Analysis

  • max time kernel
    132s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/07/2024, 10:09

General

  • Target

    3cf247671286280afaeead77b0bb1cd2_JaffaCakes118.exe

  • Size

    15KB

  • MD5

    3cf247671286280afaeead77b0bb1cd2

  • SHA1

    85dda666303773e5cec415886a45a5ef565e897b

  • SHA256

    4c25447b768f8569e5f3651841f5cd1d9e60a88ea2c499256eee86ef7333d61f

  • SHA512

    d43a6108516e3a93aeaf91110150d59b59904c5a7a6643e778ec8c8883c6ae9e9808cf877416ffd5af6df26976fcdc761f4eec2744ac069544ca9128f82a34ad

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYln:hDXWipuE+K3/SSHgxmln

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3cf247671286280afaeead77b0bb1cd2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3cf247671286280afaeead77b0bb1cd2_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3344
    • C:\Users\Admin\AppData\Local\Temp\DEMBA95.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBA95.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3384
      • C:\Users\Admin\AppData\Local\Temp\DEM118F.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM118F.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1976
        • C:\Users\Admin\AppData\Local\Temp\DEM678F.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM678F.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:5076
          • C:\Users\Admin\AppData\Local\Temp\DEMBDAE.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMBDAE.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4188
            • C:\Users\Admin\AppData\Local\Temp\DEM13AD.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM13AD.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4144
              • C:\Users\Admin\AppData\Local\Temp\DEM69DC.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM69DC.exe"
                7⤵
                • Executes dropped EXE
                PID:708
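
The process tree above is a seven-stage chain in which each Temp-resident executable drops the next one into the same directory and launches it. The script below is an added example, not part of the tria.ge report or of the sample: it rebuilds such a chain from process-creation telemetry and flags any parent-to-child run of Temp-resident executables at least three deep. The event tuples are constructed from the PIDs and image paths shown in the report; the minimal (pid, ppid, image) record shape, the parent of the first stage and the two benign noise processes are assumptions.

```python
"""Reconstruct dropper chains of Temp-resident executables from process-creation events.

Added example, not from the tria.ge report. EVENTS is constructed from the
report's Processes tree; the (pid, ppid, image) record shape, the parent of the
first stage and the two benign noise processes are assumptions.
"""
import ntpath
import re
from collections import defaultdict

# Constructed from the report's process tree: (pid, ppid, image path).
EVENTS = [
    (1000, 900, r"C:\Windows\explorer.exe"),                       # assumed parent of stage 1
    (2222, 1000, r"C:\Windows\System32\notepad.exe"),              # assumed benign noise
    (3344, 1000, r"C:\Users\Admin\AppData\Local\Temp\3cf247671286280afaeead77b0bb1cd2_JaffaCakes118.exe"),
    (3384, 3344, r"C:\Users\Admin\AppData\Local\Temp\DEMBA95.exe"),
    (1976, 3384, r"C:\Users\Admin\AppData\Local\Temp\DEM118F.exe"),
    (5076, 1976, r"C:\Users\Admin\AppData\Local\Temp\DEM678F.exe"),
    (4188, 5076, r"C:\Users\Admin\AppData\Local\Temp\DEMBDAE.exe"),
    (4144, 4188, r"C:\Users\Admin\AppData\Local\Temp\DEM13AD.exe"),
    (708, 4144, r"C:\Users\Admin\AppData\Local\Temp\DEM69DC.exe"),
]

# Per-user Temp directory on Windows, matched case-insensitively.
TEMP_DIR_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def is_temp_exe(image: str) -> bool:
    """True for an executable image that lives under a user's Temp directory."""
    return bool(TEMP_DIR_RE.match(image)) and image.lower().endswith(".exe")


def build_chains(events, min_depth: int = 3):
    """Return every maximal parent->child run of Temp-resident executables that
    is at least min_depth processes long, as lists of PIDs.

    A chain starts at a Temp executable whose parent is not one (or is unknown)
    and follows the longest descending path of Temp executables. Caveat: Windows
    reuses PIDs; real telemetry should key on a process GUID instead.
    """
    image = {pid: img for pid, _, img in events}
    ppid_of = {pid: ppid for pid, ppid, _ in events}
    children = defaultdict(list)
    for pid, ppid, _ in events:
        children[ppid].append(pid)

    def longest_run(pid):
        best = []
        for child in children.get(pid, []):
            if is_temp_exe(image[child]):
                run = longest_run(child)
                if len(run) > len(best):
                    best = run
        return [pid] + best

    chains = []
    for pid, img in image.items():
        if not is_temp_exe(img):
            continue
        if is_temp_exe(image.get(ppid_of[pid], "")):
            continue  # an interior stage, not the root of a chain
        run = longest_run(pid)
        if len(run) >= min_depth:
            chains.append(run)
    return chains


def describe(chain, events):
    """Render a chain as 'pid:basename' steps for an analyst's notes."""
    image = {pid: img for pid, _, img in events}
    return [f"{pid}:{ntpath.basename(image[pid])}" for pid in chain]


if __name__ == "__main__":
    for chain in build_chains(EVENTS):
        print(f"{len(chain)}-stage dropper chain: " + " -> ".join(describe(chain, EVENTS)))
```

Fed the constructed events, the script reports a single 7-stage chain from PID 3344 down to PID 708, matching the tree in the report; the two benign processes are ignored because neither image is under Temp. On a real host the same logic would run over Sysmon Event ID 1 or EDR process-creation records, keyed on process GUIDs rather than PIDs. Note also that every dropped stage in this report is 15KB and named DEM<4 hex digits>.exe; that is an observation about this sample, not a rule the detection above relies on.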

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM118F.exe

    Filesize

    15KB

    MD5

    0a75bc1aef4a282fc2b71c4222334af5

    SHA1

    0be8f5310cbbad8dfcee9f1e9518b7c77defe3b6

    SHA256

    4c9196ba774f0575d8781c7f9389af619c60837f079770531ef4fe71191c80f4

    SHA512

    1f12897957f9aa5f330b0ccc1b12e70a3da4b809c0e39690426f0e252f7507f9f30074da56933d0c25bb174d8927618fa1debbf5bcaffa7a058435fc245a4184

  • C:\Users\Admin\AppData\Local\Temp\DEM13AD.exe

    Filesize

    15KB

    MD5

    d7c4a1c2861d56c7c547fef68c2814a1

    SHA1

    6cd19d0797e3e57197b4694ed553ee427a14d00d

    SHA256

    487759b3c661674702f18dec01f45ddd3563bd622f33cf1e22ab2994d2502421

    SHA512

    51dae8d2383010ffafdcc515cf1f98fa076bd5dd500824b307e823de22df701d98239ab16b6a80c07aa93ff1291b96e2f182add3f6fb1ba8593485969aaed2a3

  • C:\Users\Admin\AppData\Local\Temp\DEM678F.exe

    Filesize

    15KB

    MD5

    b7a55296870759351c99796e853a5b54

    SHA1

    f0f370d49e6630023f1760317fe46ec59c5c3e33

    SHA256

    7888bbbc8f60750d844d3350b3ef73a7ce92b5d43339d2a4cbd3feb20b03b209

    SHA512

    e39497ce7da1082a295425dc2c1f0a9bdfc2bb15b546004065e24b860f664727f5191cb4b4ae0951f0215dd5f9c1b9af17d3ddb1ec869814d7025b0684ee32cd

  • C:\Users\Admin\AppData\Local\Temp\DEM69DC.exe

    Filesize

    15KB

    MD5

    53a892c55163b86c6bff6ed72fadad88

    SHA1

    df6e5c1be741a1453974556998261aef28c2c1fe

    SHA256

    99036a8d306f433109b70f80f24add8ce23289c1e74c415e2e217886b1f72c5e

    SHA512

    aafff616e122d90d11b49f9597963608fe3bdae8761723d3e7d449021c68f663f54f42c00590c0f5704a2d47145d7e9307483bd2eccb0f72bb2ed3244cc11849

  • C:\Users\Admin\AppData\Local\Temp\DEMBA95.exe

    Filesize

    15KB

    MD5

    54ec9fa08f63b8e9ff2d2223e3d244d3

    SHA1

    26bd954f5751321c4f42f3269effeb49c1a877d7

    SHA256

    25d2766b4bd7272f485d0979d5079dd80680427b979f21289f7f20880da767e3

    SHA512

    5dd8daef606cad4d1ad461ba31f94a7eb604dba94e789fb3917242412ba65225e25de9f0d2907595ff2702308ffdda7bfd818ca270c6b649bb7663576247903d

  • C:\Users\Admin\AppData\Local\Temp\DEMBDAE.exe

    Filesize

    15KB

    MD5

    28827c3e71a5cc31c395d0515848f997

    SHA1

    22edbfdc9be9f5220eec49340d3cae0e17ce77ad

    SHA256

    3cdcb8aba3da980c538498b6898cedb54c4e2856f9f5f60c70540144efc226b6

    SHA512

    b9951628422b83adbcd98083814f4aa3875c26e653c796519c89e63e86226b1200832d570cd27166c41358528bd1d96c4587850b5a0365736c60a1f1fcb8c1b2