Analysis

- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/01/2025, 06:42
Static task: static1

Behavioral task: behavioral1
- Sample: JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe
- Resource: win10v2004-20241007-en
General

- Target: JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe
- Size: 20KB
- MD5: f9d1a277b59230d9739d5fedecb6ed8b
- SHA1: b61d7caad9552eb9ace84c77c4fa1c6850cb6484
- SHA256: 254ea2fb1c31685e634a26c379a2742661901686f1a0fdf38fcfc8060d59cde6
- SHA512: ff238e9980591b71e1abaa91b86914a6870a2da4a41c4d9dfe26ac63f66766532babaaf603c482abc73ac9da4f15d2741d4a1db0ad3f018470cf05c93ab868cb
- SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4PRSV:hDXWipuE+K3/SSHgxmHZPRy
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 6 IoCs)

  Looks up country code configured in the registry, likely geofence.

  | description | ioc | Process |
  |---|---|---|
  | Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | DEM747F.exe |
  | Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | DEMCAEC.exe |
  | Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe |
  | Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | DEM70CB.exe |
  | Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | DEMC7C4.exe |
  | Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | DEM1E60.exe |

- Executes dropped EXE (6 IoCs)

  | pid | Process |
  |---|---|
  | 4404 | DEM70CB.exe |
  | 5112 | DEMC7C4.exe |
  | 3856 | DEM1E60.exe |
  | 2432 | DEM747F.exe |
  | 2872 | DEMCAEC.exe |
  | 1468 | DEM212A.exe |

- Enumerates physical storage devices (1 TTPs)

  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)

  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  | description | ioc | Process |
  |---|---|---|
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEMCAEC.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM212A.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM70CB.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEMC7C4.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM1E60.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM747F.exe |

- Suspicious use of WriteProcessMemory (18 IoCs)

  | description | pid | Process | procid_target |
  |---|---|---|---|
  | PID 4240 wrote to memory of 4404 | 4240 | JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe | 90 |
  | PID 4240 wrote to memory of 4404 | 4240 | JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe | 90 |
  | PID 4240 wrote to memory of 4404 | 4240 | JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe | 90 |
  | PID 4404 wrote to memory of 5112 | 4404 | DEM70CB.exe | 94 |
  | PID 4404 wrote to memory of 5112 | 4404 | DEM70CB.exe | 94 |
  | PID 4404 wrote to memory of 5112 | 4404 | DEM70CB.exe | 94 |
  | PID 5112 wrote to memory of 3856 | 5112 | DEMC7C4.exe | 96 |
  | PID 5112 wrote to memory of 3856 | 5112 | DEMC7C4.exe | 96 |
  | PID 5112 wrote to memory of 3856 | 5112 | DEMC7C4.exe | 96 |
  | PID 3856 wrote to memory of 2432 | 3856 | DEM1E60.exe | 98 |
  | PID 3856 wrote to memory of 2432 | 3856 | DEM1E60.exe | 98 |
  | PID 3856 wrote to memory of 2432 | 3856 | DEM1E60.exe | 98 |
  | PID 2432 wrote to memory of 2872 | 2432 | DEM747F.exe | 100 |
  | PID 2432 wrote to memory of 2872 | 2432 | DEM747F.exe | 100 |
  | PID 2432 wrote to memory of 2872 | 2432 | DEM747F.exe | 100 |
  | PID 2872 wrote to memory of 1468 | 2872 | DEMCAEC.exe | 102 |
  | PID 2872 wrote to memory of 1468 | 2872 | DEMCAEC.exe | 102 |
  | PID 2872 wrote to memory of 1468 | 2872 | DEMCAEC.exe | 102 |
Processes

Each process below is spawned by the one above it (depth 1 is the submitted sample; depth 7 is the last dropped executable).

- Depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe
  - Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9d1a277b59230d9739d5fedecb6ed8b.exe"
  - PID: 4240
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - Depth 2: C:\Users\Admin\AppData\Local\Temp\DEM70CB.exe
    - Command line: "C:\Users\Admin\AppData\Local\Temp\DEM70CB.exe"
    - PID: 4404
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - Depth 3: C:\Users\Admin\AppData\Local\Temp\DEMC7C4.exe
      - Command line: "C:\Users\Admin\AppData\Local\Temp\DEMC7C4.exe"
      - PID: 5112
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - Depth 4: C:\Users\Admin\AppData\Local\Temp\DEM1E60.exe
        - Command line: "C:\Users\Admin\AppData\Local\Temp\DEM1E60.exe"
        - PID: 3856
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - Depth 5: C:\Users\Admin\AppData\Local\Temp\DEM747F.exe
          - Command line: "C:\Users\Admin\AppData\Local\Temp\DEM747F.exe"
          - PID: 2432
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          - Depth 6: C:\Users\Admin\AppData\Local\Temp\DEMCAEC.exe
            - Command line: "C:\Users\Admin\AppData\Local\Temp\DEMCAEC.exe"
            - PID: 2872
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            - Depth 7: C:\Users\Admin\AppData\Local\Temp\DEM212A.exe
              - Command line: "C:\Users\Admin\AppData\Local\Temp\DEM212A.exe"
              - PID: 1468
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads