
Analysis

  • max time kernel: 130s
  • max time network: 140s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 05/04/2024, 03:43

General

  • Target: c9e277601c4bedaba072f547c145c3c5_JaffaCakes118.exe
  • Size: 14KB
  • MD5: c9e277601c4bedaba072f547c145c3c5
  • SHA1: a4b725665c0f7ce654989b80fdba168096de776d
  • SHA256: 39897d9370763b63b14ff3e57abd9bd7f590d7a19586ee32afe2f9df191ba009
  • SHA512: dbbd47e998fce696d72efc82083537bc39eda85aad03d331b880959ef864ae66640680e895360d904a630c4db01fbd617dcb79bef8644e506fe1a4c1ec1a8495
  • SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZXdH2Q:hDXWipuE+K3/SSHgx3NH2Q

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (6 IoCs)
  • Loads dropped DLL (6 IoCs)
  • Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
  • Suspicious use of WriteProcessMemory (24 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c9e277601c4bedaba072f547c145c3c5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c9e277601c4bedaba072f547c145c3c5_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Users\Admin\AppData\Local\Temp\DEM2AC8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2AC8.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Users\Admin\AppData\Local\Temp\DEM7FF9.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM7FF9.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2460
        • C:\Users\Admin\AppData\Local\Temp\DEMD50B.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMD50B.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2696
          • C:\Users\Admin\AppData\Local\Temp\DEM2A1C.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM2A1C.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1860
            • C:\Users\Admin\AppData\Local\Temp\DEM7F2E.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM7F2E.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:652
              • C:\Users\Admin\AppData\Local\Temp\DEMD450.exe
                "C:\Users\Admin\AppData\Local\Temp\DEMD450.exe"
                7⤵
                • Executes dropped EXE
                PID:2488
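The tree above is a seven-stage drop-and-execute chain: every image lives in the user's Temp directory and each stage spawns the next, with the intermediate stages named DEM####.exe. One way to detect that behaviour from process-creation telemetry is to walk parent/child links and flag chains of Temp-resident executables that reach an unusual depth. The script below is an added example, not code from the report or from Triage: the PIDs and image paths are taken from the tree on this page, while the sample's own parent PID, the explorer.exe/notepad.exe noise events and the event field names (pid, ppid, image) are constructed assumptions rather than any particular EDR schema.

```python
"""Flag recursive drop-and-execute chains rooted in %TEMP% (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Matches images under C:\Users\<user>\AppData\Local\Temp\ (case-insensitive).
TEMP_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# Three Temp-resident executables deep is already rare for legitimate installers;
# the sample on this page goes seven deep.
MIN_DEPTH = 3


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed events reproducing the process tree from the report. PIDs and
# image paths are from the page; the sample's parent (PID 1000, assumed to be
# explorer.exe) and the notepad.exe event are invented noise.
SAMPLE_EVENTS = [
    ProcEvent(1000, 500, r"C:\Windows\explorer.exe"),
    ProcEvent(2176, 1000, TEMP + r"\c9e277601c4bedaba072f547c145c3c5_JaffaCakes118.exe"),
    ProcEvent(2668, 2176, TEMP + r"\DEM2AC8.exe"),
    ProcEvent(2460, 2668, TEMP + r"\DEM7FF9.exe"),
    ProcEvent(2696, 2460, TEMP + r"\DEMD50B.exe"),
    ProcEvent(1860, 2696, TEMP + r"\DEM2A1C.exe"),
    ProcEvent(652, 1860, TEMP + r"\DEM7F2E.exe"),
    ProcEvent(2488, 652, TEMP + r"\DEMD450.exe"),
    ProcEvent(3001, 1000, r"C:\Windows\System32\notepad.exe"),
]


def in_temp(image: str) -> bool:
    """True if the image path is under the user's Temp directory."""
    return bool(TEMP_DIR.match(image))


def temp_chains(events: list[ProcEvent], min_depth: int = MIN_DEPTH) -> list[list[str]]:
    """Return every maximal parent->child chain of Temp-resident processes
    whose length is at least min_depth, as lists of image paths.

    A chain starts at a Temp-resident process whose parent is not itself
    Temp-resident (or is unknown), and follows only Temp-resident children.
    """
    by_pid = {e.pid: e for e in events}
    children: dict[int, list[ProcEvent]] = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    def parent_in_temp(e: ProcEvent) -> bool:
        parent = by_pid.get(e.ppid)
        return parent is not None and in_temp(parent.image)

    roots = [e for e in events if in_temp(e.image) and not parent_in_temp(e)]
    chains: list[list[str]] = []

    def walk(e: ProcEvent, path: list[str]) -> None:
        path = path + [e.image]
        temp_kids = [c for c in children[e.pid] if in_temp(c.image)]
        if not temp_kids:
            if len(path) >= min_depth:
                chains.append(path)
            return
        for c in temp_kids:
            walk(c, path)

    for r in roots:
        walk(r, [])
    return chains


if __name__ == "__main__":
    for chain in temp_chains(SAMPLE_EVENTS):
        print(f"Temp-resident chain, depth {len(chain)}:")
        for hop, image in enumerate(chain, 1):
            print(f"  {hop}. {image}")
```

Running it on the constructed events reports one chain of depth 7 from the JaffaCakes118 sample down to DEMD450.exe and ignores the explorer/notepad noise. The depth threshold, rather than the DEM prefix, is what carries the detection: the stage names are easy for an author to change, while a chain of Temp-resident executables each launching the next is the behaviour the report's "Executes dropped EXE" and "Loads dropped DLL" signatures are counting.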

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM2AC8.exe
    Filesize: 14KB
    MD5: 3e148326935c9403a27fe2103207ebbd
    SHA1: e0dbeb6ed7a7adf8a08a8d1ad1407b9b211d5abf
    SHA256: 9ccb1b6f3a6895bd43a2e30b4dbe36cbd0e1a05ae0212c666463260f87ba9427
    SHA512: fdd5f95ccf48db569fda80081f292e747bb0da88e2c71b57952b2dfeef7cb146a94d58ba9fe73935705d9de74f568225a0cea13d4c27e0e6d41e813a37cca6eb

  • C:\Users\Admin\AppData\Local\Temp\DEM7F2E.exe
    Filesize: 14KB
    MD5: 5db526fad85bd2336f5d297c5ae7f2c8
    SHA1: 2eb970af251e13816c00306a208f126bb023eb81
    SHA256: 93964af5ddaee2fd5369629e6145e67118940eb04789e41d3e457f4828b352d1
    SHA512: 231fdf070527a7a66a3bed93e9b0c3e72b9a39a18d47c8e37bfd3530542a5e2f9ed1b810889a8bad2f8aa80b9f03ac9b47d5d9f9f7c745a5f9ca7d3b08472d3a

  • C:\Users\Admin\AppData\Local\Temp\DEM7FF9.exe
    Filesize: 14KB
    MD5: eac1497901c5489b4749f487a1015d32
    SHA1: 3ea08d8a5fda285dc1613e86d07cbfa1e4102156
    SHA256: e940981ad7c1900fc9e67a660087b3277a5426f628c4cbd7e4269252b30e9bee
    SHA512: ccb2f47416611e2206905e74630dbbe065397badbeac11ec5075e79b986ad3080c97bbd2d8aec573789ed90a70e75cda8f8923d035840ba332fc6b7515a2ae89

  • \Users\Admin\AppData\Local\Temp\DEM2A1C.exe
    Filesize: 14KB
    MD5: 630ae070a71ee2928a6ec3b497d8f023
    SHA1: 4b59c5a66b89b3c5c27e509c48190d5e39b6bc36
    SHA256: 8cffce74aff40354e32126623f225895ae8985d5fee89a67e08714e889fb74cd
    SHA512: ccc7b90692f4eadade730c70c8c4d6e6d89c724e1ceea02ef980966450befd9526e346663b6caac5ac938dac2e076a8ed59d8b1e2026a0fd25f6e5747486ad9f

  • \Users\Admin\AppData\Local\Temp\DEMD450.exe
    Filesize: 14KB
    MD5: 984f348a783d26aba77635f38ede889c
    SHA1: b966417dbbb0a67f5044ea6e6645f554a3d6e8e0
    SHA256: d01cd2dcdfcd694c88ed9f279fe8ca491ae110edce872e6ec117660f99b13902
    SHA512: 99a274e730995c43cd8d4fc8876ac19afc865103454c8bb2a24b37fead595b0e50e7969f7a0c063929d93e0339104daf39bf434a2413e7596f36d244593b554e

  • \Users\Admin\AppData\Local\Temp\DEMD50B.exe
    Filesize: 14KB
    MD5: 46679d227b78e055c11199214750481f
    SHA1: e6211a4623614752cb05b1e787f4767594097d8d
    SHA256: 49ae6e0f8ac8b4b959dac8a78eb0734bdf3778e138e2c21b1d27accd17b68c5d
    SHA512: f20afff30e8bf419feb2c67b0a6650b404524ec7682c36d4c51c4a6b4865875e3b515c13dc71ff5a9139f19744a12acb17c47be44e709188b9fab81ca89ff562