Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/06/2024, 05:16

General

  • Target

    18e89d4d859a4b25523ded273b70dfd8_JaffaCakes118.exe

  • Size

    15KB

  • MD5

    18e89d4d859a4b25523ded273b70dfd8

  • SHA1

    6ece8775a2efe99c7cbf6801de747d198b983cc5

  • SHA256

    eb27d1687bb5a5ff2f6a33fee9afbd1cca5864152c36baaec046e8b1870ab006

  • SHA512

    bd2b95f150ec8b38a53f5c9c9c023ca5512788d452ddd61691cb91346887b218f1d7ecedfe4021cedde5ce976ec75ba51cda591ed097aaf0f518d3112c62d0cf

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxw:hDXWipuE+K3/SSHgxmHi

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18e89d4d859a4b25523ded273b70dfd8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\18e89d4d859a4b25523ded273b70dfd8_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4456
    • C:\Users\Admin\AppData\Local\Temp\DEM3D47.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3D47.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:5056
      • C:\Users\Admin\AppData\Local\Temp\DEM9385.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM9385.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4676
        • C:\Users\Admin\AppData\Local\Temp\DEME9F2.exe
          "C:\Users\Admin\AppData\Local\Temp\DEME9F2.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:936
          • C:\Users\Admin\AppData\Local\Temp\DEM405F.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM405F.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1152
            • C:\Users\Admin\AppData\Local\Temp\DEM969E.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM969E.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:3812
              • C:\Users\Admin\AppData\Local\Temp\DEMECFB.exe
                "C:\Users\Admin\AppData\Local\Temp\DEMECFB.exe"
                7⤵
                • Executes dropped EXE
                PID:4716

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM3D47.exe

    Filesize

    15KB

    MD5

    47cd6c652a3fff986255d6046a9f0289

    SHA1

    9e3d09ae19a1da578ced89b168aa084bd69738d9

    SHA256

    8eaf55fe9d7ac98b0e18d5628aa06ec06df4b419450b40d9000dd67a150ac8af

    SHA512

    79945688893d8bb38774b894649797c28464fef8367940558683244bc8b2eb8161ecb887b5d2d91469dad5122d1890a5205e5355a384fc21c35dd61621666694

  • C:\Users\Admin\AppData\Local\Temp\DEM405F.exe

    Filesize

    15KB

    MD5

    5217e034cad2daaa6ba5996498300b35

    SHA1

    2443d7cadd351d83f8864369bbd3e74e65215efd

    SHA256

    2c2fb4dbc1e655ac184ec9f7cc9a11eeb75d07103f6ed4acea07c2adf2469d99

    SHA512

    b2bb15d18311a10eebe45840b28b75f5f864a632704d41b5e8f721ca1324440f87ceedaf04a1086f97ca2634a00651678efb66460032e9d421ca961b4d8dbc49

  • C:\Users\Admin\AppData\Local\Temp\DEM9385.exe

    Filesize

    15KB

    MD5

    d4ff59cb242af434d20752d6298b1cb8

    SHA1

    c7e1ac95d784258248acd826b5d3a9dfa930af81

    SHA256

    eb68969afac79f07744aa0fd70b98e64f8bacacfcf23150c40e8667d4cdf7c77

    SHA512

    c4f49b108e8f58737aa8649b1a5a8017d804657e5d6327637cdff50cd90342e9348d59829ce80124aa6096d8c7f3e1b22eb7508abdd291f320143786214881da

  • C:\Users\Admin\AppData\Local\Temp\DEM969E.exe

    Filesize

    15KB

    MD5

    9b1b88fe4d2c223ae6b133c7adeefbd0

    SHA1

    dccc4d83ced772543b58a996c78af0ef37305080

    SHA256

    16705aee9efdf8c958ad7d590bf3e36b7bdc7f102036b2daf1d342043d1a1976

    SHA512

    8365d200b39d9ddaf7b05d4637b71f241fcb28010402e6028c97d779b72efdc1fd6661485fa044354e65719867be16e2b1259a2bd790f513c1cb66c7aba47095

  • C:\Users\Admin\AppData\Local\Temp\DEME9F2.exe

    Filesize

    15KB

    MD5

    49706f93eef0f06d5044c25f74027455

    SHA1

    5f5b74516bfff83722fd6c74ca3be3694f38f750

    SHA256

    3c795aff701d6fcea90f22713b2e383059866defef6089d354f95f2b78547ed1

    SHA512

    ca5e35139223d4c159a6defe98ff2703f97e185b749966df85d9f257cb4667078ea0fcf14f7a85aa6da499f50a573843c4a50c3c4bc7d5c5f51721e4d78a941c

  • C:\Users\Admin\AppData\Local\Temp\DEMECFB.exe

    Filesize

    15KB

    MD5

    d06ad177caec4512f005d6b7e0d93ede

    SHA1

    41d4fdc4c8c91ea05e2e1a47b5b3cdbb3b83928c

    SHA256

    fbddcb962a82a8a58a415c343ec02cbd4d92d944c57daf56854a948d646975c2

    SHA512

    2dca5c7d1403a43652665e6bf532412326ed00ca283dbf70af670ab206bd0bed70342ab959fd5fbe237863178180b01184c39e9b29eda7825a9f48694dca0e46