Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    131s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30/09/2024, 15:23

General

  • Target

    020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe

  • Size

    13KB

  • MD5

    020a66f7c7ca9542d434b5e38874fb0d

  • SHA1

    d1e8b96e90f5cc0553517d839b7143e5b6292ebf

  • SHA256

    7cdc7c3b1150d794ad0c84fb14757b8662aa522f8896abbd910f9f0d27a305fe

  • SHA512

    8c409161640655ff9b278290a7f4627054a061d003618e6352d7fd22978adb2114e69240bc8dcaaed10de99689810675597b81bb65cfce0ce0a6bcb4ecd51e64

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh0:hDXWipuE+K3/SSHgx2

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Users\Admin\AppData\Local\Temp\DEM85C3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM85C3.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2324
      • C:\Users\Admin\AppData\Local\Temp\DEMDB42.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMDB42.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1712
        • C:\Users\Admin\AppData\Local\Temp\DEM310F.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM310F.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2212
          • C:\Users\Admin\AppData\Local\Temp\DEM868E.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM868E.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1580
            • C:\Users\Admin\AppData\Local\Temp\DEMDC3C.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMDC3C.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1956
              • C:\Users\Admin\AppData\Local\Temp\DEM3228.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM3228.exe"
                7⤵
                • Executes dropped EXE
                PID:1632

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM310F.exe

    Filesize

    14KB

    MD5

    3882cd4d472e00e9ed218107d43ba4e7

    SHA1

    52fedad6cd4183588f10f22b3aaf6df5b18f8379

    SHA256

    7753c7d1236136bf1f376799fe467c4be3c145f66a7b93fd48550fb1c1d48c51

    SHA512

    8b5903dd4d97c47f382e09272aa8bc3c02287291ce8c8385adcd37bf7481b24f581fbbd9addff55ca67321c36fb0dc7a02763ce3c7adf8837d740fa14dbf5515

  • C:\Users\Admin\AppData\Local\Temp\DEM3228.exe

    Filesize

    14KB

    MD5

    ee229477fa07ac503bacdba62f7c3172

    SHA1

    1cefb09e0376a7eac24fea1ccbbd24360198cea9

    SHA256

    44c88c8f8ba06511d249eaf9b5d03538ae4d02c497fd59f475e8be7a5a98e4e5

    SHA512

    0af02890ab55e538ef892ac946f9b8fd25025fbbd2ef18799e46bd4fb58613c91492231761c03fa879dc27f2443cef5ffebc580871f255c465727bd42b99caf7

  • C:\Users\Admin\AppData\Local\Temp\DEMDB42.exe

    Filesize

    14KB

    MD5

    dc83a981d766970bbd5c6b6117911009

    SHA1

    c4ffecd96d19bd1ca365a856de943c539c4f38f8

    SHA256

    c7d4805a80c481a27e4ef0a6ca9c7153b66ee1a8d9b2054b58e85bb1f97acfbc

    SHA512

    738189fedef7280450e5f754d9edeb505c8f8f46a136fc65a44ea7686042f163de5c01d2dc5cf4e8b61693b64c96e37873513632e261634871c6bf1c3159b949

  • \Users\Admin\AppData\Local\Temp\DEM85C3.exe

    Filesize

    13KB

    MD5

    43d7c2a8bf42128ca35be7865974cd98

    SHA1

    0f568884cc8b98c9076283abd3eb122f4905cdec

    SHA256

    7e275171d7bced07d387492daeb2e054d014692a235e3063f1daab1e61155f79

    SHA512

    19a9034629303c809b39949a0ef8934bf7079d14e0a42f64798cc4c47439aeede4e670cdcbf854d0acd8c0e8346b2663602be4b317c1649b83d9368ddb264ae5

  • \Users\Admin\AppData\Local\Temp\DEM868E.exe

    Filesize

    14KB

    MD5

    b4a5a711a9924b04b49d70031bcfd231

    SHA1

    d29c7b370e110e872d1c5894b7869ae88be87e1b

    SHA256

    e93cb25d8e047bc6a9f62f77498aea1ad9c34df750320cf9a9a1a884b0c41dae

    SHA512

    ca920d75e99dfce33f38c8e1de98bb1bfaa9d8d769be878cd1eb9d838beb3be34cd1e1f1433f09f0c2b8a76064bed089b762eb29322e0e4d354feb6c7b3b2c23

  • \Users\Admin\AppData\Local\Temp\DEMDC3C.exe

    Filesize

    14KB

    MD5

    2cfbbbbda01143ca6318d99d2340c40f

    SHA1

    ffc259ca122b9526af927ec5393337f92bda3ec5

    SHA256

    a44ed176eae0ec42bd60612637e2cec844653874da42a4437b8083ba941cc34a

    SHA512

    30236f2352bb4a91ad99becb0ddd783e4032f5465a9596a38b0d6eb7a39aba9868cff4dec3ca463bbdeeff3fa441160f06593da5a8c78a9f0efb59e800b0fdac