Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/04/2024, 09:14

General

  • Target
    e1083124cfdc87844d334cf6ff13d855_JaffaCakes118.exe
  • Size
    15KB
  • MD5
    e1083124cfdc87844d334cf6ff13d855
  • SHA1
    1bdf971aec527214edd01eb31b4d93b2f3a783f4
  • SHA256
    b05612ac84cc9812362d85e3c1a0495163e6eb5c552aacbacfb4af94c4753758
  • SHA512
    cdda7b338b2c0a0ce23a1371448ad981af9bea138a8268d583024ded3f695d85ef45907073c04de9553cbabbc7721dfd3ae97e237e37b202d7d5fb231414f2a2
  • SSDEEP
    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYJBK:hDXWipuE+K3/SSHgxmbK

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 6 IoCs)
    Looks up country code configured in the registry, likely geofence.
  • Executes dropped EXE (6 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e1083124cfdc87844d334cf6ff13d855_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e1083124cfdc87844d334cf6ff13d855_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3136
    • C:\Users\Admin\AppData\Local\Temp\DEM5275.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5275.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4124
      • C:\Users\Admin\AppData\Local\Temp\DEMAA1B.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMAA1B.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:940
        • C:\Users\Admin\AppData\Local\Temp\DEMC6.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMC6.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4484
          • C:\Users\Admin\AppData\Local\Temp\DEM5704.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM5704.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3040
            • C:\Users\Admin\AppData\Local\Temp\DEMAD91.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMAD91.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4476
              • C:\Users\Admin\AppData\Local\Temp\DEM3EE.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM3EE.exe"
                7⤵
                • Executes dropped EXE
                PID:4768

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM3EE.exe
    Filesize: 15KB
    MD5: 9aa6309f6a71063172adaad6c870193a
    SHA1: 948421ac6d6a80a574c34081ea3abfcf774dd450
    SHA256: 430fece1ded0e78b6fff40ff8d6c3ef5384aa8418c9d683961dd4b27a86d99ab
    SHA512: bea25dbbcd86df22f95193ca4f7fdc4bf4a212db836410ed6ffe1fccf9d2811ad6982ceb5ad39d6c8dd1bc6c5115536706e932d712aa0d50fdfe2f6a3b16e9bd

  • C:\Users\Admin\AppData\Local\Temp\DEM5275.exe
    Filesize: 15KB
    MD5: 08fbb9e3c2540711de3286293980ef3b
    SHA1: 89614e91210e7f0a906a91a8168e3b1155c2aa7e
    SHA256: 99b1b0941e3aea612a937119dc9e73384a93688c7e982ea8c97809ff23dc3df5
    SHA512: ae3fc5ef7eaa18030188b96c2b68e7dc304eb4616e285fd4895b0400b202ac4eb12f27dec1eccbfaa1fef930ad709fdcb0c16118610a02f14a7da2f991151640

  • C:\Users\Admin\AppData\Local\Temp\DEM5704.exe
    Filesize: 15KB
    MD5: 318bb424738502633d52e6293374f98b
    SHA1: 50c92859536c3255eca2e2595d0cf79cc830bc36
    SHA256: 89b37cdbc214ebcd78d4a63a0ed532ea9b33d5bb43385c75f3b52498efc52ae8
    SHA512: 019abbacac318adccc58e9f3d71138034b578855dbfbd5b8988c02898e47024d20af65a6675e6bc2299ca978023a1e0a23a7bbfd84a6059d58376c7c5aeec33b

  • C:\Users\Admin\AppData\Local\Temp\DEMAA1B.exe
    Filesize: 15KB
    MD5: 00ab97a8a649b13ad70808a08bdc9089
    SHA1: 9414433a949c63ea42deddf4e7841a7ea4a4c5b4
    SHA256: ec2933916cbdddb4bec00f7b948e69c8a6c8b12ca50399bccc7741bcafc6ff23
    SHA512: 5e6b1d0d2ab31c633a8970e15420ada53d46af2ef3eb70e8473171c881f43d448c1b5ecf2429d42547a6b942ce973c7ca7ef019e0e322effe99e41d7ddfca311

  • C:\Users\Admin\AppData\Local\Temp\DEMAD91.exe
    Filesize: 15KB
    MD5: 85542f35cbd2f18c61381c1c66babdce
    SHA1: 0c51469b48b8bdbeb2831c5425924a8b972156d6
    SHA256: ce16ff9be02ca56dda6b11cd13b4f4a4cb8241780c2dc3505b96d752559a0cc4
    SHA512: ee66567777f9a48d1d39ea70400791fac1f2265ae3d2d1b2eb4f3330156d97d660a68fba45d709a925174c029de3c27506b24d8ad3a97c9c5091e85327915634

  • C:\Users\Admin\AppData\Local\Temp\DEMC6.exe
    Filesize: 15KB
    MD5: a6caa81a96ac8923851f3ac45aa61537
    SHA1: ae4e44e01bffb0b7aa398dfa565bd37ba50837a0
    SHA256: 2669d0bb6d1b5e666882e7d72fdeabd124460d217e224698cea248c9c5a4f5d6
    SHA512: d7673ad56280bc05e9a1496bf4047859436e1a2becebac413313bc0169170fef538434ade50b73e7ee1db5b6a86b62cb72ec60c662d9d01e8b295cda57be02ef