Analysis
- max time kernel: 133s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 06/10/2024, 11:30
Static task
- static1
Behavioral task
- behavioral1
  Sample: 17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task
- behavioral2
  Sample: 17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: 17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe
- Size: 14KB
- MD5: 17e83badf5d724560a8a2463ea52e916
- SHA1: 0857485e02cd49c0c77a38788211e718f6129b78
- SHA256: 45f2db7fb385a0b897ced85ad47b0dfe282b217864cf8c30eac5b5c06b632b3d
- SHA512: fc59563f2c43890d78ce3f53b83ea6b59f580b34707b8520961399ad35b6b078f3388be7393ded90646f08eb768a623e28c85251e9292946fef38cf4afb8a5de
- SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYi:hDXWipuE+K3/SSHgxmi
Malware Config
Signatures
- Executes dropped EXE (6 IoCs)
  PID   Process
  2744  DEM3C64.exe
  2544  DEM93E6.exe
  1876  DEMEA11.exe
  1252  DEM40F6.exe
  2168  DEM97EC.exe
  2192  DEMEE07.exe
- Loads dropped DLL (6 IoCs)
  PID   Process
  2732  17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe
  2744  DEM3C64.exe
  2544  DEM93E6.exe
  1876  DEMEA11.exe
  1252  DEM40F6.exe
  2168  DEM97EC.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM93E6.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMEA11.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM40F6.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM97EC.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM3C64.exe
- Suspicious use of WriteProcessMemory (24 IoCs; each row below was recorded 4 times)
  Description                       PID   Process                                             procid_target
  PID 2732 wrote to memory of 2744  2732  17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe  31
  PID 2744 wrote to memory of 2544  2744  DEM3C64.exe                                         33
  PID 2544 wrote to memory of 1876  2544  DEM93E6.exe                                         35
  PID 1876 wrote to memory of 1252  1876  DEMEA11.exe                                         37
  PID 1252 wrote to memory of 2168  1252  DEM40F6.exe                                         39
  PID 2168 wrote to memory of 2192  2168  DEM97EC.exe                                         42
Processes
- C:\Users\Admin\AppData\Local\Temp\17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe (PID 2732)
  Command line: "C:\Users\Admin\AppData\Local\Temp\17e83badf5d724560a8a2463ea52e916_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DEM3C64.exe (PID 2744)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DEM3C64.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\DEM93E6.exe (PID 2544)
      Command line: "C:\Users\Admin\AppData\Local\Temp\DEM93E6.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\DEMEA11.exe (PID 1876)
        Command line: "C:\Users\Admin\AppData\Local\Temp\DEMEA11.exe"
        Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\DEM40F6.exe (PID 1252)
          Command line: "C:\Users\Admin\AppData\Local\Temp\DEM40F6.exe"
          Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\DEM97EC.exe (PID 2168)
            Command line: "C:\Users\Admin\AppData\Local\Temp\DEM97EC.exe"
            Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Local\Temp\DEMEE07.exe (PID 2192)
              Command line: "C:\Users\Admin\AppData\Local\Temp\DEMEE07.exe"
              Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads