Analysis

  • max time kernel
    133s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/10/2024, 11:30

General

  • Target

    17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    17e83badf5d724560a8a2463ea52e916

  • SHA1

    0857485e02cd49c0c77a38788211e718f6129b78

  • SHA256

    45f2db7fb385a0b897ced85ad47b0dfe282b217864cf8c30eac5b5c06b632b3d

  • SHA512

    fc59563f2c43890d78ce3f53b83ea6b59f580b34707b8520961399ad35b6b078f3388be7393ded90646f08eb768a623e28c85251e9292946fef38cf4afb8a5de

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYi:hDXWipuE+K3/SSHgxmi

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Users\Admin\AppData\Local\Temp\DEM3C64.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3C64.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Users\Admin\AppData\Local\Temp\DEM93E6.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM93E6.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2544
        • C:\Users\Admin\AppData\Local\Temp\DEMEA11.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMEA11.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1876
          • C:\Users\Admin\AppData\Local\Temp\DEM40F6.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM40F6.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1252
            • C:\Users\Admin\AppData\Local\Temp\DEM97EC.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM97EC.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2168
              • C:\Users\Admin\AppData\Local\Temp\DEMEE07.exe
                "C:\Users\Admin\AppData\Local\Temp\DEMEE07.exe"
                7⤵
                • Executes dropped EXE
                PID:2192

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM93E6.exe

    Filesize

    14KB

    MD5

    0037ae6a6ac1664dc4c766f8ae82cae8

    SHA1

    04af201466bd71bef2d624dc91e6d003e1a9031e

    SHA256

    27028c7c245d5b1567359ca35fa914b28252e87dc25d288433ff0a68b05750e1

    SHA512

    c3a15394dce863d3e0d0455a521c0b97d8d44633c1136ff9087892dd0162fbc73ebbf2eff125aaa6d5274fc788db2cae87b2f2a5096aaf390e217975f28e367f

  • C:\Users\Admin\AppData\Local\Temp\DEMEE07.exe

    Filesize

    14KB

    MD5

    b21b6ad902e0c2d5da8d1e7cd63905f7

    SHA1

    9f258695ec0e03670fd4fba603bf3d562f6da0a1

    SHA256

    e10d6deea810d315a648beb49fa7e91d57646c858757a196ce6f5ab3a7ef4152

    SHA512

    990f76568e66db7db102bd6b8311045b71ae3b439857402babf95d5a755e04468220e04b95f19fa48d62fa40126dbde04a83e9bbb1ed6e3df1dbf3ac06107463

  • \Users\Admin\AppData\Local\Temp\DEM3C64.exe

    Filesize

    14KB

    MD5

    d35a0ad7a1b4fd0f069ea7aba684925f

    SHA1

    3679f8b306fd8dc5309201d2da18bc32e0849beb

    SHA256

    5d39d3f90156261b1667d4e1e56d94bd6cfa4196d6e812992a41ee51ce88216e

    SHA512

    778bb6ca67e17069c77304320fc73086586a1532be806efbe5b12910a5c337e98e210a86786483baba1e349aa1a40916be1054198164b15c5a84eabadc3ea9a7

  • \Users\Admin\AppData\Local\Temp\DEM40F6.exe

    Filesize

    14KB

    MD5

    1a523fc868aac2975170698da9fc6741

    SHA1

    8f1e4554af631d4775efb886e37c356f127294af

    SHA256

    8aaee84ef71a40047cf188c7f78b902396c1022e2717cab1d2c4da17f35228e1

    SHA512

    d9aeadea71490c97b90484adcc14f987071ce6a880347f769faa2580ca909e97a3d9d6ced0b2317722579584de8e94763e2d1e0a4e52ca1fc5a9beba63dca068

  • \Users\Admin\AppData\Local\Temp\DEM97EC.exe

    Filesize

    14KB

    MD5

    971a5a7f17cec9b1ceaba4fa12ade234

    SHA1

    81838037439ce4ffb884fc52356aba9ba3a0659b

    SHA256

    140a8ebb8981ce6d50196f4ed45ffa497278341915af0a0f007b35d74321bd00

    SHA512

    d904512914397708eb16b717c2980d6e4f9fde71aa8ecfb817f88ad971f3c1f1fa1297f508b5574a59b4270fefa23f48cf460bfd0fce219adbdaa8b57ec7dd92

  • \Users\Admin\AppData\Local\Temp\DEMEA11.exe

    Filesize

    14KB

    MD5

    b7acd5e0138e7007d5b1676cf2c3b409

    SHA1

    3c8d0917eff5b52f86fa308b862456a53ef34c82

    SHA256

    23e345dacb329ec8f7a62e860759fdd71a29058e4c132a618963ae5d5771fc15

    SHA512

    203220c01d4fb0a9d884146ae8494e33bfee5d1821633f1ad50156d41fc5be0acc81200012e3890ad2f03335cb4c0aeaf2e1379bebabf9e8452c2f8d22086b3f