Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/04/2024, 03:43

General

  • Target

    c9e277601c4bedaba072f547c145c3c5_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    c9e277601c4bedaba072f547c145c3c5

  • SHA1

    a4b725665c0f7ce654989b80fdba168096de776d

  • SHA256

    39897d9370763b63b14ff3e57abd9bd7f590d7a19586ee32afe2f9df191ba009

  • SHA512

    dbbd47e998fce696d72efc82083537bc39eda85aad03d331b880959ef864ae66640680e895360d904a630c4db01fbd617dcb79bef8644e506fe1a4c1ec1a8495

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZXdH2Q:hDXWipuE+K3/SSHgx3NH2Q

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c9e277601c4bedaba072f547c145c3c5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c9e277601c4bedaba072f547c145c3c5_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4004
    • C:\Users\Admin\AppData\Local\Temp\DEM61D7.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM61D7.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3620
      • C:\Users\Admin\AppData\Local\Temp\DEMBB70.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMBB70.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2964
        • C:\Users\Admin\AppData\Local\Temp\DEM1354.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM1354.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:832
          • C:\Users\Admin\AppData\Local\Temp\DEM6B19.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM6B19.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3760
            • C:\Users\Admin\AppData\Local\Temp\DEMC31C.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMC31C.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:3684
              • C:\Users\Admin\AppData\Local\Temp\DEM1B10.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM1B10.exe"
                7⤵
                • Executes dropped EXE
                PID:920

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM1354.exe

    Filesize

    14KB

    MD5

    ce280ed8be3abc90f7afe6ebe7cebe76

    SHA1

    2c382169e13dd25dcf0a9deb4e439b5e428b824b

    SHA256

    067efe206d85249fed614c427e645bd6858066fbd6e30e14bff32ea47b84efa5

    SHA512

    54fd6b1ea2f327056b4d4e50ab7407c6b153957f4f13a3a0a163221b4ec12aa91d4067673ca3f11d159daac8d0805225a1310ba0cb13a5f7c35986ac385051bb

  • C:\Users\Admin\AppData\Local\Temp\DEM1B10.exe

    Filesize

    14KB

    MD5

    e3f6cae6dca2d6b745a965ac6533e179

    SHA1

    488a6f83e799e39852330000983fd6a3b33899fa

    SHA256

    e9414c293e95491e007f858d47dc90bcb7e370fa3c82553a417655ca52d06b0e

    SHA512

    d73132020fab3da753bcd917790ba3b845858b83635eb6b93ccfa43b21b3bc9b88ef0d5c588e04494d814c0053299da3bff719f51bca9fe3b30f291ad9618f4b

  • C:\Users\Admin\AppData\Local\Temp\DEM61D7.exe

    Filesize

    14KB

    MD5

    ad4543877e0019077c73ebe4d39f3269

    SHA1

    8bdffd0c4c43333cb56f03e7a5c983eaae063760

    SHA256

    6e01b2f6364e2f9be213600f0fc98f1d345979a46abcd3da6e87443597881c6e

    SHA512

    b54e56233b7b11b04bbd69e1db395dc2f6d597750f084733b6835594ea071c0a86c03a4cfad4880a2a464ed1fa1f228bf2c590b284f29356c00f3c6e0624494f

  • C:\Users\Admin\AppData\Local\Temp\DEM6B19.exe

    Filesize

    14KB

    MD5

    a84dfb4d611e425678151dddec66e063

    SHA1

    023d046c7b8dd355e6b402b44a9241a05d3778af

    SHA256

    6579e99403a585838f59e66e3a0331b4a243e9c37ce198da8caff8e382634c21

    SHA512

    cf77b2c066fbfbdd777b33a7a12d051124cc56ad1a66e63301317b25176ba5cff792d3124f474d3f2553c2bbac8673f499e8a670460475c330335bc37c492fa5

  • C:\Users\Admin\AppData\Local\Temp\DEMBB70.exe

    Filesize

    14KB

    MD5

    c0c022f467801e0b78e8468dfd72da32

    SHA1

    3d818ffb413689a5fb0c77e81e486b6429fa182f

    SHA256

    df2fc795bcf34380f1f48bce5907f72ac639bccce9d22f232eaeb3f2785420b8

    SHA512

    8abe141a19696a46faf21f7d9e83e4361efbe73e3b01e0f14841ce9bdb7036ae72c27ecf80ecff0b62724f369c5a2e1d9d3411a7a050c3a327bd0d1b246b2ff2

  • C:\Users\Admin\AppData\Local\Temp\DEMC31C.exe

    Filesize

    14KB

    MD5

    784a8642f7673e5d908c5896c715d772

    SHA1

    bad168ecfde8399e89c299b6b8333ed18d118862

    SHA256

    1a0921c63349150ec70dc88bdc907995aee9759b43f73d9e59a2cea1e53ce6da

    SHA512

    e67478cb911816a07bdcf834d272b0b25d6f44a453dbcf0796898983542ab120545ea82d8279e6db81de78b2070092376bf523791a689553c226d17295dba491