Analysis
max time kernel: 131s
max time network: 140s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11/01/2025, 06:42
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe
Size: 20KB
MD5: f9d1a277b59230d9739d5fedecb6ed8b
SHA1: b61d7caad9552eb9ace84c77c4fa1c6850cb6484
SHA256: 254ea2fb1c31685e634a26c379a2742661901686f1a0fdf38fcfc8060d59cde6
SHA512: ff238e9980591b71e1abaa91b86914a6870a2da4a41c4d9dfe26ac63f66766532babaaf603c482abc73ac9da4f15d2741d4a1db0ad3f018470cf05c93ab868cb
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4PRSV:hDXWipuE+K3/SSHgxmHZPRy
Malware Config
Signatures
Executes dropped EXE (6 IoCs)
pid   Process
2264  DEM8881.exe
1728  DEMDE6D.exe
2468  DEM339E.exe
1908  DEM891D.exe
1152  DEMDE1F.exe
2460  DEM336F.exe

Loads dropped DLL (6 IoCs)
pid   Process
2788  JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe
2264  DEM8881.exe
1728  DEMDE6D.exe
2468  DEM339E.exe
1908  DEM891D.exe
1152  DEMDE1F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMDE6D.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM339E.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM891D.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMDE1F.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM8881.exe

Suspicious use of WriteProcessMemory (24 IoCs)
description                        pid   Process                                              procid_target
PID 2788 wrote to memory of 2264   2788  JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe  32
PID 2788 wrote to memory of 2264   2788  JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe  32
PID 2788 wrote to memory of 2264   2788  JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe  32
PID 2788 wrote to memory of 2264   2788  JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe  32
PID 2264 wrote to memory of 1728   2264  DEM8881.exe                                          34
PID 2264 wrote to memory of 1728   2264  DEM8881.exe                                          34
PID 2264 wrote to memory of 1728   2264  DEM8881.exe                                          34
PID 2264 wrote to memory of 1728   2264  DEM8881.exe                                          34
PID 1728 wrote to memory of 2468   1728  DEMDE6D.exe                                          36
PID 1728 wrote to memory of 2468   1728  DEMDE6D.exe                                          36
PID 1728 wrote to memory of 2468   1728  DEMDE6D.exe                                          36
PID 1728 wrote to memory of 2468   1728  DEMDE6D.exe                                          36
PID 2468 wrote to memory of 1908   2468  DEM339E.exe                                          38
PID 2468 wrote to memory of 1908   2468  DEM339E.exe                                          38
PID 2468 wrote to memory of 1908   2468  DEM339E.exe                                          38
PID 2468 wrote to memory of 1908   2468  DEM339E.exe                                          38
PID 1908 wrote to memory of 1152   1908  DEM891D.exe                                          40
PID 1908 wrote to memory of 1152   1908  DEM891D.exe                                          40
PID 1908 wrote to memory of 1152   1908  DEM891D.exe                                          40
PID 1908 wrote to memory of 1152   1908  DEM891D.exe                                          40
PID 1152 wrote to memory of 2460   1152  DEMDE1F.exe                                          42
PID 1152 wrote to memory of 2460   1152  DEMDE1F.exe                                          42
PID 1152 wrote to memory of 2460   1152  DEMDE1F.exe                                          42
PID 1152 wrote to memory of 2460   1152  DEMDE1F.exe                                          42
Processes (process tree, depth 1 to 7)

1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe (PID 2788)
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\DEM8881.exe (PID 2264)
     Command line: "C:\Users\Admin\AppData\Local\Temp\DEM8881.exe"
     - Executes dropped EXE
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Local\Temp\DEMDE6D.exe (PID 1728)
       Command line: "C:\Users\Admin\AppData\Local\Temp\DEMDE6D.exe"
       - Executes dropped EXE
       - Loads dropped DLL
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Local\Temp\DEM339E.exe (PID 2468)
         Command line: "C:\Users\Admin\AppData\Local\Temp\DEM339E.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
        5. C:\Users\Admin\AppData\Local\Temp\DEM891D.exe (PID 1908)
           Command line: "C:\Users\Admin\AppData\Local\Temp\DEM891D.exe"
           - Executes dropped EXE
           - Loads dropped DLL
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory
          6. C:\Users\Admin\AppData\Local\Temp\DEMDE1F.exe (PID 1152)
             Command line: "C:\Users\Admin\AppData\Local\Temp\DEMDE1F.exe"
             - Executes dropped EXE
             - Loads dropped DLL
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory
            7. C:\Users\Admin\AppData\Local\Temp\DEM336F.exe (PID 2460)
               Command line: "C:\Users\Admin\AppData\Local\Temp\DEM336F.exe"
               - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads