Analysis

  • max time kernel
    131s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/08/2024, 06:42

General

  • Target

    8525ae55508a05a66bd491339c654110_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    8525ae55508a05a66bd491339c654110

  • SHA1

    93c1cdeb4e5994bf78d5a250c447e0dbe01b7cf7

  • SHA256

    5f26590dc3d7a7896d2945a7d2e0f817f32aefe858412474470a9c2c0eb60501

  • SHA512

    742e5033c0c2730f8766e07cd9238ae0dbee9006a54a40118c70939bb9cc872d7211f0459894b944ea858f9da481107f577e6d39e7f2ef02541cc096a1bf2d96

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhvu:hDXWipuE+K3/SSHgxlu

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8525ae55508a05a66bd491339c654110_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8525ae55508a05a66bd491339c654110_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Users\Admin\AppData\Local\Temp\DEMB490.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB490.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Users\Admin\AppData\Local\Temp\DEM9C1.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM9C1.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2864
        • C:\Users\Admin\AppData\Local\Temp\DEM5F9D.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM5F9D.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2672
          • C:\Users\Admin\AppData\Local\Temp\DEMB4ED.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMB4ED.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1912
            • C:\Users\Admin\AppData\Local\Temp\DEM9F0.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM9F0.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2068
              • C:\Users\Admin\AppData\Local\Temp\DEM5FEB.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM5FEB.exe"
                7⤵
                • Executes dropped EXE
                PID:536

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM9C1.exe

    Filesize

    14KB

    MD5

    6977afdf4eba5c82c05c7b7aed5e91a9

    SHA1

    2a3c136694c94797b0d3dd14a79f535b646acd19

    SHA256

    5a4c5642d2cd92e50ee889602d5638d731259ab84aee11cc595783f2f3e4fd95

    SHA512

    ec589dd67d2bc7582f2c43d977a96518219f89a6e8d271aa1cca59e1fcd5f898915fbf0eee76f55b6c5f130bcb8a2b4ab57293a6ea3416694e1ae9df2c58e02f

  • \Users\Admin\AppData\Local\Temp\DEM5F9D.exe

    Filesize

    14KB

    MD5

    d972acfd3761da13b0fe7c7e12bf0a4e

    SHA1

    1221bdbbf23b6deecf039a983180ab0f0b6b9f2b

    SHA256

    d02884bc7ecc0f4c305ab91bccf91cfbd4fbb32b1c6a0487efcb546994cf3bb1

    SHA512

    1a9080d8879605af433d089f27cefb9fff4243a872119cf0a53ed49a436fe1b23cb094646eae52bec38c3fa1f70ba074c362f8f6e065014adaadbfde6bbdeb62

  • \Users\Admin\AppData\Local\Temp\DEM5FEB.exe

    Filesize

    14KB

    MD5

    810fe41149de3616faac74540ccfe7c3

    SHA1

    d665744707c85bebf8f49c0103811ad6c5718bc7

    SHA256

    befd7ff4b18194e4fb793a881f50499b6f23adf1c3b7c3526bcca86d5afffe27

    SHA512

    fcc2c1d6b3e2ac15637b298ab6377eab3997ba446b4a796a31d037d2968e50634213d01fb0c87700cfc34e751a345c9fb9ae14caf8caa2e2f07b5a1bd970cc48

  • \Users\Admin\AppData\Local\Temp\DEM9F0.exe

    Filesize

    14KB

    MD5

    7b9c65063e5f464d9e031c9352aa3596

    SHA1

    703812403e1d6c5db9e0ad7e52a260d8ad0d5a90

    SHA256

    58e35e195cfa77ab43bdb1e878a76aee846698292b2b9f7094df87dc790ce830

    SHA512

    0387b6a7c1b9158c39f52a6defdb62d00d38cdb78870d39a1a7273a8aba63d13b04fdd920f3ae44fa729b1f27d13da3cd811b9740655e926d787847690ef44af

  • \Users\Admin\AppData\Local\Temp\DEMB490.exe

    Filesize

    14KB

    MD5

    289c9fe68da39190b75d473b2cc4e3c7

    SHA1

    b0e62a79f7d887575649574cf40d9401d72d4b1f

    SHA256

    092d7c56beb214fb5c22d69a65c3ba42966bd37e03ffeec854e0c08319818414

    SHA512

    caeaa2a53101b56bfbd7012b0b1b63e972e468c1431d8d1ef1f429c34a5805252893b4083bf1a41d8f3d60d3e5afe4fecfcfa5344c19f59510f8ba957aaee7f2

  • \Users\Admin\AppData\Local\Temp\DEMB4ED.exe

    Filesize

    14KB

    MD5

    482c86808a1999dc45ea0c0be41cd7c9

    SHA1

    e7d463f1a19a8ca62bfd6f720e4b19cb9b6a6a0c

    SHA256

    1773a58e526e0066022226f36f1b2b6c36832b2cc8f1439537b78b8272c0b102

    SHA512

    96588540e70d4bda5eb25b7d194002e97d37f5bc905b6989fb9239a9f456a9e500e1b71271145f3af017d29aaadd600719d969652ade0c479bdfc2024306f5f0