Analysis
- max time kernel: 131s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 10/08/2024, 06:42
Static task
- static1
Behavioral task
- behavioral1
  Sample: 8525ae55508a05a66bd491339c654110_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task
- behavioral2
  Sample: 8525ae55508a05a66bd491339c654110_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: 8525ae55508a05a66bd491339c654110_JaffaCakes118.exe
- Size: 14KB
- MD5: 8525ae55508a05a66bd491339c654110
- SHA1: 93c1cdeb4e5994bf78d5a250c447e0dbe01b7cf7
- SHA256: 5f26590dc3d7a7896d2945a7d2e0f817f32aefe858412474470a9c2c0eb60501
- SHA512: 742e5033c0c2730f8766e07cd9238ae0dbee9006a54a40118c70939bb9cc872d7211f0459894b944ea858f9da481107f577e6d39e7f2ef02541cc096a1bf2d96
- SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhvu:hDXWipuE+K3/SSHgxlu
Malware Config
Signatures
- Executes dropped EXE (6 IoCs)
  pid   Process
  2856  DEMB490.exe
  2864  DEM9C1.exe
  2672  DEM5F9D.exe
  1912  DEMB4ED.exe
  2068  DEM9F0.exe
  536   DEM5FEB.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  2316  8525ae55508a05a66bd491339c654110_JaffaCakes118.exe
  2856  DEMB490.exe
  2864  DEM9C1.exe
  2672  DEM5F9D.exe
  1912  DEMB4ED.exe
  2068  DEM9F0.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM5F9D.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMB4ED.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM9F0.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8525ae55508a05a66bd491339c654110_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMB490.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM9C1.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  description                       pid   Process                                              procid_target
  PID 2316 wrote to memory of 2856  2316  8525ae55508a05a66bd491339c654110_JaffaCakes118.exe  32
  PID 2316 wrote to memory of 2856  2316  8525ae55508a05a66bd491339c654110_JaffaCakes118.exe  32
  PID 2316 wrote to memory of 2856  2316  8525ae55508a05a66bd491339c654110_JaffaCakes118.exe  32
  PID 2316 wrote to memory of 2856  2316  8525ae55508a05a66bd491339c654110_JaffaCakes118.exe  32
  PID 2856 wrote to memory of 2864  2856  DEMB490.exe                                          34
  PID 2856 wrote to memory of 2864  2856  DEMB490.exe                                          34
  PID 2856 wrote to memory of 2864  2856  DEMB490.exe                                          34
  PID 2856 wrote to memory of 2864  2856  DEMB490.exe                                          34
  PID 2864 wrote to memory of 2672  2864  DEM9C1.exe                                           36
  PID 2864 wrote to memory of 2672  2864  DEM9C1.exe                                           36
  PID 2864 wrote to memory of 2672  2864  DEM9C1.exe                                           36
  PID 2864 wrote to memory of 2672  2864  DEM9C1.exe                                           36
  PID 2672 wrote to memory of 1912  2672  DEM5F9D.exe                                          38
  PID 2672 wrote to memory of 1912  2672  DEM5F9D.exe                                          38
  PID 2672 wrote to memory of 1912  2672  DEM5F9D.exe                                          38
  PID 2672 wrote to memory of 1912  2672  DEM5F9D.exe                                          38
  PID 1912 wrote to memory of 2068  1912  DEMB4ED.exe                                          40
  PID 1912 wrote to memory of 2068  1912  DEMB4ED.exe                                          40
  PID 1912 wrote to memory of 2068  1912  DEMB4ED.exe                                          40
  PID 1912 wrote to memory of 2068  1912  DEMB4ED.exe                                          40
  PID 2068 wrote to memory of 536   2068  DEM9F0.exe                                           42
  PID 2068 wrote to memory of 536   2068  DEM9F0.exe                                           42
  PID 2068 wrote to memory of 536   2068  DEM9F0.exe                                           42
  PID 2068 wrote to memory of 536   2068  DEM9F0.exe                                           42
Processes
- 1: C:\Users\Admin\AppData\Local\Temp\8525ae55508a05a66bd491339c654110_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8525ae55508a05a66bd491339c654110_JaffaCakes118.exe"
  PID: 2316
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - 2: C:\Users\Admin\AppData\Local\Temp\DEMB490.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB490.exe"
    PID: 2856
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - 3: C:\Users\Admin\AppData\Local\Temp\DEM9C1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DEM9C1.exe"
      PID: 2864
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - 4: C:\Users\Admin\AppData\Local\Temp\DEM5F9D.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\DEM5F9D.exe"
        PID: 2672
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - 5: C:\Users\Admin\AppData\Local\Temp\DEMB4ED.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB4ED.exe"
          PID: 1912
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          - 6: C:\Users\Admin\AppData\Local\Temp\DEM9F0.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\DEM9F0.exe"
            PID: 2068
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            - 7: C:\Users\Admin\AppData\Local\Temp\DEM5FEB.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\DEM5FEB.exe"
              PID: 536
              - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads