Analysis

  • max time kernel
    131s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/10/2024, 07:14

General

  • Target

    561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    561d055cc6c0da0756a01748ce967058

  • SHA1

    8303f42074385c1a54302b4a785c90953b7250cc

  • SHA256

    ac1f4f128ad130f141e12d109b3e3d9394982611630987818bc19b5a0a2ce7fd

  • SHA512

    44e3b821fb1005865036b3f9d1c418c6c016ec09fde394c725706ce7d96fbe3625190177eae784561198a772c05821a31ec7f34f6be059a3d112481e4e98ead1

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4bCl:hDXWipuE+K3/SSHgxm0O

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Users\Admin\AppData\Local\Temp\DEMD153.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD153.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Users\Admin\AppData\Local\Temp\DEM26E2.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM26E2.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Users\Admin\AppData\Local\Temp\DEM7C41.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM7C41.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2360
          • C:\Users\Admin\AppData\Local\Temp\DEMD192.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMD192.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2392
            • C:\Users\Admin\AppData\Local\Temp\DEM27BC.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM27BC.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2800
              • C:\Users\Admin\AppData\Local\Temp\DEM7D0C.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM7D0C.exe"
                7⤵
                • Executes dropped EXE
                PID:1108

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM26E2.exe

    Filesize

    14KB

    MD5

    3fd6bd3ec8d4904e66ab1c8ba77ed9bc

    SHA1

    7904197d24e28ea985770aa072aaf4bbcdace6b6

    SHA256

    b0c2050798487c4eea58ca8f1cb85dd2a850c048ce10c8b4e24d663a876f8225

    SHA512

    52842b858f9c30feea15d54b133d0560e519e0538ff3fee49ed452d7db7d55e1f5928194fd1a1d5b473d56cc710660e728b7209cd06ee5b11632853aa8a6b3b2

  • \Users\Admin\AppData\Local\Temp\DEM27BC.exe

    Filesize

    14KB

    MD5

    dd0257a7aaf7a5a75cb641cb18001c88

    SHA1

    06878e142c4e2a4cc52c99c3fee1b35b7272491e

    SHA256

    308c9a3d3145da31d60b5abc12f44c7c779a8fe3599fa0b3eaee78507492e9e5

    SHA512

    516098074fb33b7e2b1595186d46bc32a3db07d575ae5128dfe0700c7421e38539c9c0227d2dd5557cfc0452da4842d81b9ce371e085fdbace4a0ff2fc5a266f

  • \Users\Admin\AppData\Local\Temp\DEM7C41.exe

    Filesize

    14KB

    MD5

    9ad3309626246b803ebe262c2b0c5745

    SHA1

    0572f26a0bab70a3235b1bdfa89c1bde5b0e8d50

    SHA256

    b9b8563dfcfba0fd2469cdcd44a3502bb298ea475dd8f29d64bda404fe7dea91

    SHA512

    54f12fe4edf6a7b7b6f5fc518d86939817a986e2e6da1ee93a17c02fb0a03c78afe3b8d6c8964641e8e874689a4449f07a93f983198afaf4da49c1341aeb6084

  • \Users\Admin\AppData\Local\Temp\DEM7D0C.exe

    Filesize

    15KB

    MD5

    2cb976e0b7735a51fc6591a8b3b2159f

    SHA1

    6d9f4d90d57c2aa57aea4bbb64a505f4b6569cb9

    SHA256

    7790d8858628cfd38b4a1e82827a6ed53eab2639dc3ab532b4e9ff8e948f1ea8

    SHA512

    0a02704af4f1f5acced325e89643a52d9d4288098e243a6994d30b14fbcd79ee91417e9d365788c77d0a4a2299a5df3558057734c666d0fa0bf266b27ec91aae

  • \Users\Admin\AppData\Local\Temp\DEMD153.exe

    Filesize

    14KB

    MD5

    b32f95d1003b545f196357fd14386cc0

    SHA1

    54a82112f4fcc9765a5ac6fa8fa9da991115f62c

    SHA256

    c42cf979856a12eab782a2cae87d51aa433598d86caf90ba2c3c2036683b9c9d

    SHA512

    93bf75d68a47a50edfde822505cd36582d7ff6f5b915b78180076fa621128b56b971dba19f8aa5eea4f73b2c07f74770246d1e8bf156ec67245243d7db43034d

  • \Users\Admin\AppData\Local\Temp\DEMD192.exe

    Filesize

    14KB

    MD5

    8543c45e3eaf2928127dc359252d60ff

    SHA1

    2405d2b14235fe7b5d875f660c49512958741644

    SHA256

    973bc6d04c4487aa7d1e6d668f7aa0f5731be6e87bc82363ebd79097b44410c2

    SHA512

    ccee4fc69fde55aafad6a7aaf31c7b59702f319c74b88f520a1de87feaf83bf63fa4cf681a8dd10aa489aaadd33ca4b7cd0787925de44e51763b6a9f538f8b4e