Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 131s
max time network: 144s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 26/07/2024, 12:35
Static task: static1
Behavioral task: behavioral1
Sample: 7414195f40555e41659f46399e6368e1_JaffaCakes118.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: 7414195f40555e41659f46399e6368e1_JaffaCakes118.exe
Resource: win10v2004-20240709-en
General
Target: 7414195f40555e41659f46399e6368e1_JaffaCakes118.exe
Size: 15KB
MD5: 7414195f40555e41659f46399e6368e1
SHA1: 519ba935c1d454ba4e75804d507ad10f48408a8d
SHA256: 9ead0f018f36b74089aeb744169e5f2bc04e522fcc005e291bedf3c57f48cb66
SHA512: df38f01dc61a1099a9f2d7952059375a764b1704dba16d1334c24cf6479d1e2c4f581c41b556c84c665613afe22127e63e74bf566cf7dc8edb21eda369625134
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYKB2HE:hDXWipuE+K3/SSHgxmKEk
Malware Config
Signatures

Executes dropped EXE 6 IoCs
pid   Process
2096  DEMDD06.exe
2584  DEM32F2.exe
2984  DEM8833.exe
1884  DEMDD83.exe
2472  DEM3302.exe
2180  DEM8871.exe

Loads dropped DLL 6 IoCs
pid   Process
2272  7414195f40555e41659f46399e6368e1_JaffaCakes118.exe
2096  DEMDD06.exe
2584  DEM32F2.exe
2984  DEM8833.exe
1884  DEMDD83.exe
2472  DEM3302.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7414195f40555e41659f46399e6368e1_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMDD06.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM32F2.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM8833.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMDD83.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM3302.exe

Suspicious use of WriteProcessMemory 24 IoCs
description                          pid   Process                                              procid_target
PID 2272 wrote to memory of 2096     2272  7414195f40555e41659f46399e6368e1_JaffaCakes118.exe  32
PID 2272 wrote to memory of 2096     2272  7414195f40555e41659f46399e6368e1_JaffaCakes118.exe  32
PID 2272 wrote to memory of 2096     2272  7414195f40555e41659f46399e6368e1_JaffaCakes118.exe  32
PID 2272 wrote to memory of 2096     2272  7414195f40555e41659f46399e6368e1_JaffaCakes118.exe  32
PID 2096 wrote to memory of 2584     2096  DEMDD06.exe                                          34
PID 2096 wrote to memory of 2584     2096  DEMDD06.exe                                          34
PID 2096 wrote to memory of 2584     2096  DEMDD06.exe                                          34
PID 2096 wrote to memory of 2584     2096  DEMDD06.exe                                          34
PID 2584 wrote to memory of 2984     2584  DEM32F2.exe                                          36
PID 2584 wrote to memory of 2984     2584  DEM32F2.exe                                          36
PID 2584 wrote to memory of 2984     2584  DEM32F2.exe                                          36
PID 2584 wrote to memory of 2984     2584  DEM32F2.exe                                          36
PID 2984 wrote to memory of 1884     2984  DEM8833.exe                                          38
PID 2984 wrote to memory of 1884     2984  DEM8833.exe                                          38
PID 2984 wrote to memory of 1884     2984  DEM8833.exe                                          38
PID 2984 wrote to memory of 1884     2984  DEM8833.exe                                          38
PID 1884 wrote to memory of 2472     1884  DEMDD83.exe                                          40
PID 1884 wrote to memory of 2472     1884  DEMDD83.exe                                          40
PID 1884 wrote to memory of 2472     1884  DEMDD83.exe                                          40
PID 1884 wrote to memory of 2472     1884  DEMDD83.exe                                          40
PID 2472 wrote to memory of 2180     2472  DEM3302.exe                                          42
PID 2472 wrote to memory of 2180     2472  DEM3302.exe                                          42
PID 2472 wrote to memory of 2180     2472  DEM3302.exe                                          42
PID 2472 wrote to memory of 2180     2472  DEM3302.exe                                          42
Processes (process tree; the leading number is the depth in the chain)

1. C:\Users\Admin\AppData\Local\Temp\7414195f40555e41659f46399e6368e1_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7414195f40555e41659f46399e6368e1_JaffaCakes118.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2272

2. C:\Users\Admin\AppData\Local\Temp\DEMDD06.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\DEMDD06.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2096

3. C:\Users\Admin\AppData\Local\Temp\DEM32F2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\DEM32F2.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2584

4. C:\Users\Admin\AppData\Local\Temp\DEM8833.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\DEM8833.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2984

5. C:\Users\Admin\AppData\Local\Temp\DEMDD83.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\DEMDD83.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1884

6. C:\Users\Admin\AppData\Local\Temp\DEM3302.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\DEM3302.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2472

7. C:\Users\Admin\AppData\Local\Temp\DEM8871.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\DEM8871.exe"
   - Executes dropped EXE
   PID: 2180
Network
MITRE ATT&CK Enterprise v15
Downloads