
Analysis

  • max time kernel
    133s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/07/2024, 22:52

General

  • Target

    471f65487a818945830a75387a9e8d12_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    471f65487a818945830a75387a9e8d12

  • SHA1

    bf7bd83d25fe095c19c6baa588c484523fdaf719

  • SHA256

    1d07e755bd3d332526e6d172018ac3e887ced44753bb6fe209a0634b974989d0

  • SHA512

    2b47f1f74ac41410d0cff8c7b8849d86a6df51b79354e132e9552d313e9d0ef83b8769320a5f8ff5b7be96c9ab3a9feed53e64d111dada15b31c6e377e0881e3

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY41b:hDXWipuE+K3/SSHgxmM

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 6 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (6 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\471f65487a818945830a75387a9e8d12_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\471f65487a818945830a75387a9e8d12_JaffaCakes118.exe"
    (process tree depth 1)
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:544
    • C:\Users\Admin\AppData\Local\Temp\DEM900B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM900B.exe"
      (process tree depth 2)
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4008
      • C:\Users\Admin\AppData\Local\Temp\DEME704.exe
        "C:\Users\Admin\AppData\Local\Temp\DEME704.exe"
        (process tree depth 3)
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1052
        • C:\Users\Admin\AppData\Local\Temp\DEM3D33.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM3D33.exe"
          (process tree depth 4)
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4696
          • C:\Users\Admin\AppData\Local\Temp\DEM93A0.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM93A0.exe"
            (process tree depth 5)
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2784
            • C:\Users\Admin\AppData\Local\Temp\DEMEA1D.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMEA1D.exe"
              (process tree depth 6)
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:3848
              • C:\Users\Admin\AppData\Local\Temp\DEM403B.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM403B.exe"
                (process tree depth 7)
                • Executes dropped EXE
                PID:4920

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM3D33.exe

    Filesize

    14KB

    MD5

    04937e08bf9999e710df7fd13dda3454

    SHA1

    bc1020542c54b3b056f2d82b51470168afb06be8

    SHA256

    53264710b67ffc23dc70b549ac20a3cba3ef8e668014a89e60279aac132fb554

    SHA512

    798d3615cae618d06c33c569100898ed0a092e40ce506d5c94f2aa2467fc245ecd640a75caed263a759ab4f3ddf8ee472a0e924f22289e85844fba408ae03360

  • C:\Users\Admin\AppData\Local\Temp\DEM403B.exe

    Filesize

    14KB

    MD5

    77b33485a7b8065079381f753f4d229c

    SHA1

    038652391111b37e25b695b85887f233615ddc8e

    SHA256

    5cc0dc46cae2908bd0568210428beef6b734998061fcb806bff6210fb6014887

    SHA512

    56ff8c95a225541412d0c3c15dc3ae745d51e4ecf1d075b3f0028375947676bc539be1b4c231ef1f5d05596193d1e9e79bd8b571a3691911012b0386a34a2ba4

  • C:\Users\Admin\AppData\Local\Temp\DEM900B.exe

    Filesize

    14KB

    MD5

    f431de407abe581c3e2462a58302db5a

    SHA1

    80728f50e47157343bd51a1983b7b0950bf3eea5

    SHA256

    948c0c64521a94e1fb9cf721ed1a30583762e7b72797a53ef49a87bbe52c94ca

    SHA512

    4f833c25ca9c1a3a7c56d5e3c7629f3649f309b9921f4180911c14cacd1455ae1fc983621aed3d62bf457bd3cc89478fa3d9151d4c3674674451f13c4a94e852

  • C:\Users\Admin\AppData\Local\Temp\DEM93A0.exe

    Filesize

    14KB

    MD5

    255d388d13f2d65595e12b277dba254d

    SHA1

    74104a3f8f32a8ff42eaed1c662906dec1b47714

    SHA256

    69fe3069dd254267ddbf33a7b6fa5c9d6d1cbfc6f98486fb162f0801dc72780d

    SHA512

    c9a138794f086ee077195f29391b9dd73c893e45559cfac15554180f2e6c020aa05b2c2bb17723d501854f425bc9f52114baa55f1e8a7bd229fd15d24c7d49e3

  • C:\Users\Admin\AppData\Local\Temp\DEME704.exe

    Filesize

    14KB

    MD5

    1cb1d1a3f61c9a0c64f4ec218d356615

    SHA1

    b567c62c6687ecc4d1e10ded1b9aa1c8b4c18adf

    SHA256

    d1dabd78484b44ad5a518b022645ed87fda7951d7bcdf508722e900a943643ef

    SHA512

    4602cfca7266cef76fd6e4e816cd79fa14091f2e592c4404eac3df7567424da5dccb6fd7b24f19891ad991c787c70040cd85c5544d3c979dcfe509b399460148

  • C:\Users\Admin\AppData\Local\Temp\DEMEA1D.exe

    Filesize

    14KB

    MD5

    eed79a28ae474bfbd31cbde649221cff

    SHA1

    95caa78460ba35eed61a167965b5868903ed9038

    SHA256

    fcf53db5c76f9d91408de4b9e53acde535f51d81cae938dc0a4260a9e1ecc577

    SHA512

    557e4feab126d291ca9ac19706873ba48317e662e2c4d7e81050cdd853a179fc65a9f0ad1fee21da8beda9fe458861b749d5e05e03a6d40f2aa2b229fbd6c319