Analysis

  • max time kernel
    133s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/06/2024, 06:46

General

  • Target
    150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe
  • Size
    14KB
  • MD5
    150905c22aba1839292edc2a59e4b2f8
  • SHA1
    22df283ac4a6b45d33f738bcf5ed1370a974448d
  • SHA256
    71a6f5ce884e108ee0a02d453e91beca10021ce4d56a1cea16994ce732e3de74
  • SHA512
    2074a83ab71afdfb936d6bf5d68515ccec8f616e78651d832c12ae04f486cafa3f459f3baf03657252083a54c9305f4e881c3c9a9c3fbfb4d1377d0b2d079801
  • SSDEEP
    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlbv:hDXWipuE+K3/SSHgxmlbv

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3860
    • C:\Users\Admin\AppData\Local\Temp\DEM4BFD.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4BFD.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4796
      • C:\Users\Admin\AppData\Local\Temp\DEMA27A.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMA27A.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1536
        • C:\Users\Admin\AppData\Local\Temp\DEMF8E7.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMF8E7.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3936
          • C:\Users\Admin\AppData\Local\Temp\DEM4F73.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM4F73.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3644
            • C:\Users\Admin\AppData\Local\Temp\DEMA5EF.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMA5EF.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4776
              • C:\Users\Admin\AppData\Local\Temp\DEMFC5C.exe
                "C:\Users\Admin\AppData\Local\Temp\DEMFC5C.exe"
                7⤵
                • Executes dropped EXE
                PID:3328

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM4BFD.exe
    Filesize: 14KB
    MD5: 7695c8688d81360ee7dcd8681102760a
    SHA1: 4b49ef66c7438c1d18e571c7d3a4a47f24b14d23
    SHA256: 696c43ce3250470df1bf533dc37582042228761b1c3d208776f605598853a0be
    SHA512: 9ef125ba9e1630c5c4fde4be98fd75b7f4535d6ed2a1ae7f5b2ca3b5e3100b54da355c5f393e76f1fa52ed346284ace26383d9bfd8a66cd60feb21b3f2623349

  • C:\Users\Admin\AppData\Local\Temp\DEM4F73.exe
    Filesize: 14KB
    MD5: 411588a5832869bd909f8ba840286c57
    SHA1: 08dd4411100d20e86f9805a4bfc1e67906d44e4c
    SHA256: 0ab89a28675458d9ecf3fbc4ab5508d8cb389312760ec61146b6f31cc76bedb5
    SHA512: 2eeb08b0581cf75a889d8c455f71b613e638003262932a70189826a45b3771ba87ff2359bc20421d535314bc35534f083fbafe03a59bd870b1b53722186b830e

  • C:\Users\Admin\AppData\Local\Temp\DEMA27A.exe
    Filesize: 14KB
    MD5: 1d616885af36c8cb63057d637c7e871b
    SHA1: d8d25405056e5faa5218aee2d20cbdfdaf75b51a
    SHA256: 6af03e9d93f93f1e6388e583254f7ee39a43fdc2d33e7836df59ac1a8457b5bb
    SHA512: 86bf351f692b66660ca7ebf7d500749034eedc73265c75381389961d41adf2724e2812a002acb7f289a78221946ff7ccf1a83b0488ca7e09a0fa0d995ba9ef75

  • C:\Users\Admin\AppData\Local\Temp\DEMA5EF.exe
    Filesize: 14KB
    MD5: 2665648d61ab2c2eac9785d806c578e2
    SHA1: 47123cb47368a0f1e73960030353f31f16f20089
    SHA256: 6bd623f3e62873a240a5101205484e192f39a961b744eca9341d9d0786671c83
    SHA512: 9e3c38c56d1af721f53f6b9a7fadecff573fa833662036447f6695d91478ec1959273b4cb4f789a3175fc68586771939916cbf26b8beb06269cfa4e06860ccfd

  • C:\Users\Admin\AppData\Local\Temp\DEMF8E7.exe
    Filesize: 14KB
    MD5: 0ea3dd68e1f8ac42502fcde9db31f8f4
    SHA1: 30d009ad738f0d068c8116cf30d0dd7a328228e5
    SHA256: cdf95c6bf7695a159c9bc528c9e9a747e8336f7f411ab0a1b80c3e324ce66697
    SHA512: a676786df02fbaa121ff5b483239c2d2ca75731ddb87de7e117f2f1823520617462292391ed1fbe975d88f40285446230e04a69a2771a8275b0fb06ca9ed408d

  • C:\Users\Admin\AppData\Local\Temp\DEMFC5C.exe
    Filesize: 15KB
    MD5: 44e53b10870e06855300c51aa72836ec
    SHA1: 6fb4084619f9edf26b84db5352a505710279c685
    SHA256: fd7c70d2805c3f027d7f081c4ad5599e57e84561d25db2eabda574aeb5b173b4
    SHA512: 1b4969e9d1ac3156aa78441fe71038c40b9b7d769719e780ef64599cdb9ff3bd83d774b48183ac1db44974de16d13e13d960769e6885009e34f4aa5c71435bed