Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/04/2024, 15:10

General

  • Target

    ff8fc259ff0fa909675f4bff59c38568_JaffaCakes118.exe

  • Size

    15KB

  • MD5

    ff8fc259ff0fa909675f4bff59c38568

  • SHA1

    b1b66f7bdc8885c50b47e3de9a70d254cd50f886

  • SHA256

    c89b736c4e7a4d989271a2a8217904fdcae3fa52abecd8a688ec2177ecff22d7

  • SHA512

    3bb78bbfa9860a781debef5b97f5c5882c379c61629fb0c1ade3c3f32b9a2e8471d5adcf5ab48e4189f999936a181f0a6ab3f6732786d9c9710c503afc870a1b

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhhG:hDXWipuE+K3/SSHgxzG

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 6 IoCs)

    Looks up the country code configured in the registry, most likely a geofence check.

  • Executes dropped EXE (6 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (18 IoCs)
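The "Checks computer location settings" signature fires when a process reads the country code Windows stores for the current user. The script below is an added example of what such a check looks like and how to exercise its decision logic offline; it is not the sample's code, and the report does not say which countries, if any, this sample fences. It assumes the lookup is the usual HKCU\Control Panel\International\Geo\Nation value (a REG_SZ holding a decimal Microsoft GeoID); the deny list is illustrative only.

```python
"""Emulate a registry-based geofence check and its edge cases.

Added example, not code from the sample or from tria.ge. Assumption: the
country code is read from HKCU\\Control Panel\\International\\Geo\\Nation.
The registry read only runs on Windows; everywhere else the caller passes a
value in, which is also how the decision logic is tested offline.
"""
from __future__ import annotations

import sys

GEO_KEY = r"Control Panel\International\Geo"
GEO_VALUE = "Nation"

# Subset of the Microsoft GeoID table (decimal values), enough for the demo.
GEOID_NAMES = {
    244: "US", 242: "GB", 94: "DE", 84: "FR", 122: "JP",
    203: "RU", 241: "UA", 29: "BY", 137: "KZ", 45: "CN",
}

# Illustrative deny list for the demonstration; the report does not state
# which countries this sample treats specially.
EXAMPLE_DENY = {203, 241, 29, 137}


def read_nation_geoid() -> int | None:
    """Read the GeoID the way the flagged behaviour does. Returns None off
    Windows, and also when the value is unset (fresh VM images often leave
    it unset, which is itself a sandbox tell)."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, hence the late import

    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, GEO_KEY) as key:
            raw, _value_type = winreg.QueryValueEx(key, GEO_VALUE)
    except OSError:
        return None
    return parse_geoid(raw)


def parse_geoid(raw) -> int | None:
    """The value is REG_SZ, not REG_DWORD: tolerate None, blanks and junk."""
    try:
        return int(str(raw).strip())
    except (TypeError, ValueError):
        return None


def geofence_decision(geoid: int | None, deny: set[int]) -> str:
    """'exit' when the GeoID is on the deny list, 'run' when it is known and
    allowed, 'unknown' when it could not be read. A fence that treats
    'unknown' as 'run' is not tripped by a sandbox with Nation left unset;
    one that treats it as 'exit' never detonates there, so the choice is
    worth checking when you emulate a sample."""
    if geoid is None:
        return "unknown"
    return "exit" if geoid in deny else "run"


def describe(geoid: int | None) -> str:
    return "unset" if geoid is None else GEOID_NAMES.get(geoid, f"GeoID {geoid}")


if __name__ == "__main__":
    current = read_nation_geoid()
    print(describe(current), geofence_decision(current, EXAMPLE_DENY))
```

For analysis, the useful move is the reverse one: set Nation to a value the sample is likely to accept (or deny) before detonation and compare the process trees; the en-us image used here most likely presents GeoID 244.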

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff8fc259ff0fa909675f4bff59c38568_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ff8fc259ff0fa909675f4bff59c38568_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:936
    • C:\Users\Admin\AppData\Local\Temp\DEM5E3D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5E3D.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2140
      • C:\Users\Admin\AppData\Local\Temp\DEMB4B9.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMB4B9.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1688
        • C:\Users\Admin\AppData\Local\Temp\DEMAB9.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMAB9.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2188
          • C:\Users\Admin\AppData\Local\Temp\DEM6126.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM6126.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:5116
            • C:\Users\Admin\AppData\Local\Temp\DEMB774.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMB774.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2568
              • C:\Users\Admin\AppData\Local\Temp\DEMD54.exe
                "C:\Users\Admin\AppData\Local\Temp\DEMD54.exe"
                7⤵
                • Executes dropped EXE
                PID:116
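The tree above is a straight line seven generations deep: every process drops one new DEM*.exe into %TEMP%, writes into it (the WriteProcessMemory hits), runs it, and the child repeats. The script below is an added triage helper, not code from the sandbox or from the sample. It re-encodes the process records and the SHA-256 values from this report in a simplified one-record-per-line form (constructed for parsing) and checks the properties an analyst would want confirmed before calling this a self-rewriting dropper chain: all children appear in the Downloads list, all are the same size, no two share a hash, and the original hash never reappears.

```python
"""Check the dropped-EXE chain from the report for self-rewriting behaviour.

Added analysis script (not tria.ge's or the sample's code). Records and
hashes are copied from the report; the layout is a constructed one-line
form of the tree. Flags: G = checks location settings, W = WriteProcessMemory,
D = executes dropped EXE, as listed per process in the report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

PROCESS_TREE = r"""
1 C:\Users\Admin\AppData\Local\Temp\ff8fc259ff0fa909675f4bff59c38568_JaffaCakes118.exe 936 G,W
2 C:\Users\Admin\AppData\Local\Temp\DEM5E3D.exe 2140 G,D,W
3 C:\Users\Admin\AppData\Local\Temp\DEMB4B9.exe 1688 G,D,W
4 C:\Users\Admin\AppData\Local\Temp\DEMAB9.exe 2188 G,D,W
5 C:\Users\Admin\AppData\Local\Temp\DEM6126.exe 5116 G,D,W
6 C:\Users\Admin\AppData\Local\Temp\DEMB774.exe 2568 G,D,W
7 C:\Users\Admin\AppData\Local\Temp\DEMD54.exe 116 D
"""

SUBMITTED_SHA256 = "c89b736c4e7a4d989271a2a8217904fdcae3fa52abecd8a688ec2177ecff22d7"

# path -> (reported size, SHA-256) from the Downloads section of the report.
DROPPED = {
    r"C:\Users\Admin\AppData\Local\Temp\DEM5E3D.exe": ("15KB", "f4336502a4931a5b96318acfbcc7a3528a179e2bf3fd00176389bb0855ddba28"),
    r"C:\Users\Admin\AppData\Local\Temp\DEM6126.exe": ("15KB", "e53c9555f4b3db50b717be9d1b2c5c20e68750ad3658f540d497f5ef7791e9b8"),
    r"C:\Users\Admin\AppData\Local\Temp\DEMAB9.exe": ("15KB", "e49328ca115b50f55c0e64e4e59b1a12eaa183dc12e820fd9d7347a4813aa243"),
    r"C:\Users\Admin\AppData\Local\Temp\DEMB4B9.exe": ("15KB", "df93a606d1003481b22c800dd910275dfb8866b83af16f52b6c83a2080cb169d"),
    r"C:\Users\Admin\AppData\Local\Temp\DEMB774.exe": ("15KB", "b6dec9a9a6ace80d2aadba256a801eeee2e5ac6b0689b2b48e769e539b93d59d"),
    r"C:\Users\Admin\AppData\Local\Temp\DEMD54.exe": ("15KB", "57a32c47731f0d67ba8f4e6ea58440fc834a9c39a195075f01496c0d424274a0"),
}


@dataclass(frozen=True)
class Proc:
    depth: int
    path: str
    pid: int
    flags: frozenset[str]

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_tree(text: str) -> list[Proc]:
    """One record per line: depth, image path, PID, comma-separated flags."""
    procs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = re.fullmatch(r"(\d+) (\S+) (\d+) ([A-Z,]+)", line.strip())
        if not m:
            raise ValueError(f"unparseable record: {line!r}")
        procs.append(Proc(int(m[1]), m[2], int(m[3]), frozenset(m[4].split(","))))
    return procs


def drop_chain(procs: list[Proc]) -> list[str]:
    """Image names root-first; raises if the tree is not a straight line
    (each process exactly one level below the previous one)."""
    for i, p in enumerate(procs):
        if p.depth != i + 1:
            raise ValueError(f"{p.name} at depth {p.depth}, expected {i + 1}")
    return [p.name for p in procs]


def chain_findings(procs: list[Proc], dropped: dict, root_sha256: str) -> dict[str, object]:
    """Properties a triager wants confirmed before calling this a self-rewriting dropper."""
    children = procs[1:]
    known = [p for p in children if p.path in dropped]
    hashes = [dropped[p.path][1] for p in known]
    temp = "c:\\users\\admin\\appdata\\local\\temp\\"
    return {
        "generations": len(procs),
        "all_children_in_downloads": len(known) == len(children),
        "uniform_size": len({dropped[p.path][0] for p in known}) == 1,
        "all_hashes_distinct": len(set(hashes)) == len(hashes),
        "root_hash_reused": root_sha256 in hashes,
        "temp_dir_only": all(p.path.lower().startswith(temp) for p in procs),
        # every process with a child wrote into process memory; the last
        # generation did not, i.e. the chain stopped within the run.
        "writers_are_parents": all("W" in p.flags for p in procs[:-1]) and "W" not in procs[-1].flags,
        "location_check_generations": sum("G" in p.flags for p in procs),
    }


def blocklist(procs: list[Proc], dropped: dict, root_sha256: str) -> list[str]:
    """Sorted SHA-256 set for blocking: the submitted file plus every drop."""
    return sorted({root_sha256} | {dropped[p.path][1] for p in procs if p.path in dropped})


if __name__ == "__main__":
    procs = parse_tree(PROCESS_TREE)
    print(" -> ".join(drop_chain(procs)))
    for key, value in chain_findings(procs, DROPPED, SUBMITTED_SHA256).items():
        print(f"{key:34} {value}")
```

Distinct hashes at identical size across six generations is the point to note: a plain copy would reproduce the parent's hash, so each generation is rewriting itself, and a hash blocklist alone (the seven values the script emits) will not catch the next detonation. The file-size, %TEMP% placement and DEM<hex>.exe naming are the more durable pivots here, and the report has no SSDEEP for the drops to confirm how much of the body actually changes.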

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM5E3D.exe

    Filesize

    15KB

    MD5

    e9ec10a2e78bfa8b85ffd7e3bbb87856

    SHA1

    e8d21540a730613e593bff8073753298eab10bb4

    SHA256

    f4336502a4931a5b96318acfbcc7a3528a179e2bf3fd00176389bb0855ddba28

    SHA512

    4fe9b7950e0e69a4ef2d993efe6c408a8fa690466716c9252f7a0992dfc990331cc6975cd3a54d4706b000e8ca4515d3883b0c31bd5e930ca9598664f04e73ea

  • C:\Users\Admin\AppData\Local\Temp\DEM6126.exe

    Filesize

    15KB

    MD5

    1210db792548559d09e9d9ab68941035

    SHA1

    c770fec6ab85f8f65921909f671916213668c5ce

    SHA256

    e53c9555f4b3db50b717be9d1b2c5c20e68750ad3658f540d497f5ef7791e9b8

    SHA512

    d41ecb6b5af975a2ae8f8e9574f875bfa248575168377a64f7a96c82e8bc90ca9c046758f81786e09cf6a9218264a66b48ccaed57d32e9eac2701c864b3b7be0

  • C:\Users\Admin\AppData\Local\Temp\DEMAB9.exe

    Filesize

    15KB

    MD5

    e0574cb5519a88142ceb503c834c25f1

    SHA1

    955c08fe3a9eda3cb6e0483c3be1fa2f315777e0

    SHA256

    e49328ca115b50f55c0e64e4e59b1a12eaa183dc12e820fd9d7347a4813aa243

    SHA512

    669c9b7ad12483e88c718ea9c2379f748c9d185d52581867342d6aa2173f02ad5f890013f7ffe2215383f176db530adeba4ecc625816529dae43bb6490b91aa5

  • C:\Users\Admin\AppData\Local\Temp\DEMB4B9.exe

    Filesize

    15KB

    MD5

    1d1a82a8f4d55122ac3dc80dff39c37d

    SHA1

    ed104f05442908de7d21a1becff27d12581a24d7

    SHA256

    df93a606d1003481b22c800dd910275dfb8866b83af16f52b6c83a2080cb169d

    SHA512

    b5a57715ef39ea7eb609b36cab179a08d91854242343781919b6008edf41434aeb83c57b7ed09113be965647f1b44232bf67792f04b2bfbe52126f65d33c1eac

  • C:\Users\Admin\AppData\Local\Temp\DEMB774.exe

    Filesize

    15KB

    MD5

    e1083561868088a6c2c2f9ea15e04f0f

    SHA1

    ec9094ed2678f4fafeb91662f44ba89ba47723d6

    SHA256

    b6dec9a9a6ace80d2aadba256a801eeee2e5ac6b0689b2b48e769e539b93d59d

    SHA512

    b1e2894c40421bbb92e469d752f73a36ee0cce98ea9558873e82169d10ea1fc0543e076f906be78efcbd7cc819234e26113cf7f418790d6cbd9b44cbbad53f03

  • C:\Users\Admin\AppData\Local\Temp\DEMD54.exe

    Filesize

    15KB

    MD5

    a902b1348bb6b6df1807619254683c01

    SHA1

    6ddcc926041492b42e9dc33fc2f911371d5be82b

    SHA256

    57a32c47731f0d67ba8f4e6ea58440fc834a9c39a195075f01496c0d424274a0

    SHA512

    c8ab907d39a47eb039026306ebe1c5acb209ff545ded87f91d1e71ae17a6b84d88fb5983634bd0d2ae76c065b1117e0255689a928df28479f13e1c40151f1295