Analysis
max time kernel: 131s
max time network: 143s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 25/07/2024, 10:04
Static task: static1
Behavioral task: behavioral1
  Sample: 6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe
Size: 14KB
MD5: 6f2144faca22863ea5b92ebc6af77e14
SHA1: cbc04bfec881f63ca60ede00ad12e87d1dd27a96
SHA256: c5dd06bd644b18281fb1a83de17a7271cacc509aefb23c22604d54b8336a106d
SHA512: 850f03d135ece20c49d253cce90a7cd582877b4545380df41f0e3c28865964c2b839796f6daa52a5e7085797b86c89fc15bec6d02e88b61a7efbdc127104faa1
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0m:hDXWipuE+K3/SSHgx9
Malware Config
Signatures
Executes dropped EXE (6 IoCs)
  pid   Process
  2896  DEM739A.exe
  576   DEMC909.exe
  3028  DEM1E3A.exe
  2392  DEM736B.exe
  2220  DEMC89C.exe
  2016  DEM1DFC.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  2752  6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe
  2896  DEM739A.exe
  576   DEMC909.exe
  3028  DEM1E3A.exe
  2392  DEM736B.exe
  2220  DEMC89C.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM739A.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMC909.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM1E3A.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM736B.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMC89C.exe

Suspicious use of WriteProcessMemory (24 IoCs)
  description                        pid   Process                                             procid_target
  PID 2752 wrote to memory of 2896   2752  6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe  31
  PID 2752 wrote to memory of 2896   2752  6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe  31
  PID 2752 wrote to memory of 2896   2752  6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe  31
  PID 2752 wrote to memory of 2896   2752  6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe  31
  PID 2896 wrote to memory of 576    2896  DEM739A.exe                                         34
  PID 2896 wrote to memory of 576    2896  DEM739A.exe                                         34
  PID 2896 wrote to memory of 576    2896  DEM739A.exe                                         34
  PID 2896 wrote to memory of 576    2896  DEM739A.exe                                         34
  PID 576 wrote to memory of 3028    576   DEMC909.exe                                         36
  PID 576 wrote to memory of 3028    576   DEMC909.exe                                         36
  PID 576 wrote to memory of 3028    576   DEMC909.exe                                         36
  PID 576 wrote to memory of 3028    576   DEMC909.exe                                         36
  PID 3028 wrote to memory of 2392   3028  DEM1E3A.exe                                         38
  PID 3028 wrote to memory of 2392   3028  DEM1E3A.exe                                         38
  PID 3028 wrote to memory of 2392   3028  DEM1E3A.exe                                         38
  PID 3028 wrote to memory of 2392   3028  DEM1E3A.exe                                         38
  PID 2392 wrote to memory of 2220   2392  DEM736B.exe                                         40
  PID 2392 wrote to memory of 2220   2392  DEM736B.exe                                         40
  PID 2392 wrote to memory of 2220   2392  DEM736B.exe                                         40
  PID 2392 wrote to memory of 2220   2392  DEM736B.exe                                         40
  PID 2220 wrote to memory of 2016   2220  DEMC89C.exe                                         42
  PID 2220 wrote to memory of 2016   2220  DEMC89C.exe                                         42
  PID 2220 wrote to memory of 2016   2220  DEMC89C.exe                                         42
  PID 2220 wrote to memory of 2016   2220  DEMC89C.exe                                         42
Processes (process tree, each entry is a child of the one above it)

Level 1: C:\Users\Admin\AppData\Local\Temp\6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe"
  PID: 2752
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\DEM739A.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DEM739A.exe"
    PID: 2896
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\DEMC909.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DEMC909.exe"
      PID: 576
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Users\Admin\AppData\Local\Temp\DEM1E3A.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\DEM1E3A.exe"
        PID: 3028
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Users\Admin\AppData\Local\Temp\DEM736B.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\DEM736B.exe"
          PID: 2392
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          Level 6: C:\Users\Admin\AppData\Local\Temp\DEMC89C.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\DEMC89C.exe"
            PID: 2220
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            Level 7: C:\Users\Admin\AppData\Local\Temp\DEM1DFC.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\DEM1DFC.exe"
              PID: 2016
              - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads