Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel: 131s
  • max time network: 140s
  • platform: windows7_x64
  • resource: win7-20240704-en
  • resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted: 29/08/2024, 04:17

General

  • Target: c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe
  • Size: 15KB
  • MD5: c8367169b75166b43f8cdc9464ada72e
  • SHA1: a90d22340bc0147537003f4776991964920b6ff8
  • SHA256: 1730317f3ddf55d364e16a17c635cd42bdc8bb4187a550a4c0ecdf59ee1c51a9
  • SHA512: e4a7af837fe793af3d2e2c89bcf8708ee92dd41946ea9cb2cb97b1e2cb69f9b789f0370d07128fc046ae3f6d9c33475c7fc15a6ef8d670edb48c146f9e0c120e
  • SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv5JB:hDXWipuE+K3/SSHgxl5L

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c8367169b75166b43f8cdc9464ada72e_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Users\Admin\AppData\Local\Temp\DEM78F7.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM78F7.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Users\Admin\AppData\Local\Temp\DEMCE57.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMCE57.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2196
        • C:\Users\Admin\AppData\Local\Temp\DEM2368.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM2368.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:480
          • C:\Users\Admin\AppData\Local\Temp\DEM78F8.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM78F8.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1632
            • C:\Users\Admin\AppData\Local\Temp\DEMCE37.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMCE37.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1924
              • C:\Users\Admin\AppData\Local\Temp\DEM2378.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM2378.exe"
                7⤵
                • Executes dropped EXE
                PID:2192

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM2378.exe
    Filesize: 15KB
    MD5: 8f84babb936a2a834938eae17c555560
    SHA1: 85d42e62711ef02e71639a4e7aeb01beb8d0cec5
    SHA256: b264f571b30d9aef4ab013ce40b934e78a2c75027bf36181e4c1fa4119481c32
    SHA512: 86cdc18327010b6e17ceaa882d8e048637a63923f78eb81e63f0e28da4d7e655243e5aacaf47a3322e4ef67ae81ac764bc266b2ea60d16139f20cdc2890ae3fb

  • C:\Users\Admin\AppData\Local\Temp\DEMCE57.exe
    Filesize: 15KB
    MD5: d38a3db5d3cb7fc8e0596f82abc78826
    SHA1: 3127cc270ceef40e76ad1ab1d445b3cc46bcc19e
    SHA256: f5b40e1310bb01e16d65638962d370fabf2abb78f5fe559e275861c574970963
    SHA512: 82a8d0f0cfa5a9b80e8302a086150c3a3851a61092725d32279dffda9bb08c5de29603c270d51f0ea48bd867bff5ca8b90a73ad173e2e2a85d5e4a4ba8ddc8f2

  • \Users\Admin\AppData\Local\Temp\DEM2368.exe
    Filesize: 15KB
    MD5: ed0af5bc68b33292ebac30b1dc305669
    SHA1: 5ce4794751fab8f5d9ab3a49f8fb1941498b6a44
    SHA256: 8eac139e6f5c326e6bd8a94438cbe34cf7b2f9733fa2b019f9bc4e424271916c
    SHA512: 31fb04bc7ec2b2f9a148ac4d11e62111292d21a3116c44ed7ba68c2c186b1a5f6a478e6d7b70480020df105217e53d9636fcd4d8c2cdab61c46abdb03d65ef7e

  • \Users\Admin\AppData\Local\Temp\DEM78F7.exe
    Filesize: 15KB
    MD5: 6466566809ed0308be297e7ce22b1223
    SHA1: b4fcecef285c96303365ec39974ad877e1904567
    SHA256: 2929540780499669c39dc1a920e3ad31cc4076d7de7a63df025569326edd753a
    SHA512: 16c4ecbc940a6210440cf9736c46e3175d1c6828e917daae7cad289c7b5da34023d8080190d45a0b75c7d582c7502f09bdbbf97d6fc1d7886e2eaf4d4370a35d

  • \Users\Admin\AppData\Local\Temp\DEM78F8.exe
    Filesize: 15KB
    MD5: 45f2a1e7e4514b28c3fa427ae46fe426
    SHA1: 2b8b7cd5500e6d1cb16d6450383842b254d7715b
    SHA256: ac3927a274eeb62937221b2b70e832f3941c56e0a3ccab82d96df99df027fffb
    SHA512: 6af7ebb15485a87b6580ed8f5a07194c7c6a53ff49fab55accd00e10232f8640ff411d5fd60309cff036db8115e2b5be01041812d8259f73048c3789c17b6355

  • \Users\Admin\AppData\Local\Temp\DEMCE37.exe
    Filesize: 15KB
    MD5: 4216c35dcb975d3f9a20f3cfbeded49e
    SHA1: 826ec06a893ef49b5c7cc2d8ab25d8fcfc812ce0
    SHA256: c5e939d1fc26525539b886ebce0bcbccef6db5deee7159404f6e3c257af89eac
    SHA512: cf52c2efe87c4255f71368804abe19d836dbda6ce35d99e2bbe23648a31b473148eb4ab39c656538347593f935dbfe1f6d4f2d3881fa84032e4dab954c8596e7