
Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/04/2024, 05:21

General

  • Target

    dc3cf8388b866c3b471ca69c285a1dc1_JaffaCakes118.exe

  • Size

    13KB

  • MD5

    dc3cf8388b866c3b471ca69c285a1dc1

  • SHA1

    455c0f474597214e46f85fdf9fbb22109e4ce54a

  • SHA256

    1062105e98743a8a45276d24f7ebce25565df818e8f2ad58d7a436a527beb921

  • SHA512

    b9ade17b402194a2c52899d4f825593782514da3b7b25c123723a7fd7671ad4655fe6ea8abe64e2664e0e1f428fe34e0619bddcdd26bcc0b404cd9815e9842c1

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhz0:hDXWipuE+K3/SSHgxx0

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 6 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (6 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc3cf8388b866c3b471ca69c285a1dc1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dc3cf8388b866c3b471ca69c285a1dc1_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Users\Admin\AppData\Local\Temp\DEM6254.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6254.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3384
      • C:\Users\Admin\AppData\Local\Temp\DEMBBAF.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMBBAF.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3368
        • C:\Users\Admin\AppData\Local\Temp\DEM1383.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM1383.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:440
          • C:\Users\Admin\AppData\Local\Temp\DEM6B48.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM6B48.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1644
            • C:\Users\Admin\AppData\Local\Temp\DEMC261.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMC261.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4100
              • C:\Users\Admin\AppData\Local\Temp\DEM19F7.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM19F7.exe"
                7⤵
                • Executes dropped EXE
                PID:1584

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM1383.exe
    Filesize: 13KB
    MD5: ce641b26afaaaa2a7fe881db3e999c2f
    SHA1: a7b8c6a5cd4a6e79ae2b95627d8af07279b7d8fa
    SHA256: 9352f2950b42a708ad97a10a268972a030ad94bbcecaef56aabb634715f680c1
    SHA512: 1c5d717f2131769108743df7a594a51b2eacd04371a80ff9fb429af9a1d0202009a1617af2eb671808f02957658e94aea252f1e841afe65f06569d0481bca9d8

  • C:\Users\Admin\AppData\Local\Temp\DEM19F7.exe
    Filesize: 13KB
    MD5: 5ce3449cd06d2c7e0ae9a0586fe63f25
    SHA1: fed8ce8f85813dbca35550b2ce4cfa8652c10e82
    SHA256: 90bdb0a9b7d0650996353700a1b7594734e3c63b84373f3314ca4be1307b1ca5
    SHA512: 20704008935577bfd35fbdc6168c6534853b3f3cf317333f36bc9ff6c0d8633b9c707ad995a6c66438ffd239ba1d65fe0c46ef5cdcec9f01aaa8b590a5481b98

  • C:\Users\Admin\AppData\Local\Temp\DEM6254.exe
    Filesize: 13KB
    MD5: 8faea36f31cdc08e3ce8b996d238b710
    SHA1: 9df3f971402150413a6852dc3aa2fe47a0938cc6
    SHA256: 86ade246754996c2b49b798435ec6937cdf7c71fdca614a45058e46ed8bb5610
    SHA512: ad86c80c5da6e2aaa891f91b3b547c9bb0c768a47b1dd728f8c8d9d41b669f7fe14e03c745b45f1c66be43ed8b5a69cb3fc3dff5c47e5effb9472f7ab2e5c107

  • C:\Users\Admin\AppData\Local\Temp\DEM6B48.exe
    Filesize: 13KB
    MD5: 344a1edc2393a90069462cb6e8b4afd1
    SHA1: 92a9bb57efe8aaab704aca888e963bfeb40d7db5
    SHA256: 330ff1b8f49a9682b7929780be9a047946dbb11e6cbf8cd99f798b6d384eb9c3
    SHA512: 24a4eefc731530652152c316de0926e1eee98638cb06ab28e22cd57abb3cc54d8411e5db857e7a49d75614a7aeee300856a2eccbb7e3d461a49361baf0bc776c

  • C:\Users\Admin\AppData\Local\Temp\DEMBBAF.exe
    Filesize: 13KB
    MD5: ca1d81f878927cda38ae7ecf8f3c5697
    SHA1: 53daa5743187729a8e01cd82aa434f2f48605136
    SHA256: feaa4e39bf3f880e91ec6a8adc0fcc8f39f4b8c2e9c00fd85f4d094894fa6808
    SHA512: ae74211e7f53c4a3aedf9756a1a670e755df69898a0f5dd9a232bf09c7f30c3c33eb3fe0d8ab3ad9b338b8f490b26411f729aafe59c953594cf2c57169c83029

  • C:\Users\Admin\AppData\Local\Temp\DEMC261.exe
    Filesize: 13KB
    MD5: 2e854b69a68f1b0f12402e7c6ff898bf
    SHA1: b5c858ed685890a34ed16490c8e15318e98cf153
    SHA256: d494dfbeed5ab6b218338aefa0720bfda9c7be82d2198cd28c61389d3adfde92
    SHA512: fb71a7151397b6c202c07b7546dbe18dd05afb108a9398fa06be31ba8ede917437756bbf3b96b6093c3d8ec436a7bafc74e66f1cb29157d0e613e58aad21af36