Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    131s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    06/04/2024, 05:21

General

  • Target

    dc3cf8388b866c3b471ca69c285a1dc1_JaffaCakes118.exe

  • Size

    13KB

  • MD5

    dc3cf8388b866c3b471ca69c285a1dc1

  • SHA1

    455c0f474597214e46f85fdf9fbb22109e4ce54a

  • SHA256

    1062105e98743a8a45276d24f7ebce25565df818e8f2ad58d7a436a527beb921

  • SHA512

    b9ade17b402194a2c52899d4f825593782514da3b7b25c123723a7fd7671ad4655fe6ea8abe64e2664e0e1f428fe34e0619bddcdd26bcc0b404cd9815e9842c1

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhz0:hDXWipuE+K3/SSHgxx0

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc3cf8388b866c3b471ca69c285a1dc1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dc3cf8388b866c3b471ca69c285a1dc1_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2944
    • C:\Users\Admin\AppData\Local\Temp\DEM13B0.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM13B0.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2284
      • C:\Users\Admin\AppData\Local\Temp\DEM6900.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM6900.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2484
        • C:\Users\Admin\AppData\Local\Temp\DEMBE5F.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMBE5F.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1624
          • C:\Users\Admin\AppData\Local\Temp\DEM13CF.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM13CF.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2000
            • C:\Users\Admin\AppData\Local\Temp\DEM690F.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM690F.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:1648
              • C:\Users\Admin\AppData\Local\Temp\DEMBE7F.exe
                "C:\Users\Admin\AppData\Local\Temp\DEMBE7F.exe"
                7⤵
                • Executes dropped EXE
                PID:2800

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM6900.exe

    Filesize

    13KB

    MD5

    73668f5218e55224a6587c1beff6709f

    SHA1

    985ae3dc411b4fd2de0533e2fdfb7ea61d84b28c

    SHA256

    2131d1c601d3cacce153f9997fa0a1b87f76c33edd2780ee1e82e3a9dbdd0c36

    SHA512

    966076230044c1949cddbfe22b3fadaba1a81fa599a4284f443cf75b2accf5d024755a98a96da1f5b5c4a28748fbb8437237d7cf17de52c61ca9687d3a042216

  • \Users\Admin\AppData\Local\Temp\DEM13B0.exe

    Filesize

    13KB

    MD5

    d951be9e4de76efbc9f7a3b4cc08e0c7

    SHA1

    787fca9a8b9ce63193e02feb463537002b55f9f7

    SHA256

    af69ff6b0968e85301d3a1c4e00bbd15b3c12cd8a3c59263ce1c8542f60dfd1e

    SHA512

    7259d4db479937fc4994fe2993589e26eed7c872c94063df3f61a7d9df222bdd66cca0118fe45f151cfba0a97437cff27831dc099f55b82e0695f60510f45c2a

  • \Users\Admin\AppData\Local\Temp\DEM13CF.exe

    Filesize

    13KB

    MD5

    933b0fd9be1b400266e6b0b130785b44

    SHA1

    0e87f4863b66d0ff4c0cad589124ba22865cbff3

    SHA256

    1b2794f3935e80e07e96abe9516e46fcf56c3e2e89a864590ca5dfb32a3e80ca

    SHA512

    210da963bd433a4635362719e318b170c90b43ec2e6874c7f0cbdde4a7a7d6a16af64a47efb95a5956dc83e9709ed2fac9378ad9cc5cae0ee1488faf3dbe80e5

  • \Users\Admin\AppData\Local\Temp\DEM690F.exe

    Filesize

    13KB

    MD5

    c7715a6d7c3ad68bd0000166dd02bae6

    SHA1

    987a73fb6e44ee221309232bdb6616763e138358

    SHA256

    fa33448e5c605a0695250102291b75927804edd1f3d7e26d0cdcefe0786d571d

    SHA512

    f5b51a352f7279a71f1da5b25d3bacf07e38bb849b60d4503292b15b69f995981d477ad878a8d0772fbe9afa5eb6a967ea5870d9683c6b084d3a1d8e3321acf4

  • \Users\Admin\AppData\Local\Temp\DEMBE5F.exe

    Filesize

    13KB

    MD5

    1b7385d1410419d74849ebbc40f0e1c7

    SHA1

    358743919274c1d5606d223c04ebde4ec55484bc

    SHA256

    861e0165bd35035615b46d8a82446a8943f9c45e9197b6b3d7a06dc55d2d8171

    SHA512

    0a01b5ad8c808886f345850918bad566e172372230d5e0c87c47ec4a52aca9915efd1bc5f740adaadf7a2b64fb320ae1b799bb272baccbda2fcd76eae0f7992c

  • \Users\Admin\AppData\Local\Temp\DEMBE7F.exe

    Filesize

    13KB

    MD5

    2ee4246481a7529271a26e972145ee6c

    SHA1

    77f14e92afc6cf124e1a3299375f3ae90686bb00

    SHA256

    60ff72217a6d3aee2d29f8f2819c732a7f8101d76b3ab058b98a078bca9d1445

    SHA512

    78ce57d520b7fd973c40ff91bdd7df9940fc85eae544ff57a29b822cba1ec0ba09920be35ca3fda06c787c054283cc1fc2770c34b5cb76e191dd104cf916d53d