Analysis

  • max time kernel
    131s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/07/2024, 12:35

General

  • Target

    7414195f40555e41659f46399e6368e1_JaffaCakes118.exe

  • Size

    15KB

  • MD5

    7414195f40555e41659f46399e6368e1

  • SHA1

    519ba935c1d454ba4e75804d507ad10f48408a8d

  • SHA256

    9ead0f018f36b74089aeb744169e5f2bc04e522fcc005e291bedf3c57f48cb66

  • SHA512

    df38f01dc61a1099a9f2d7952059375a764b1704dba16d1334c24cf6479d1e2c4f581c41b556c84c665613afe22127e63e74bf566cf7dc8edb21eda369625134

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYKB2HE:hDXWipuE+K3/SSHgxmKEk

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7414195f40555e41659f46399e6368e1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7414195f40555e41659f46399e6368e1_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Users\Admin\AppData\Local\Temp\DEMDD06.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDD06.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2096
      • C:\Users\Admin\AppData\Local\Temp\DEM32F2.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM32F2.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\Users\Admin\AppData\Local\Temp\DEM8833.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM8833.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2984
          • C:\Users\Admin\AppData\Local\Temp\DEMDD83.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMDD83.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1884
            • C:\Users\Admin\AppData\Local\Temp\DEM3302.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM3302.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2472
              • C:\Users\Admin\AppData\Local\Temp\DEM8871.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM8871.exe"
                7⤵
                • Executes dropped EXE
                PID:2180

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM32F2.exe

    Filesize

    15KB

    MD5

    e82bd3dca4e19f18d79234cfad34846e

    SHA1

    5f9d606bd33d7a47c4d46ab549203aaca17b019a

    SHA256

    4ae978cc073383a3a6b246d82c705618f52699954b7b64c0cbbbd0b59bf14efe

    SHA512

    aea3720995b986d6bc3737bfe10719489205ae9b5fadae5e49761b4af9f34ac0ceddabbe430127191868043957c9eadc4a882e3966c94b289f2d3cb5a75fcbb4

  • C:\Users\Admin\AppData\Local\Temp\DEM8871.exe

    Filesize

    15KB

    MD5

    654fb3788f8ae88c2d35cc24e269a075

    SHA1

    d679aac889b52f69101601b656a09d21f3be059d

    SHA256

    15e76dc5f259894869fea28c4eedc08ad94a330b0ef401a7e74138ff330f0e1c

    SHA512

    294b0975dafa398b90a9277c930d2c147c73245f29c4e83720011ee95fbf2275d5a202dfac4c6240bb8da0c48d9bf333383b1800a6c0a01d189ec1d99e95ddbe

  • \Users\Admin\AppData\Local\Temp\DEM3302.exe

    Filesize

    15KB

    MD5

    69bfe0e87c4b237548553e586a68561f

    SHA1

    cda3cf990ed8707ae4be83502cb3202b03c1f618

    SHA256

    d201c410b0f0a7f5d97b0c524bf07e3749249fb74390586a62ad1f56c06b7ac8

    SHA512

    b8ad13edc08c158702f8a63b8596baf72d5f163c7071f061db606844989b9a6627989b38b92d20c46d9d2526f0f3934e63f2f96a9e5973dde9e59a307639a107

  • \Users\Admin\AppData\Local\Temp\DEM8833.exe

    Filesize

    15KB

    MD5

    6644d883f51e08cce53a9496b3ecab17

    SHA1

    98ad3dfbff895bb07b2c93248c5fe15e0277399b

    SHA256

    3fb7a89f0adf542b43653fb1c81949afe8e5f67b93a6c20135a91acdf200350a

    SHA512

    b1247eeb7a202c8cc5023e12050fef5081d282e0c5060a253ee491ce92c9a07f96f597924fe1e61d41efe2b6ecca2a78864f263e4d74c9df07277dcda500554a

  • \Users\Admin\AppData\Local\Temp\DEMDD06.exe

    Filesize

    15KB

    MD5

    d1067510e261d9cec919d660bc53de0c

    SHA1

    856f6cd532aeeb8bf0526db33016d08e96065fa5

    SHA256

    1823cd2512630d85475d9fa02014eab04ac906f20903b123c20a94e762f6ead6

    SHA512

    84a301e9c79267014b078f4e0dcace87932059528a2586f3ea91175ac18bf075c5866e617294619572ed9013583f41dd720b75773282fa94a3c22b10843cc4e3

  • \Users\Admin\AppData\Local\Temp\DEMDD83.exe

    Filesize

    15KB

    MD5

    5b5a7e8a60c7540292f3b042604bbe5c

    SHA1

    5c2726daccc070407d752a79958fe6bcaa0e5993

    SHA256

    f5e4c82d79248a401a4935c444e34e7321bbcec719f514144c4f7badde1786fa

    SHA512

    34f1a0e1571dfb4ad2e9266421b8e63fb68bc26cb0236a313f8e883b3d25a765adadde1600b4b264bef0dd237c0814948f5f9b70cd0b8547671ff53b7dca63d8