Analysis

  • max time kernel
    133s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/06/2024, 12:52

General

  • Target

    089db6727582e6e158b513367b561a46_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    089db6727582e6e158b513367b561a46

  • SHA1

    d5b7e927cc79273771472132597b432a096797bd

  • SHA256

    675df4e95365007f3f3da8fd28b1e6687cfd513217718b01b8f0ea7562637a21

  • SHA512

    e914061db4383ca435323fbce02b923ba23b0f23cf1593c020331097fa73bd8d1a948971cdb29595a14be85f97848257902e721cc9a153d9b8c516d44d417298

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZXd2:hDXWipuE+K3/SSHgx3N2

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\089db6727582e6e158b513367b561a46_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\089db6727582e6e158b513367b561a46_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3536
    • C:\Users\Admin\AppData\Local\Temp\DEM49F9.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM49F9.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:384
      • C:\Users\Admin\AppData\Local\Temp\DEMA076.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMA076.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4740
        • C:\Users\Admin\AppData\Local\Temp\DEMF6A4.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMF6A4.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3288
          • C:\Users\Admin\AppData\Local\Temp\DEM4CF2.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM4CF2.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2140
            • C:\Users\Admin\AppData\Local\Temp\DEMA37E.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMA37E.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4380
              • C:\Users\Admin\AppData\Local\Temp\DEMF9DC.exe
                "C:\Users\Admin\AppData\Local\Temp\DEMF9DC.exe"
                7⤵
                • Executes dropped EXE
                PID:1752
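The tree above is a seven-deep chain in which every stage writes a new 14 KB executable into %TEMP% and launches it; the page tags each child with "Executes dropped EXE". Below is an added detection example (not part of the tria.ge report, and not tria.ge's own signature logic) that walks a sandbox process tree, measures how many consecutive parent-to-child hops are %TEMP%-to-%TEMP% drop-and-execute steps, and flags chains at or above a depth threshold. The process list is constructed from the Processes section of this report. The check that dropped names look like `<1-3 chars><4 hex>.exe` is an inference from the DEM49F9.exe-style names on the page (the shape GetTempFileName produces), not something the report states; the `min_depth=3` threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed from the report's Processes section: (pid, parent pid, image path, signatures).
PROCS = [
    (3536, None, r"C:\Users\Admin\AppData\Local\Temp\089db6727582e6e158b513367b561a46_JaffaCakes118.exe",
     {"Checks computer location settings", "Suspicious use of WriteProcessMemory"}),
    (384, 3536, r"C:\Users\Admin\AppData\Local\Temp\DEM49F9.exe",
     {"Checks computer location settings", "Executes dropped EXE", "Suspicious use of WriteProcessMemory"}),
    (4740, 384, r"C:\Users\Admin\AppData\Local\Temp\DEMA076.exe",
     {"Checks computer location settings", "Executes dropped EXE", "Suspicious use of WriteProcessMemory"}),
    (3288, 4740, r"C:\Users\Admin\AppData\Local\Temp\DEMF6A4.exe",
     {"Checks computer location settings", "Executes dropped EXE", "Suspicious use of WriteProcessMemory"}),
    (2140, 3288, r"C:\Users\Admin\AppData\Local\Temp\DEM4CF2.exe",
     {"Checks computer location settings", "Executes dropped EXE", "Suspicious use of WriteProcessMemory"}),
    (4380, 2140, r"C:\Users\Admin\AppData\Local\Temp\DEMA37E.exe",
     {"Checks computer location settings", "Executes dropped EXE", "Suspicious use of WriteProcessMemory"}),
    (1752, 4380, r"C:\Users\Admin\AppData\Local\Temp\DEMF9DC.exe",
     {"Executes dropped EXE"}),
]

TEMP_DIR = r"c:\users\admin\appdata\local\temp"
# Assumption: GetTempFileName-style name, 1-3 prefix chars then 4 hex digits, as seen on the page.
TEMPNAME_RE = re.compile(r"^[A-Za-z0-9]{1,3}[0-9A-F]{4}\.exe$", re.I)


def in_temp(path):
    return path.lower().startswith(TEMP_DIR + "\\")


def basename(path):
    # os.path.basename does not split on '\' when run on POSIX, so split by hand.
    return path.rsplit("\\", 1)[-1]


def chains(procs):
    """Return every root-to-leaf path through the process tree as a list of process tuples."""
    by_pid = {p[0]: p for p in procs}
    children = defaultdict(list)
    for pid, ppid, _, _ in procs:
        children[ppid].append(pid)
    out = []

    def walk(pid, path):
        path = path + [by_pid[pid]]
        if not children[pid]:
            out.append(path)
        for child in children[pid]:
            walk(child, path)

    for root in children[None]:
        walk(root, [])
    return out


def drop_chain_depth(chain):
    """Count consecutive hops where a %TEMP% parent launches a dropped EXE that also lives in %TEMP%."""
    depth = 0
    for parent, child in zip(chain, chain[1:]):
        if in_temp(parent[2]) and in_temp(child[2]) and "Executes dropped EXE" in child[3]:
            depth += 1
        else:
            break
    return depth


def assess(procs, min_depth=3):
    """Flag every chain whose drop-and-execute depth reaches min_depth (assumed threshold)."""
    findings = []
    for chain in chains(procs):
        depth = drop_chain_depth(chain)
        if depth >= min_depth:
            names = [basename(p[2]) for p in chain]
            findings.append({
                "depth": depth,
                "pids": [p[0] for p in chain],
                "chain": names,
                # True when every dropped stage uses a temp-file-style name.
                "tempfile_names": all(TEMPNAME_RE.match(n) for n in names[1:]),
            })
    return findings


if __name__ == "__main__":
    for f in assess(PROCS):
        print(f"depth={f['depth']} tempfile_names={f['tempfile_names']} " + " -> ".join(f["chain"]))
```

Run against this report the single chain scores depth 6 (six dropped stages under the original sample) with every dropped name matching the temp-file pattern; a benign installer that extracts one helper into %TEMP% scores 1 and stays under the threshold.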

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM49F9.exe

    Filesize

    14KB

    MD5

    5ee465a809a3442c85a3e41e74cc97ad

    SHA1

    1571fb1d44eb7cc2cddb1e75968dc521dc601741

    SHA256

    5c5be811f832985b0dbe4f407421548ea1fe73fe87d7658e13a42cd446cd32f0

    SHA512

    a5f3a58896cd8778a4950bbe828b881e56ff1a7745ecea4c083658f5abeff36d70c9e96d5b5b00e428f1c3e47a39257a21e06a838801659ca10fce5928865b85

  • C:\Users\Admin\AppData\Local\Temp\DEM4CF2.exe

    Filesize

    14KB

    MD5

    71cb0156d8b13bb648a18a070d998a23

    SHA1

    71f3e2ca0031f6da0bb25e92c3466d070f8c74af

    SHA256

    0d27f5d8a1c4d89fac014fbdacbfd12daada9cd1af413c9ec7d04d0a5d07ac8f

    SHA512

    59f38473f3cd34883c122eb45ea453a9d299867388a18e324f4718da3c4d2da831ea3f98bb2712a8f3615ef63442a0483b90d072e79317ee3bc6e796a7307c13

  • C:\Users\Admin\AppData\Local\Temp\DEMA076.exe

    Filesize

    14KB

    MD5

    eff567fb2517cf2a63fbecfde66b52ac

    SHA1

    e5939e8b0c8473c24c2bb7a0df04ae1cf9c29f6c

    SHA256

    6c1501b28f8bc12febed3a6026b783d143d3edf5e5c6c72669efd4b7c4985749

    SHA512

    4aacce345a5d9f198a02030e7cfce09157e197333c2607aeece434cfafa3072b0691d02d0f0cac1e96a1204f547223908a8da8bc73ffdc347fc1987de42faed7

  • C:\Users\Admin\AppData\Local\Temp\DEMA37E.exe

    Filesize

    14KB

    MD5

    4e74c0e407cd30d50a8ffa72ebd7e53a

    SHA1

    cc2028c058234aa291d1979a88364061d8129799

    SHA256

    aab3e9dd952eceafa38036a970364dae197dc5b94d04b8a9f767db88d9f32e99

    SHA512

    7c784f1a901f4f7c43522b0c28590ddc1cff7275e9781c5ae6a8ac505cde783b6528e968e2779647e1927bae6ad66727b2bcc3782eb7f01bb774af8e321f75bc

  • C:\Users\Admin\AppData\Local\Temp\DEMF6A4.exe

    Filesize

    14KB

    MD5

    2566c628ca0615cd8dfbb51a3ff7ddec

    SHA1

    4d3f7b00e4ac01cab8f9de714adfc2284dd1aa0a

    SHA256

    514ca71b1097310d120c597ced9577657059459d4b8c25a3bd680023b2b933dd

    SHA512

    7c3c2051383f354640de20aeb9c2dc86b012124536c7fbf222bfda899a378a2dc710daca169d60b64cf41e8e1757e6c8de7c545958d9807736ea9916920eb0c5

  • C:\Users\Admin\AppData\Local\Temp\DEMF9DC.exe

    Filesize

    14KB

    MD5

    ad573846b9d3fc044af79179b1a1a5e2

    SHA1

    0e3c0402f2892ccb4a99f8ff69b1f47bccac793f

    SHA256

    853a68d52894219e36d8e7033e9d54a70e87a75d80a32cae02d0b72dd0384f58

    SHA512

    790b7b20ddd4599a1364379148efc6268e6bc28aaa1bc07608a2ec549b738dd477e6f60c697232de77bccef2f97e5c5afd86e0ae3991b0e7a94f105e6a290720
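The Downloads section lists four digests per dropped file. The following added example (not code from tria.ge or from the report) parses that exact label/value layout into IOC records, validates each digest's length and hex charset before trusting it, and then checks arbitrary file bytes against the resulting index using the same four algorithms. The embedded report text is a constructed copy of the first and last entries above; the other four follow the same layout and parse the same way.

```python
import hashlib
import re

# Constructed from the report's Downloads section (first and last dropped EXE), in the page's layout.
REPORT_DOWNLOADS = r"""
  • C:\Users\Admin\AppData\Local\Temp\DEM49F9.exe
    Filesize
    14KB
    MD5
    5ee465a809a3442c85a3e41e74cc97ad
    SHA1
    1571fb1d44eb7cc2cddb1e75968dc521dc601741
    SHA256
    5c5be811f832985b0dbe4f407421548ea1fe73fe87d7658e13a42cd446cd32f0
    SHA512
    a5f3a58896cd8778a4950bbe828b881e56ff1a7745ecea4c083658f5abeff36d70c9e96d5b5b00e428f1c3e47a39257a21e06a838801659ca10fce5928865b85
  • C:\Users\Admin\AppData\Local\Temp\DEMF9DC.exe
    Filesize
    14KB
    MD5
    ad573846b9d3fc044af79179b1a1a5e2
    SHA1
    0e3c0402f2892ccb4a99f8ff69b1f47bccac793f
    SHA256
    853a68d52894219e36d8e7033e9d54a70e87a75d80a32cae02d0b72dd0384f58
    SHA512
    790b7b20ddd4599a1364379148efc6268e6bc28aaa1bc07608a2ec549b738dd477e6f60c697232de77bccef2f97e5c5afd86e0ae3991b0e7a94f105e6a290720
"""

HASH_LENS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_downloads(text):
    """Turn each '•' path plus its label/value pairs into a dict; reject malformed digests."""
    entries, cur = [], None
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("•"):
            cur = {"path": line[1:].strip()}
            entries.append(cur)
            i += 1
        elif cur is not None and (line in HASH_LENS or line == "Filesize") and i + 1 < len(lines):
            val = lines[i + 1]
            if line in HASH_LENS and not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LENS[line], val):
                raise ValueError(f"{cur['path']}: malformed {line} digest {val!r}")
            cur[line.lower()] = val
            i += 2
        else:
            i += 1
    return entries


def ioc_index(entries):
    """Map every digest, whatever the algorithm, back to the dropped-file path it belongs to."""
    return {e[k]: e["path"] for e in entries for k in ("md5", "sha1", "sha256", "sha512") if k in e}


def digests(data):
    """Compute the same four digests the report lists, as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256", "sha512")}


def match(data, index):
    """Return the dropped-file path whose digest equals that of `data`, else None.
    Any one algorithm agreeing is enough, so a feed that carries only MD5 still matches."""
    for h in digests(data).values():
        if h in index:
            return index[h]
    return None


if __name__ == "__main__":
    idx = ioc_index(parse_downloads(REPORT_DOWNLOADS))
    print(f"{len(idx)} digests indexed; empty file matches: {match(b'', idx)}")
```

Because the index is keyed on the digest value rather than on the algorithm, a sample can be matched from whichever hash a downstream feed happens to carry; the parser's hex check is what stops a truncated or copy-pasted digest from silently becoming an IOC that never fires.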