Analysis
- max time kernel: 131s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 30/09/2024, 15:23
Static task: static1
Behavioral task: behavioral1
- Sample: 020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe
- Size: 13KB
- MD5: 020a66f7c7ca9542d434b5e38874fb0d
- SHA1: d1e8b96e90f5cc0553517d839b7143e5b6292ebf
- SHA256: 7cdc7c3b1150d794ad0c84fb14757b8662aa522f8896abbd910f9f0d27a305fe
- SHA512: 8c409161640655ff9b278290a7f4627054a061d003618e6352d7fd22978adb2114e69240bc8dcaaed10de99689810675597b81bb65cfce0ce0a6bcb4ecd51e64
- SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh0:hDXWipuE+K3/SSHgx2
Malware Config
Signatures
- Executes dropped EXE (6 IoCs)
  pid   Process
  2324  DEM85C3.exe
  1712  DEMDB42.exe
  2212  DEM310F.exe
  1580  DEM868E.exe
  1956  DEMDC3C.exe
  1632  DEM3228.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  2508  020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe
  2324  DEM85C3.exe
  1712  DEMDB42.exe
  2212  DEM310F.exe
  1580  DEM868E.exe
  1956  DEMDC3C.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM85C3.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMDB42.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM310F.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM868E.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMDC3C.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  description                         pid   Process                                             procid_target
  PID 2508 wrote to memory of 2324    2508  020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe  32
  PID 2508 wrote to memory of 2324    2508  020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe  32
  PID 2508 wrote to memory of 2324    2508  020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe  32
  PID 2508 wrote to memory of 2324    2508  020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe  32
  PID 2324 wrote to memory of 1712    2324  DEM85C3.exe                                         34
  PID 2324 wrote to memory of 1712    2324  DEM85C3.exe                                         34
  PID 2324 wrote to memory of 1712    2324  DEM85C3.exe                                         34
  PID 2324 wrote to memory of 1712    2324  DEM85C3.exe                                         34
  PID 1712 wrote to memory of 2212    1712  DEMDB42.exe                                         36
  PID 1712 wrote to memory of 2212    1712  DEMDB42.exe                                         36
  PID 1712 wrote to memory of 2212    1712  DEMDB42.exe                                         36
  PID 1712 wrote to memory of 2212    1712  DEMDB42.exe                                         36
  PID 2212 wrote to memory of 1580    2212  DEM310F.exe                                         38
  PID 2212 wrote to memory of 1580    2212  DEM310F.exe                                         38
  PID 2212 wrote to memory of 1580    2212  DEM310F.exe                                         38
  PID 2212 wrote to memory of 1580    2212  DEM310F.exe                                         38
  PID 1580 wrote to memory of 1956    1580  DEM868E.exe                                         40
  PID 1580 wrote to memory of 1956    1580  DEM868E.exe                                         40
  PID 1580 wrote to memory of 1956    1580  DEM868E.exe                                         40
  PID 1580 wrote to memory of 1956    1580  DEM868E.exe                                         40
  PID 1956 wrote to memory of 1632    1956  DEMDC3C.exe                                         42
  PID 1956 wrote to memory of 1632    1956  DEMDC3C.exe                                         42
  PID 1956 wrote to memory of 1632    1956  DEMDC3C.exe                                         42
  PID 1956 wrote to memory of 1632    1956  DEMDC3C.exe                                         42
Processes
- C:\Users\Admin\AppData\Local\Temp\020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe"
  depth 1, PID 2508
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DEM85C3.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\DEM85C3.exe"
    depth 2, PID 2324
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\DEMDB42.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\DEMDB42.exe"
      depth 3, PID 1712
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\DEM310F.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\DEM310F.exe"
        depth 4, PID 2212
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\DEM868E.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\DEM868E.exe"
          depth 5, PID 1580
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\DEMDC3C.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\DEMDC3C.exe"
            depth 6, PID 1956
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Local\Temp\DEM3228.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\DEM3228.exe"
              depth 7, PID 1632
              - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 14KB
  MD5: 3882cd4d472e00e9ed218107d43ba4e7
  SHA1: 52fedad6cd4183588f10f22b3aaf6df5b18f8379
  SHA256: 7753c7d1236136bf1f376799fe467c4be3c145f66a7b93fd48550fb1c1d48c51
  SHA512: 8b5903dd4d97c47f382e09272aa8bc3c02287291ce8c8385adcd37bf7481b24f581fbbd9addff55ca67321c36fb0dc7a02763ce3c7adf8837d740fa14dbf5515
- Filesize: 14KB
  MD5: ee229477fa07ac503bacdba62f7c3172
  SHA1: 1cefb09e0376a7eac24fea1ccbbd24360198cea9
  SHA256: 44c88c8f8ba06511d249eaf9b5d03538ae4d02c497fd59f475e8be7a5a98e4e5
  SHA512: 0af02890ab55e538ef892ac946f9b8fd25025fbbd2ef18799e46bd4fb58613c91492231761c03fa879dc27f2443cef5ffebc580871f255c465727bd42b99caf7
- Filesize: 14KB
  MD5: dc83a981d766970bbd5c6b6117911009
  SHA1: c4ffecd96d19bd1ca365a856de943c539c4f38f8
  SHA256: c7d4805a80c481a27e4ef0a6ca9c7153b66ee1a8d9b2054b58e85bb1f97acfbc
  SHA512: 738189fedef7280450e5f754d9edeb505c8f8f46a136fc65a44ea7686042f163de5c01d2dc5cf4e8b61693b64c96e37873513632e261634871c6bf1c3159b949
- Filesize: 13KB
  MD5: 43d7c2a8bf42128ca35be7865974cd98
  SHA1: 0f568884cc8b98c9076283abd3eb122f4905cdec
  SHA256: 7e275171d7bced07d387492daeb2e054d014692a235e3063f1daab1e61155f79
  SHA512: 19a9034629303c809b39949a0ef8934bf7079d14e0a42f64798cc4c47439aeede4e670cdcbf854d0acd8c0e8346b2663602be4b317c1649b83d9368ddb264ae5
- Filesize: 14KB
  MD5: b4a5a711a9924b04b49d70031bcfd231
  SHA1: d29c7b370e110e872d1c5894b7869ae88be87e1b
  SHA256: e93cb25d8e047bc6a9f62f77498aea1ad9c34df750320cf9a9a1a884b0c41dae
  SHA512: ca920d75e99dfce33f38c8e1de98bb1bfaa9d8d769be878cd1eb9d838beb3be34cd1e1f1433f09f0c2b8a76064bed089b762eb29322e0e4d354feb6c7b3b2c23
- Filesize: 14KB
  MD5: 2cfbbbbda01143ca6318d99d2340c40f
  SHA1: ffc259ca122b9526af927ec5393337f92bda3ec5
  SHA256: a44ed176eae0ec42bd60612637e2cec844653874da42a4437b8083ba941cc34a
  SHA512: 30236f2352bb4a91ad99becb0ddd783e4032f5465a9596a38b0d6eb7a39aba9868cff4dec3ca463bbdeeff3fa441160f06593da5a8c78a9f0efb59e800b0fdac