Analysis
max time kernel: 131s
max time network: 140s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11/01/2025, 06:48
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_f9f7c996d9d37bf4ff3a2a12ef235fa4.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_f9f7c996d9d37bf4ff3a2a12ef235fa4.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_f9f7c996d9d37bf4ff3a2a12ef235fa4.exe
Size: 14KB
MD5: f9f7c996d9d37bf4ff3a2a12ef235fa4
SHA1: 6bde65981ad37dede323033d29bfc15cabbefac5
SHA256: eac81d1cd5b67eb31b73b1835a3a0f19e5465a3371d39a361aa5d2f95e78f635
SHA512: f419f5a5660f8853a9f231f2b9026ca83b3559c26faf1fc979f7766bb83b7507e5c241df6bacd81e41f7ba83574fc3cda9a0c3d12d8b3507f775906efd9487a7
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhX:hDXWipuE+K3/SSHgxx
Malware Config
Signatures
-
Executes dropped EXE (6 IoCs)
  pid   Process
  2668  DEM6142.exe
  1512  DEMB693.exe
  2604  DEMBD3.exe
  336   DEM6114.exe
  1152  DEMB635.exe
  2240  DEMB47.exe
Loads dropped DLL (6 IoCs)
  pid   Process
  3008  JaffaCakes118_f9f7c996d9d37bf4ff3a2a12ef235fa4.exe
  2668  DEM6142.exe
  1512  DEMB693.exe
  2604  DEMBD3.exe
  336   DEM6114.exe
  1152  DEMB635.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_f9f7c996d9d37bf4ff3a2a12ef235fa4.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM6142.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMB693.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMBD3.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM6114.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMB635.exe
Suspicious use of WriteProcessMemory (24 IoCs)
  description                        pid   Process                                              procid_target
  PID 3008 wrote to memory of 2668   3008  JaffaCakes118_f9f7c996d9d37bf4ff3a2a12ef235fa4.exe  31
  PID 3008 wrote to memory of 2668   3008  JaffaCakes118_f9f7c996d9d37bf4ff3a2a12ef235fa4.exe  31
  PID 3008 wrote to memory of 2668   3008  JaffaCakes118_f9f7c996d9d37bf4ff3a2a12ef235fa4.exe  31
  PID 3008 wrote to memory of 2668   3008  JaffaCakes118_f9f7c996d9d37bf4ff3a2a12ef235fa4.exe  31
  PID 2668 wrote to memory of 1512   2668  DEM6142.exe                                          34
  PID 2668 wrote to memory of 1512   2668  DEM6142.exe                                          34
  PID 2668 wrote to memory of 1512   2668  DEM6142.exe                                          34
  PID 2668 wrote to memory of 1512   2668  DEM6142.exe                                          34
  PID 1512 wrote to memory of 2604   1512  DEMB693.exe                                          36
  PID 1512 wrote to memory of 2604   1512  DEMB693.exe                                          36
  PID 1512 wrote to memory of 2604   1512  DEMB693.exe                                          36
  PID 1512 wrote to memory of 2604   1512  DEMB693.exe                                          36
  PID 2604 wrote to memory of 336    2604  DEMBD3.exe                                           38
  PID 2604 wrote to memory of 336    2604  DEMBD3.exe                                           38
  PID 2604 wrote to memory of 336    2604  DEMBD3.exe                                           38
  PID 2604 wrote to memory of 336    2604  DEMBD3.exe                                           38
  PID 336 wrote to memory of 1152    336   DEM6114.exe                                          40
  PID 336 wrote to memory of 1152    336   DEM6114.exe                                          40
  PID 336 wrote to memory of 1152    336   DEM6114.exe                                          40
  PID 336 wrote to memory of 1152    336   DEM6114.exe                                          40
  PID 1152 wrote to memory of 2240   1152  DEMB635.exe                                          42
  PID 1152 wrote to memory of 2240   1152  DEMB635.exe                                          42
  PID 1152 wrote to memory of 2240   1152  DEMB635.exe                                          42
  PID 1152 wrote to memory of 2240   1152  DEMB635.exe                                          42
Processes
1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9f7c996d9d37bf4ff3a2a12ef235fa4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9f7c996d9d37bf4ff3a2a12ef235fa4.exe"
   PID: 3008
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\DEM6142.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\DEM6142.exe"
     PID: 2668
     - Executes dropped EXE
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Local\Temp\DEMB693.exe
       Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB693.exe"
       PID: 1512
       - Executes dropped EXE
       - Loads dropped DLL
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Local\Temp\DEMBD3.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\DEMBD3.exe"
         PID: 2604
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
        5. C:\Users\Admin\AppData\Local\Temp\DEM6114.exe
           Command line: "C:\Users\Admin\AppData\Local\Temp\DEM6114.exe"
           PID: 336
           - Executes dropped EXE
           - Loads dropped DLL
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory
          6. C:\Users\Admin\AppData\Local\Temp\DEMB635.exe
             Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB635.exe"
             PID: 1152
             - Executes dropped EXE
             - Loads dropped DLL
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory
            7. C:\Users\Admin\AppData\Local\Temp\DEMB47.exe
               Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB47.exe"
               PID: 2240
               - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 14KB
MD5: 5acf8ebc200a2a1f01bab693c995581e
SHA1: 64233f3288a89be135e6616d13815589f7785d67
SHA256: e992f4c998d198fd3c3b4c04a81267267091768898957f700ec4936afd5871d1
SHA512: 606457b577a151e31af7304899c4c7f1b880a82802605364c03535f753252acd90ad8fbf73e5f35dcae6dfdeac0b3671a90a5ad8d52d99daec67979bd9774386
-
Filesize: 14KB
MD5: 59ecc85e6c6c0dbf6e3a6e978df5e763
SHA1: 8eb111e89e1c319b4a73f5965d79dfed5e0748f8
SHA256: 8d322ddcddc55ebd711d19d310e9baa14045f93a090cf8234c501dd92658b989
SHA512: 3ecf919812fd88c8b4282bf99f5867eaaec6a8ce90507ba507e2e7f42ac16e8d2bcb162125c51cab16901d129b7004b0ba20b8894f81ed3502bb2a1341af4567
-
Filesize: 14KB
MD5: adada66b26fc31536f17cc2a112b9c5d
SHA1: cec4c69f12a256f65e99200ee958b9216cb7fb64
SHA256: 2833a9e26a302a8d62ec7d51d9f01c098f90c59dc58b5f4a6e29d7da4fe7ba12
SHA512: 22cf91549a55b38fe312f8f62b52dbd52258b6f0b31ae6b2ea5bb11a2ddc4da4d2bc368393069d9b87dfb236d92d485c506568c610e9ae3e45487036a7eed07d
-
Filesize: 14KB
MD5: f7811e086d174776c9613dbd8efa18de
SHA1: 46f723137164e59555ed0a0060224f60b40cbb91
SHA256: 0b3cb9da1d532e601299e01032736c8ee470e9968e7c849ff8e908f655097962
SHA512: 0a6e55d47fcd9e10b5fef336e1f99485c450fa193e26541d4f4470abd7b03cfa8873a68706ba34cff17d0f596a1e09eb0894b2d4afbae391f90d51c8772bd3e4
-
Filesize: 14KB
MD5: 7826f3688a4dbe78c0235723386806a9
SHA1: 85d2f1eb7491624818d5978fc778934cd4e58f80
SHA256: 7c71a75c7d61c973e98e8475a483148006e3e24d153c26455ac902426ed297cc
SHA512: 83372617cf2cb427d3b1540f2676e84960caa995d867129af5a0aaf3b30c24682649f9e295232ded587dbdd1816517bf6ee8ae6c9bd4958da99a50997de42476
-
Filesize: 14KB
MD5: 63dd45df35d73a6ff0fffa568dd042fa
SHA1: f007085a7d05d72d24f53d9d755b67d3c013872f
SHA256: d83b865781fc04902b9895654ea64bc86a46eaf310352dd2a905221caa27d18c
SHA512: bd746884882d79516c870664a0be1db29777aa0a639cb6558fafb13b973b36351dfb8c403b4dafe9f7fd9d9eb57465ea1737fd73748b940ed2f082ec213cf095