Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    131s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    25/07/2024, 10:04

General

  • Target

    6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    6f2144faca22863ea5b92ebc6af77e14

  • SHA1

    cbc04bfec881f63ca60ede00ad12e87d1dd27a96

  • SHA256

    c5dd06bd644b18281fb1a83de17a7271cacc509aefb23c22604d54b8336a106d

  • SHA512

    850f03d135ece20c49d253cce90a7cd582877b4545380df41f0e3c28865964c2b839796f6daa52a5e7085797b86c89fc15bec6d02e88b61a7efbdc127104faa1

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0m:hDXWipuE+K3/SSHgx9

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2752
    • C:\Users\Admin\AppData\Local\Temp\DEM739A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM739A.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\Users\Admin\AppData\Local\Temp\DEMC909.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMC909.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:576
        • C:\Users\Admin\AppData\Local\Temp\DEM1E3A.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM1E3A.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3028
          • C:\Users\Admin\AppData\Local\Temp\DEM736B.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM736B.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2392
            • C:\Users\Admin\AppData\Local\Temp\DEMC89C.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMC89C.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2220
              • C:\Users\Admin\AppData\Local\Temp\DEM1DFC.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM1DFC.exe"
                7⤵
                • Executes dropped EXE
                PID:2016

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM739A.exe

    Filesize

    14KB

    MD5

    944c3e7e2946e7c9407f278901086da0

    SHA1

    29a0847bfee07ef016ca888b0c77a2244ffa3267

    SHA256

    3b186206e00d9afe076498b0b3aa7e2d442c91a70fae20dc316a89077f027fa5

    SHA512

    e13c3026825f05c06f3c76cb6ed5f9b1b4333f92444c9d94372bf8381248d9d4a1289b5670455c7754c6e45bc85e92c22422af13aa9523ce0e620979bd87e634

  • C:\Users\Admin\AppData\Local\Temp\DEMC909.exe

    Filesize

    14KB

    MD5

    8e1ebc5d4b392c2561b84e764fd3cef8

    SHA1

    d41657dfa53856def5dc612e7912c04a67ddca7d

    SHA256

    ac10da42ae27b9fe38af10d1c9a25db37140e910ecd980a148a2c5ba434a6156

    SHA512

    3cceff694a6a09b10dd070488585b3a96b729c50d90d30ab96fa7ef61261145b3f11e14b4424fb2ff06351cc79d5f254d8740a37e9f3c0b5d4147fe9b627c275

  • \Users\Admin\AppData\Local\Temp\DEM1DFC.exe

    Filesize

    14KB

    MD5

    76817db38cd6af980b8d0ae868f15f9e

    SHA1

    6848cedcce6157a1da4e6241f80e1088f5ce579b

    SHA256

    065256ec1514ecf7e32d4380c1a71b8045f58882bc5e2b8c394b9988f07c5d4c

    SHA512

    81383371e3dee986a6495fe66c4cd35b9b32dede6435aa0a04a53cc3e92243584fda5c2011cc29254bc18073743cddbe6ed7eb47d88f11ad8e6531267f414516

  • \Users\Admin\AppData\Local\Temp\DEM1E3A.exe

    Filesize

    14KB

    MD5

    68711a0776ed107377eea25800c1ff95

    SHA1

    711f4b375715947e15f38433a2abaae2c60f5e21

    SHA256

    9dfd60ac34cc4a1c08a804602afcd70275f05e68d3a96ae0261a782dc38b5e5e

    SHA512

    13b9b08479eab0d451a573c80484bff61fd4d13f4b54bfb7e91e7d2283bd07a64229d848ed34abb75347d6f07c5120d311e23f72d47d59cd17c8b1f64670fd5b

  • \Users\Admin\AppData\Local\Temp\DEM736B.exe

    Filesize

    14KB

    MD5

    2430a5742d11cc13fa6b078cd80458a0

    SHA1

    03a34ada4275da9036412eed69259db56d413eb8

    SHA256

    6baa634252a3d0b536974a0c70884c77e611cae9ca3779ac531ac640f305fcf5

    SHA512

    39f90f3289647a7cfc1433c3481f8484befdc1d4c1836b8e5925a745b69e643bc600b0cd4795898dade98730f2ee6918c8b6e9262fdc9b0e8eb53b0c6320ddcc

  • \Users\Admin\AppData\Local\Temp\DEMC89C.exe

    Filesize

    14KB

    MD5

    0af0cbbb10c0b4323e085b11defc2b79

    SHA1

    e5c49c55cad4a66379977e9ba1c8dcc3e82d19bf

    SHA256

    5154de62eb2df0251571094a5f21e01e92a9e826e1d8f1665862feef76c1d7a8

    SHA512

    c0ced697771b01e39dde0e158826cd548d0625d825ef309d45bbba3ee854ffbeb51f4c632299799d3b5f4514e43794e0d9b6b106a4bf5cb469bafab9e5a31128