Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240226-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    05/04/2024, 14:38

General

  • Target

    d68c702351756d970a4f81c64823fd4b_JaffaCakes118.exe

  • Size

    15KB

  • MD5

    d68c702351756d970a4f81c64823fd4b

  • SHA1

    f42d712a0a5e05209462fc7ce0f4eb8e250d8f6e

  • SHA256

    a56235728ba2871b53b27ea41139b183c4a5d11a76f3187beaca63730df5b560

  • SHA512

    cdae8b5720d96b1d2c3f7f0146f06c97cca1bc18f3d53aabd4ba4260727071a24016f9dc9d2badd9fe7c67e175ac666f165b2b12561386dd33baf6abc1f02f7c

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJdS:hDXWipuE+K3/SSHgxhS

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 6 IoCs)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (6 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d68c702351756d970a4f81c64823fd4b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d68c702351756d970a4f81c64823fd4b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Users\Admin\AppData\Local\Temp\DEM5FC3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5FC3.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4244
      • C:\Users\Admin\AppData\Local\Temp\DEMB8E0.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMB8E0.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3596
        • C:\Users\Admin\AppData\Local\Temp\DEM10E3.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM10E3.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4144
          • C:\Users\Admin\AppData\Local\Temp\DEM68A8.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM68A8.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4316
            • C:\Users\Admin\AppData\Local\Temp\DEMC00F.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMC00F.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:1212
              • C:\Users\Admin\AppData\Local\Temp\DEM1718.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM1718.exe"
                7⤵
                • Executes dropped EXE
                PID:4892

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM10E3.exe

    Filesize

    15KB

    MD5

    07f24eb9df0697e0c10b35f94062d681

    SHA1

    d5024782e135a0b0ebd9d99b8fa83a137016b44a

    SHA256

    18c4c8aca3801909da44b775fb92a79a4c35e485b8cde1efdbfd19c8dac5140c

    SHA512

    990ced637df80319ae92cc16a0528f0f43a3640d5cc15d60ff4e4ced0acb6946179ed0efb50acfe7af7bc37838c21ff9b3cabb25c5194f869bf0d21e9409e858

  • C:\Users\Admin\AppData\Local\Temp\DEM1718.exe

    Filesize

    15KB

    MD5

    2ac0c4754b6a5dbdccd62285c0dbf4b3

    SHA1

    32ca2c909574078ec949b5686d539e254d7d3e64

    SHA256

    473cb4b5a9e71c26989757effdd0deda4cc122368ca24985093c5520e01f42c6

    SHA512

    b72a16bf54b78e09d6ad9a5fcc08f8e5a8f4975b1fd55d20f2e19a2e3636bf57394e9ee1c91461689cf50e564d33043ba5381a17e36dfb2b3fb22a615f5d2e0c

  • C:\Users\Admin\AppData\Local\Temp\DEM5FC3.exe

    Filesize

    15KB

    MD5

    287e728c5b2dac38e0af0ea0831a7908

    SHA1

    169cb9cab0e07f0b955bebd631b09da2822c25f0

    SHA256

    559888fc7b3bd75deb082e6b18ac022d1e8d1f3dd5ff53750ffb5f04485e44cf

    SHA512

    edfe3b41466d3900c185c3c4eb38179db7b80a0064e686e51887e10a5f8c40b9dcdd860903497d02c6197504f4488df36fb7fcf9cd596732278caca92b3a34dd

  • C:\Users\Admin\AppData\Local\Temp\DEM68A8.exe

    Filesize

    15KB

    MD5

    9b0e247f35f0387b246e61155d3e8f0e

    SHA1

    91c2244f83798717d3ebc0d7400bbbf0e77ad0eb

    SHA256

    83cbec7ae88821bf234cabae71625e7dacafd19b0b473b40e22cb653fdcb60c3

    SHA512

    072494a8560c2b24852adf19814209b13b2b16e7f34d334b1b42d2cbdd02de0e3f3b2f5edda0116e8a82611f362221d9eea874a4dd289ce3edc2180e8c0b808d

  • C:\Users\Admin\AppData\Local\Temp\DEMB8E0.exe

    Filesize

    15KB

    MD5

    67646e47cdc19841445d87599bd2749b

    SHA1

    a250cadb16111814b9a6ce19bc55ff4d7ab6f17a

    SHA256

    74d6b9382b8a91dc70f88e83a36fc6984c83e588c3dd005e9f58cda69dfed7a2

    SHA512

    30008dc2712aa500d9ac0fa82efa9e697fb73a2bb72c036e6d6ad9917aa766799190f88d6aeea5c82a147aa459c6b3642afab9867cde6ec1d744621d05da1eb8

  • C:\Users\Admin\AppData\Local\Temp\DEMC00F.exe

    Filesize

    15KB

    MD5

    d58a1364cd4b4e73511f312e2911dbb1

    SHA1

    a79ecd73eb3a7fbbeb217aa25461a471f12753a3

    SHA256

    87903ec8e2c059fbd192014b1fa4fe135181e48ee3cc24b92b1f3c07e571e47c

    SHA512

    2b85f57f46082b15e9fcd5cebd1c16979750bbc523243f3459b3beb59831348133d20ef16a5c62eddfe3a5500311297bad1923530b928d28b1b8b68bc555b3a7
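The process tree and the Downloads list together describe one pattern: the submitted sample writes a new 15KB executable into %TEMP%, runs it, and that stage does the same, seven processes deep, with every stage carrying a different MD5/SHA1/SHA256. Hash-based blocking is weak against that, but the chain shape itself is a sturdy signal. The Python below is a worked detection example added here; it is not part of the tria.ge report and not the sample's own code. It takes process-creation records in the shape of a few Sysmon Event ID 1 fields (ProcessId, ParentProcessId, Image, Hashes), constructed from the PIDs, paths and SHA256 values the report shows, plus three made-up benign processes (PIDs 2212, 5100 and 5200, explorer.exe, notepad.exe and a lone installer in Temp), flags Temp-to-Temp spawn chains, and cross-checks the hashes in each chain against the report's Downloads list.

```python
"""Hunt for the nested %TEMP% dropper chain shown in this report's process tree.

Added example, not part of the tria.ge report. The events below are CONSTRUCTED
in the shape of a few Sysmon Event ID 1 (process creation) fields, using the
PIDs, image paths and SHA256 values the report shows; PIDs 2212, 5100 and 5200
and the three non-sample processes are made up for the demo.
"""
from __future__ import annotations

import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# (pid, parent pid, file name, SHA256) for each stage, in spawn order, from the report.
STAGES = [
    (1716, 2212, "d68c702351756d970a4f81c64823fd4b_JaffaCakes118.exe",
     "a56235728ba2871b53b27ea41139b183c4a5d11a76f3187beaca63730df5b560"),
    (4244, 1716, "DEM5FC3.exe", "559888fc7b3bd75deb082e6b18ac022d1e8d1f3dd5ff53750ffb5f04485e44cf"),
    (3596, 4244, "DEMB8E0.exe", "74d6b9382b8a91dc70f88e83a36fc6984c83e588c3dd005e9f58cda69dfed7a2"),
    (4144, 3596, "DEM10E3.exe", "18c4c8aca3801909da44b775fb92a79a4c35e485b8cde1efdbfd19c8dac5140c"),
    (4316, 4144, "DEM68A8.exe", "83cbec7ae88821bf234cabae71625e7dacafd19b0b473b40e22cb653fdcb60c3"),
    (1212, 4316, "DEMC00F.exe", "87903ec8e2c059fbd192014b1fa4fe135181e48ee3cc24b92b1f3c07e571e47c"),
    (4892, 1212, "DEM1718.exe", "473cb4b5a9e71c26989757effdd0deda4cc122368ca24985093c5520e01f42c6"),
]
REPORT_SHA256 = {sha: name for _, _, name, sha in STAGES}  # IOC set from the Downloads section

ZERO = "00" * 32  # placeholder hash for the constructed benign processes

SAMPLE_EVENTS = [
    {"ProcessId": 2212, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe", "Hashes": f"SHA256={ZERO}"},
    {"ProcessId": 5100, "ParentProcessId": 2212, "Image": r"C:\Windows\System32\notepad.exe", "Hashes": f"SHA256={ZERO}"},
    # a single installer run from Temp: worth a look on its own, but not a chain
    {"ProcessId": 5200, "ParentProcessId": 2212, "Image": f"{TEMP}\\setup_tool.exe", "Hashes": f"SHA256={ZERO}"},
] + [
    {"ProcessId": pid, "ParentProcessId": ppid, "Image": f"{TEMP}\\{name}", "Hashes": f"SHA256={sha}"}
    for pid, ppid, name, sha in STAGES
]

TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)


def is_temp_exe(image: str) -> bool:
    """True when the image is an .exe directly under a user's %LOCALAPPDATA%\\Temp."""
    return TEMP_EXE_RE.search(image) is not None


def sha256_from_hashes(hashes: str) -> str | None:
    """Pull the SHA256 out of a Sysmon 'Hashes' field such as 'MD5=..,SHA256=..,IMPHASH=..'."""
    for part in hashes.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def temp_chains(events: list[dict]) -> list[list[dict]]:
    """Every maximal parent->child chain in which each process is a Temp .exe spawned
    by another Temp .exe. A chain's root is a Temp .exe whose parent is not one."""
    by_pid = {e["ProcessId"]: e for e in events}
    children: dict[int, list[dict]] = {}
    for e in events:
        children.setdefault(e["ParentProcessId"], []).append(e)

    def parent_is_temp_exe(e: dict) -> bool:
        parent = by_pid.get(e["ParentProcessId"])
        return parent is not None and is_temp_exe(parent["Image"])

    chains: list[list[dict]] = []

    def walk(e: dict, path: list[dict]) -> None:
        kids = [c for c in children.get(e["ProcessId"], []) if is_temp_exe(c["Image"])]
        if not kids:
            chains.append(path)
        for kid in kids:
            walk(kid, path + [kid])

    for e in events:
        if is_temp_exe(e["Image"]) and not parent_is_temp_exe(e):
            walk(e, [e])
    return chains


def flag_chains(events: list[dict], min_depth: int = 3) -> list[dict]:
    """Report Temp->Temp spawn chains of at least min_depth processes, together with
    the file names from the report's Downloads list whose SHA256 appears in the chain."""
    findings = []
    for chain in temp_chains(events):
        if len(chain) < min_depth:
            continue
        shas = [sha256_from_hashes(e["Hashes"]) for e in chain]
        findings.append({
            "depth": len(chain),
            "pids": [e["ProcessId"] for e in chain],
            "ioc_hits": [REPORT_SHA256[s] for s in shas if s in REPORT_SHA256],
        })
    return findings


if __name__ == "__main__":
    for f in flag_chains(SAMPLE_EVENTS):
        print(f"Temp dropper chain, depth {f['depth']}: PIDs {f['pids']}")
        print("  report IOCs matched:", ", ".join(f["ioc_hits"]))
```

On the constructed events this reports one chain of depth 7 (PIDs 1716 through 4892) with all seven report hashes matched, while the lone Temp installer stays below the default threshold of three. In a real deployment the records would come from Sysmon Event ID 1 or an EDR's process-creation stream; the depth threshold is what keeps ordinary installers that run once from Temp out of the alert queue, and because every stage here has a fresh hash, the chain shape should be treated as the primary signal and the hash matches as confirmation only.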