
Analysis

  • max time kernel
    133s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/04/2024, 06:07

General

  • Target

    dd2f062d812c42e8a40619000f228f44_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    dd2f062d812c42e8a40619000f228f44

  • SHA1

    2bd8b306cf27e98a97e32a5d8409f1ea552b999c

  • SHA256

    1d11d2ce13f507d927522309e4e618a46c7708cbfbe10f6f3a9fe38b2902aeb3

  • SHA512

    771eda2cbb5d019c146645c831e01e1a23fe1bf3301c06f0a0bc685601f962a8adbcfd5903ee722f20cd63ceca607fe211463b9acce2ab13be1f47008f59a365

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRl5l:hDXWipuE+K3/SSHgxXl

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up the country code configured in the registry, likely used for geofencing.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd2f062d812c42e8a40619000f228f44_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dd2f062d812c42e8a40619000f228f44_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Users\Admin\AppData\Local\Temp\DEM5544.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5544.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3320
      • C:\Users\Admin\AppData\Local\Temp\DEMAC3E.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMAC3E.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2116
        • C:\Users\Admin\AppData\Local\Temp\DEM2AB.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM2AB.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:988
          • C:\Users\Admin\AppData\Local\Temp\DEM5918.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM5918.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2288
            • C:\Users\Admin\AppData\Local\Temp\DEMAFA4.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMAFA4.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4032
              • C:\Users\Admin\AppData\Local\Temp\DEM6CC.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM6CC.exe"
                7⤵
                • Executes dropped EXE
                PID:4620
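
The tree above is the signal worth keeping: each stage is a ~14 KB executable in the user's Temp directory that writes the next stage and spawns it, seven levels deep. The following is an added example, not part of the tria.ge report or the sample; it runs a process-chain rule over constructed Sysmon-style process-creation records (Event ID 1 fields: PID, parent PID, image path) built from the PIDs and paths shown in the tree, plus some benign noise. The Temp path, the `DEM` name pattern and the depth threshold are assumptions taken from this page, not a general rule.

```python
"""Process-chain detection for the dropper behaviour shown above.

Added example, not part of the tria.ge report or the sample. It scores
constructed Sysmon-style process-creation records (Event ID 1 fields) and
reports chains in which an executable in the user's %TEMP% directory
spawns another %TEMP% executable, link after link, as in the tree above.
"""
import re
from dataclasses import dataclass

# Assumption: the analysis VM's Temp path, lower-cased for comparison.
TEMP_DIR = r"c:\users\admin\appdata\local\temp"
# Naming pattern of the dropped stages in this report (DEM + hex + .exe).
DEM_NAME = re.compile(r"\\dem[0-9a-f]{2,4}\.exe$")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str


def in_temp(image: str) -> bool:
    return image.lower().startswith(TEMP_DIR + "\\")


def temp_chains(events, min_depth=3):
    """Return every maximal chain [root, child, ...] whose links are all
    %TEMP% executables, keeping those at least `min_depth` long."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    def is_root(e):
        parent = by_pid.get(e.ppid)
        return in_temp(e.image) and not (parent and in_temp(parent.image))

    found = []

    def walk(e, path):
        path = path + [e]
        kids = [c for c in children.get(e.pid, []) if in_temp(c.image)]
        if not kids:                       # chain ends: no %TEMP% child
            if len(path) >= min_depth:
                found.append(path)
            return
        for c in kids:
            walk(c, path)

    for root in filter(is_root, events):
        walk(root, [])
    return found


def summarize(chain):
    return {
        "depth": len(chain),
        "pids": [e.pid for e in chain],
        "dem_named": sum(1 for e in chain if DEM_NAME.search(e.image.lower())),
    }


# Constructed sample telemetry: the report's PIDs and images, plus benign
# noise (explorer, notepad, a two-stage installer under the threshold).
T = TEMP_DIR + "\\"
SAMPLE_EVENTS = [
    ProcEvent(1000, 500, r"c:\windows\explorer.exe"),
    ProcEvent(2180, 1000, T + "dd2f062d812c42e8a40619000f228f44_JaffaCakes118.exe"),
    ProcEvent(3320, 2180, T + "DEM5544.exe"),
    ProcEvent(2116, 3320, T + "DEMAC3E.exe"),
    ProcEvent(988, 2116, T + "DEM2AB.exe"),
    ProcEvent(2288, 988, T + "DEM5918.exe"),
    ProcEvent(4032, 2288, T + "DEMAFA4.exe"),
    ProcEvent(4620, 4032, T + "DEM6CC.exe"),
    ProcEvent(6000, 1000, r"c:\windows\system32\notepad.exe"),
    ProcEvent(5000, 1000, T + "setup.exe"),
    ProcEvent(5001, 5000, T + "helper.exe"),
]

if __name__ == "__main__":
    for chain in temp_chains(SAMPLE_EVENTS):
        print(summarize(chain))
```

On the constructed events the rule reports one chain of depth 7 with six `DEM`-named stages and ignores the two-stage installer; in real telemetry, pair the depth threshold with the "Executes dropped EXE" condition (the child image was written by its parent, Sysmon Event ID 11) to keep legitimate Temp-based installers out of the alert.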

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM2AB.exe

    Filesize

    14KB

    MD5

    f40e99397607384871637ed58a630b03

    SHA1

    74c52f3b17834bc2569df0299400e71de5ad9f1e

    SHA256

    a478ad8dc8895a8aded8cb691badabbb0bdd2c87cddd21d90286fefdecf2d076

    SHA512

    c09f9a7e5bfbbeec9a079749e328d16d69a6127e737de810d0a3242daebb47d70c7e89f79d805624372e7b7dec4a0c8394184cd5c5c10cb49474b4c6d7a7b69a

  • C:\Users\Admin\AppData\Local\Temp\DEM5544.exe

    Filesize

    14KB

    MD5

    95d588eacb04e97fb885cd33a91fd8d0

    SHA1

    9749ef8b214da35fae398bfab5f074a76207c73e

    SHA256

    3bfbb9d5980b2eaa6f1e9ecf0793c52278189fd068c6b3fe0994a757eebc773b

    SHA512

    4fe2ef207de8bb26b7484f74d91ad866d5d89f835a1e1775958d09e37a153005429765e4c43335bef3cc4761cb408767ca72603e3e4ba598bd3999b04c518082

  • C:\Users\Admin\AppData\Local\Temp\DEM5918.exe

    Filesize

    14KB

    MD5

    de10cbe94f4ab006f82516374ba3ee41

    SHA1

    7924a9b22c1aa63ddaf2b9d79b9d2c707ab89d23

    SHA256

    5305b682858363d3fa25de511bd4387285bd58b596db326655848a709fbc0a3d

    SHA512

    39cabaed19d96246ebdcc168823304aef708b19c7fa223d0a6a8f85322f0dea361832c59dedcb186649bcb0dc2e4a8f2ffae5d1fad102949ef4b80e57671ee0a

  • C:\Users\Admin\AppData\Local\Temp\DEM6CC.exe

    Filesize

    14KB

    MD5

    d801508ebf4d24e78905ff51c26a9808

    SHA1

    9e6f90945121e66b27241f034802b18233400eea

    SHA256

    60226f79ae001cc8f43379b6bb8d2a9eee91c44daebd3525cf022b230592a990

    SHA512

    7cbeec7b846aeaa1b8f662df2f51dd73364966fa759238c80f9ca315840d37f70f75b15b76df8e243003f029a1483a041bf977c185acc705abd3764d145a9cf3

  • C:\Users\Admin\AppData\Local\Temp\DEMAC3E.exe

    Filesize

    14KB

    MD5

    68818dc48e9ca6f77ea4c29c4885970d

    SHA1

    5a4db2ef924c5e58fd6bd53b464e0d1d65e19da7

    SHA256

    370fc2400c1735facace84902a13a968883d0339d0d87c4e750370b8e7cf035b

    SHA512

    8004b81a0016f3c5b789cd9b43f0191b9e3795a763e18b092d6bb0e77fe456fb32a104cab4e05ed27c097365866e7e860acfd0be79c1578d13d0551b0d1b45df

  • C:\Users\Admin\AppData\Local\Temp\DEMAFA4.exe

    Filesize

    14KB

    MD5

    1860fc442fde7f783cb0028c1456e48e

    SHA1

    f36c73c8859a86de0612bdfd87f4cc602a28ad83

    SHA256

    88aa9a0f3a94d3c10cb585495b79c43e953014322e118b07836d3b5bfcbd2078

    SHA512

    9e0aef2e29553e093c748490dcdb916ba8ee23270fc86fbac24df33936c314fc588768c89686bbd6ac9f2b2e51d04bbcc698e149d5bf88db23d90f555d31c457
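
The six dropped files above and the submitted sample share a size of 14 KB but carry seven distinct hashes, so an exact-hash lookup only catches these specific stages. The following is an added example, not part of the tria.ge report: it loads the SHA256 values listed on this page into a lookup table, scans a directory for matches, and exercises the positive path with a constructed file added to a copy of the table (no real sample is needed; the planted file is inert). The `digests` helper computes all four algorithms the report lists so any one can be cross-checked against the page.

```python
"""Hash-based IoC matching for the dropped files listed above.

Added example, not part of the tria.ge report. The SHA256 values are
copied from the Downloads and General sections; the files it scans are
constructed in a temporary directory so the script runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 -> file name, copied from this report.
REPORT_SHA256 = {
    "1d11d2ce13f507d927522309e4e618a46c7708cbfbe10f6f3a9fe38b2902aeb3":
        "dd2f062d812c42e8a40619000f228f44_JaffaCakes118.exe",
    "a478ad8dc8895a8aded8cb691badabbb0bdd2c87cddd21d90286fefdecf2d076": "DEM2AB.exe",
    "3bfbb9d5980b2eaa6f1e9ecf0793c52278189fd068c6b3fe0994a757eebc773b": "DEM5544.exe",
    "5305b682858363d3fa25de511bd4387285bd58b596db326655848a709fbc0a3d": "DEM5918.exe",
    "60226f79ae001cc8f43379b6bb8d2a9eee91c44daebd3525cf022b230592a990": "DEM6CC.exe",
    "370fc2400c1735facace84902a13a968883d0339d0d87c4e750370b8e7cf035b": "DEMAC3E.exe",
    "88aa9a0f3a94d3c10cb585495b79c43e953014322e118b07836d3b5bfcbd2078": "DEMAFA4.exe",
}


def digests(data: bytes) -> dict:
    """All four digests the report lists, so any one can be cross-checked."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def file_sha256(path: Path, chunk=1 << 16) -> str:
    """Stream the file so large inputs do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_dir(root, table=REPORT_SHA256):
    """Return [(path, report_name)] for every file under root whose SHA256
    appears in the table."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            name = table.get(file_sha256(p))
            if name:
                hits.append((str(p), name))
    return hits


def demo():
    """Constructed scan: two 14 KB files, one of which is added to a copy of
    the table so the positive path is exercised without the real sample."""
    with tempfile.TemporaryDirectory() as d:
        planted = Path(d) / "DEM0000.exe"          # constructed, inert bytes
        planted.write_bytes(b"\x4d\x5a" + b"A" * (14 * 1024 - 2))
        (Path(d) / "other.bin").write_bytes(os.urandom(14 * 1024))
        table = dict(REPORT_SHA256)
        table[file_sha256(planted)] = "constructed-stage"
        real_hits = scan_dir(d)             # nothing here matches the report
        demo_hits = scan_dir(d, table)
        return len(real_hits), [name for _, name in demo_hits]


if __name__ == "__main__":
    print(demo())
```

Because every stage in this chain is rewritten with a different hash at a constant size, treat these seven values as retrospective indicators for this sample only; the Temp-to-Temp process chain and the dropped-EXE execution recorded in the process tree are the more durable hunting signal.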