Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
  • submitted
    10/07/2024, 18:24

General

  • Target

    35dd25c590ee4de5137c3b36a1af1c66_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    35dd25c590ee4de5137c3b36a1af1c66

  • SHA1

    bdc36e0effb2fe58c79be5be25117781d75850e4

  • SHA256

    5c0d3b8c26b55ea82e432bd5b125f5a0659f99fb459e77629a8a84c2c1a2de7e

  • SHA512

    f5231281046e94e73015172724935b4a9726d83ebfc531b23613b105dede4ac5e3bcaf8814f46907b74dfea32dfbbe1638dd0926ff3206f4e7e9dedb5c839b33

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlp:hDXWipuE+K3/SSHgxmlp

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 6 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (6 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\35dd25c590ee4de5137c3b36a1af1c66_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\35dd25c590ee4de5137c3b36a1af1c66_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1880
    • C:\Users\Admin\AppData\Local\Temp\DEMAECE.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMAECE.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:620
      • C:\Users\Admin\AppData\Local\Temp\DEM73E.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM73E.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2972
        • C:\Users\Admin\AppData\Local\Temp\DEM5DBB.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM5DBB.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3560
          • C:\Users\Admin\AppData\Local\Temp\DEMB438.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMB438.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1980
            • C:\Users\Admin\AppData\Local\Temp\DEMA95.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMA95.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:544
              • C:\Users\Admin\AppData\Local\Temp\DEM6102.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM6102.exe"
                7⤵
                • Executes dropped EXE
                PID:316
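The process tree above is a seven-stage drop-and-execute chain: each stage writes the next DEM*.exe into the user's Temp directory and launches it (the "Executes dropped EXE" signature fires on every child), and every stage but the last also matches the location check and WriteProcessMemory signatures. The Python below is an added example, not part of the Triage report or of the sample: it rebuilds the tree from the PIDs and paths listed above (constructed input) and the files listed under Downloads, then flags a root process whose descendants form a chain of dropped executables run from %TEMP%. The GetTempFileName-style name heuristic (three-letter prefix plus up to four hex digits) is an assumption about how the DEM names were produced; the report does not say.

```python
import re
from collections import defaultdict

# Constructed from the report's process tree: (pid, parent_pid, image_path).
# Parent links follow the nesting shown above; PIDs and paths are the report's.
PROCESS_EVENTS = [
    (1880, None, r"C:\Users\Admin\AppData\Local\Temp\35dd25c590ee4de5137c3b36a1af1c66_JaffaCakes118.exe"),
    (620,  1880, r"C:\Users\Admin\AppData\Local\Temp\DEMAECE.exe"),
    (2972, 620,  r"C:\Users\Admin\AppData\Local\Temp\DEM73E.exe"),
    (3560, 2972, r"C:\Users\Admin\AppData\Local\Temp\DEM5DBB.exe"),
    (1980, 3560, r"C:\Users\Admin\AppData\Local\Temp\DEMB438.exe"),
    (544,  1980, r"C:\Users\Admin\AppData\Local\Temp\DEMA95.exe"),
    (316,  544,  r"C:\Users\Admin\AppData\Local\Temp\DEM6102.exe"),
]

# Paths the report lists under "Downloads", i.e. files written during the run.
# In live telemetry these would come from file-create events (e.g. Sysmon ID 11).
DROPPED_FILES = {
    r"C:\Users\Admin\AppData\Local\Temp\DEMAECE.exe",
    r"C:\Users\Admin\AppData\Local\Temp\DEM73E.exe",
    r"C:\Users\Admin\AppData\Local\Temp\DEM5DBB.exe",
    r"C:\Users\Admin\AppData\Local\Temp\DEMB438.exe",
    r"C:\Users\Admin\AppData\Local\Temp\DEMA95.exe",
    r"C:\Users\Admin\AppData\Local\Temp\DEM6102.exe",
}

# Per-user temp directory on Windows.
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# Heuristic (assumption, not from the report): GetTempFileName-style names,
# a three-letter prefix followed by up to four hex digits, renamed to .exe.
TEMPNAME_RE = re.compile(r"^[a-z]{3}[0-9a-f]{1,4}\.exe$", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def is_dropped_temp_exe(path, dropped):
    """True if the image was written during the run and lives in %TEMP%."""
    return bool(USER_TEMP_RE.match(path)) and path.lower() in dropped


def longest_drop_chain(pid, children, images, dropped):
    """Longest pid path from `pid` downward in which every child is a dropped
    executable run from %TEMP%. Returns a list of pids starting with `pid`."""
    best = [pid]
    for child in children[pid]:
        if is_dropped_temp_exe(images[child], dropped):
            candidate = [pid] + longest_drop_chain(child, children, images, dropped)
            if len(candidate) > len(best):
                best = candidate
    return best


def find_drop_chains(events, dropped_files, min_stages=2):
    """One finding per root process whose descendants form a drop-and-execute
    chain of at least `min_stages` dropped executables."""
    dropped = {p.lower() for p in dropped_files}
    images = {pid: path for pid, _, path in events}
    children = defaultdict(list)
    roots = []
    for pid, ppid, _ in events:
        if ppid is None or ppid not in images:   # parent unknown: treat as a root
            roots.append(pid)
        else:
            children[ppid].append(pid)
    findings = []
    for root in roots:
        chain = longest_drop_chain(root, children, images, dropped)
        stages = len(chain) - 1
        if stages >= min_stages:
            findings.append({
                "root_pid": root,
                "stages": stages,
                "chain": [(pid, basename(images[pid])) for pid in chain],
                "tempname_style": all(TEMPNAME_RE.match(basename(images[pid])) for pid in chain[1:]),
            })
    return findings


if __name__ == "__main__":
    for f in find_drop_chains(PROCESS_EVENTS, DROPPED_FILES):
        print(f"root pid {f['root_pid']}: {f['stages']} dropped stages, temp-style names: {f['tempname_style']}")
        print("  " + " -> ".join(f"{pid}:{name}" for pid, name in f["chain"]))
```

Run against the report's tree this yields a single finding rooted at PID 1880 with six dropped stages. The Downloads list stands in for file-create telemetry; in a SIEM the same logic joins process-create events to earlier file-create events on the same path, and the `min_stages` threshold keeps ordinary installers (one dropped helper) out of the alert. The WriteProcessMemory signature on every parent in the chain is consistent with a dropper writing into the child it just created, but the report shows only the API use, not what was written.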

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM5DBB.exe

    Filesize

    14KB

    MD5

    c1a1bc53e2204d1bbd46f49e2305be4f

    SHA1

    6ccaac54970bc6f17b905d43e53fc5625e4d73b7

    SHA256

    af14b0fc458514e84e1f897c500c9c810c02aebd2b6c36e4a28f0d9193b518ec

    SHA512

    5f3927cd55d8bbc8dce8f97e7cf1cf84c0bd515abf7d58fddf76f816c5fb58d51e56dfa5412f62746d878e3a8eed4e0b5e7af13d320267dec4eae576b9868b8a

  • C:\Users\Admin\AppData\Local\Temp\DEM6102.exe

    Filesize

    15KB

    MD5

    4a0adcace75a5a681beeae3d11ab2753

    SHA1

    ae657353d5c41437c90d893c1d11e8733e666080

    SHA256

    6e8e07218e280fad6dfe6548eacbc123359df9c88161518b3b456b7df5d0ad0f

    SHA512

    763e0e2c4c5be0242bfd7b3bab4412db56a9d9ebe2fd870a7be4c29f05a82761f32d3a8ba32779d9cc71a2339208858abb32dc72e3a218323260e21c5c3d9f49

  • C:\Users\Admin\AppData\Local\Temp\DEM73E.exe

    Filesize

    14KB

    MD5

    e44b77528f7ecfdbd91d5407d33373e4

    SHA1

    670218429a3cad22879812447c7c7dff923d91b8

    SHA256

    15b7e80bfe8e3f7615d1019d5b28dda75e4596958dd9e5e8c546e5530a2d4124

    SHA512

    b7bf797b0ad8245aa52c0dcce3b97eace23c3aff5407e0e27ebd883b76529ea0bbcd49dfc42997d39379591461f21545e2f9dd729fbe33cc710229a673962c52

  • C:\Users\Admin\AppData\Local\Temp\DEMA95.exe

    Filesize

    15KB

    MD5

    995b589a749cf7ffa8e599da82484343

    SHA1

    a6f61521cf23af1865c1c7cda140da7dc3d9b0a1

    SHA256

    1475bcf83a477b9f117063588b4be8f35413cd9f7bb5feaf2830d900439fc070

    SHA512

    2f2ed8b15bbbef66c196366e3d6b1b8d3a0f8157cc452804082fba47ca66e046d45db8060db2a0dd362f1e36237cc66cb23b534ec99a7776ed04ec914e9f6540

  • C:\Users\Admin\AppData\Local\Temp\DEMAECE.exe

    Filesize

    14KB

    MD5

    784c595a100f671eb585d9b7f35ece63

    SHA1

    ec8bd392869db5a3f6a51ebd94393865a82e9b38

    SHA256

    72101c9aaa04a25a6e929d3f82437e389580f5ea00070b71e414ec8afffc861f

    SHA512

    da1975e2a237ff0faf35a01da00c7382797e088986815d9e119dc73bd6b819c490a2d6b361dabb928caca1ae8352648575a6282639edfda2d08b8bb8c5103b4c

  • C:\Users\Admin\AppData\Local\Temp\DEMB438.exe

    Filesize

    15KB

    MD5

    d3dc6036cf081c77fbc51aea9e1704cc

    SHA1

    aae63a40584d63444078365f83ccb066940c5168

    SHA256

    943819dd6dd7d0c53b9bdf2dc120eca141cd0e2af08ea56aab1453437183e440

    SHA512

    f8142f769da1fa5515f7c4bc268615af97706fbd11de40aefbf00dcf435940bff28d9e53178c78231add9187e603496d8908d08476ea490a1572f52224bf45b9