Analysis
- max time kernel: 131s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 29/08/2024, 04:17
Static task: static1
Behavioral task: behavioral1
- Sample: c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe
- Size: 15KB
- MD5: c8367169b75166b43f8cdc9464ada72e
- SHA1: a90d22340bc0147537003f4776991964920b6ff8
- SHA256: 1730317f3ddf55d364e16a17c635cd42bdc8bb4187a550a4c0ecdf59ee1c51a9
- SHA512: e4a7af837fe793af3d2e2c89bcf8708ee92dd41946ea9cb2cb97b1e2cb69f9b789f0370d07128fc046ae3f6d9c33475c7fc15a6ef8d670edb48c146f9e0c120e
- SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv5JB:hDXWipuE+K3/SSHgxl5L
Malware Config
Signatures
- Executes dropped EXE (6 IoCs)
  pid   Process
  2760  DEM78F7.exe
  2196  DEMCE57.exe
  480   DEM2368.exe
  1632  DEM78F8.exe
  1924  DEMCE37.exe
  2192  DEM2378.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  2092  c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe
  2760  DEM78F7.exe
  2196  DEMCE57.exe
  480   DEM2368.exe
  1632  DEM78F8.exe
  1924  DEMCE37.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM2368.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM78F8.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMCE37.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM78F7.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMCE57.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  description                       pid   Process                                              procid_target
  PID 2092 wrote to memory of 2760  2092  c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe  32
  PID 2092 wrote to memory of 2760  2092  c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe  32
  PID 2092 wrote to memory of 2760  2092  c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe  32
  PID 2092 wrote to memory of 2760  2092  c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe  32
  PID 2760 wrote to memory of 2196  2760  DEM78F7.exe                                          34
  PID 2760 wrote to memory of 2196  2760  DEM78F7.exe                                          34
  PID 2760 wrote to memory of 2196  2760  DEM78F7.exe                                          34
  PID 2760 wrote to memory of 2196  2760  DEM78F7.exe                                          34
  PID 2196 wrote to memory of 480   2196  DEMCE57.exe                                          36
  PID 2196 wrote to memory of 480   2196  DEMCE57.exe                                          36
  PID 2196 wrote to memory of 480   2196  DEMCE57.exe                                          36
  PID 2196 wrote to memory of 480   2196  DEMCE57.exe                                          36
  PID 480 wrote to memory of 1632   480   DEM2368.exe                                          38
  PID 480 wrote to memory of 1632   480   DEM2368.exe                                          38
  PID 480 wrote to memory of 1632   480   DEM2368.exe                                          38
  PID 480 wrote to memory of 1632   480   DEM2368.exe                                          38
  PID 1632 wrote to memory of 1924  1632  DEM78F8.exe                                          40
  PID 1632 wrote to memory of 1924  1632  DEM78F8.exe                                          40
  PID 1632 wrote to memory of 1924  1632  DEM78F8.exe                                          40
  PID 1632 wrote to memory of 1924  1632  DEM78F8.exe                                          40
  PID 1924 wrote to memory of 2192  1924  DEMCE37.exe                                          42
  PID 1924 wrote to memory of 2192  1924  DEMCE37.exe                                          42
  PID 1924 wrote to memory of 2192  1924  DEMCE37.exe                                          42
  PID 1924 wrote to memory of 2192  1924  DEMCE37.exe                                          42
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe (PID 2092)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\DEM78F7.exe (PID 2760)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DEM78F7.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\DEMCE57.exe (PID 2196)
      Command line: "C:\Users\Admin\AppData\Local\Temp\DEMCE57.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\DEM2368.exe (PID 480)
        Command line: "C:\Users\Admin\AppData\Local\Temp\DEM2368.exe"
        Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Local\Temp\DEM78F8.exe (PID 1632)
          Command line: "C:\Users\Admin\AppData\Local\Temp\DEM78F8.exe"
          Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - [6] C:\Users\Admin\AppData\Local\Temp\DEMCE37.exe (PID 1924)
            Command line: "C:\Users\Admin\AppData\Local\Temp\DEMCE37.exe"
            Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - [7] C:\Users\Admin\AppData\Local\Temp\DEM2378.exe (PID 2192)
              Command line: "C:\Users\Admin\AppData\Local\Temp\DEM2378.exe"
              Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads