local\Temp\DEM23A7.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM23A7.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Users\Admin\AppData\Local\Temp\DEM7974.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM7974.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:500
        • C:\Users\Admin\AppData\Local\Temp\DEMCF12.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMCF12.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2756
          • C:\Users\Admin\AppData\Local\Temp\DEM2491.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM2491.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1900
            • C:\Users\Admin\AppData\Local\Temp\DEM7A4E.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM7A4E.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:2940
              • C:\Users\Admin\AppData\Local\Temp\DEMD02B.exe
                "C:\Users\Admin\AppData\Local\Temp\DEMD02B.exe"
                7⤵
                • Executes dropped EXE
                PID:1232

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM23A7.exe

    Filesize

    14KB

    MD5

    90ac4ecb92d76467448edd0aa5f7b98c

    SHA1

    24bbf09eed184753b9267821595549beee61d300

    SHA256

    94b77cce9b6d96771ccdb22d08f54b6f26712a4b01603fb2e7ba02a2714bd78f

    SHA512

    45fc88df340f8eaaf2edc3e31a381fea40c18f90a2c3ad4d218b8c7512f866744adf5801b8ce8d080ef6368f5c427934048332497eecdb3af6fa7408504c1fd3

  • C:\Users\Admin\AppData\Local\Temp\DEM7974.exe

    Filesize

    14KB

    MD5

    aa30e4d1963f43de2faabd1718e3f28a

    SHA1

    784b8e1e9e7cda8edf8fa2f4de935643758cd282

    SHA256

    aa2c5843a79833e9dc4032778faa7d12a1bed8fa289f868b99a4477fa73c74f2

    SHA512

    8726b58e01aa371da157ed8b691e40ba76fa6ac4a15e5317ffd7d0de9731559059791a4838f7765488eb85df56a49b562587f55a48763eaccf2cc353d0e37074

  • C:\Users\Admin\AppData\Local\Temp\DEMD02B.exe

    Filesize

    14KB

    MD5

    560cae4f0298d20a2ec35f5f3ff785ae

    SHA1

    67011d9e9babe5d7a59cf1037cb4d17317efeeaa

    SHA256

    b3c2c9dd4a22248b1051f9be5682da76363fa942d1d06a101017451d7d7330a1

    SHA512

    86bebca097b9dd0a6b631bf7593bf4f2e6febb53f0b1f7554ba76a36306bca813739e5744d5750af90f82750f71185ba2751cd8cd949144d1aec9d39720b04e6

  • \Users\Admin\AppData\Local\Temp\DEM2491.exe

    Filesize

    14KB

    MD5

    6b1928951198670791da053bffe2e3ee

    SHA1

    07e40334b7bfa161df14053578ba7933abeaa8c3

    SHA256

    8767d07cff774c75394242e7fa2b00fd82812bd43eea1c49cc3937cf3e33520f

    SHA512

    8fd57608268fbfc7a9639b67b39c725a8487fb3c58860443708b183cba31fc61dcb11a21e2e37d7d0c578f121b4e3d6249afd2e9e3d00aecc7560923ee008455

  • \Users\Admin\AppData\Local\Temp\DEM7A4E.exe

    Filesize

    14KB

    MD5

    47418811a670e3daa385a588ad5667a8

    SHA1

    cf7bf43a43acc5f7bdabdcdc663b6a138181fe0d

    SHA256

    9804e4e85bb74fcded27f5b0459c878463a00c81ccd61e87a984d2be95349f7e

    SHA512

    095f14b113d9569194e4460afbe26d7f392e2964b7f0b07209ff8fa6a8a5e8f3dbaa28f82ea46146450fa7bc37847a64779454fb0cc38d3b98aa0f63c42ddd97

  • \Users\Admin\AppData\Local\Temp\DEMCF12.exe

    Filesize

    14KB

    MD5

    8d41c3bd29e49914af27014ed01aa4ba

    SHA1

    2bb98169ac12750c3f853927512dce6b8335065e

    SHA256

    12c45b9f0ddc989e8af94350e7bf774b56c08dc09838c45bd6257d9763ede40b

    SHA512

    35e0f8f897bbfcf69f7840a2491397685486047ddbf200a77f49c903bb5471b7f4364997894debcfd6efd221b760436547a73014e81581854df0e518a344ba21