Analysis
max time kernel: 133s
max time network: 147s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 11/01/2025, 06:50
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe
Size: 13KB
MD5: f9feddb8d9d2e15ef6a9d53e7014a152
SHA1: 97bed1b600d6d402db7e53de8a3681e5d5918537
SHA256: 03f5bb9657f3509ade7b7c9d998a11f7f922489aa8de906fa94f70c5487c2901
SHA512: 71e48c41901fc3156fad55c2f5c8878d455c2d326ab47fafc04e65e4efb720970a05c9a49c8d6db6511292c55619d413a299c068e3874bf3ce59f36a56a2d680
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhbuQK:hDXWipuE+K3/SSHgxcQK
Malware Config
Signatures

Executes dropped EXE (6 IoCs)
pid    Process
2140   DEM232.exe
2892   DEM57A2.exe
2248   DEMAEC6.exe
2836   DEM4E1.exe
2632   DEM5AEC.exe
2500   DEMB155.exe

Loads dropped DLL (6 IoCs)
pid    Process
2296   JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe
2140   DEM232.exe
2892   DEM57A2.exe
2248   DEMAEC6.exe
2836   DEM4E1.exe
2632   DEM5AEC.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                          Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   DEM232.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   DEM57A2.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   DEMAEC6.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   DEM4E1.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   DEM5AEC.exe
Suspicious use of WriteProcessMemory (24 IoCs)
description                            pid    Process                                               procid_target
PID 2296 wrote to memory of 2140       2296   JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe    32
PID 2296 wrote to memory of 2140       2296   JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe    32
PID 2296 wrote to memory of 2140       2296   JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe    32
PID 2296 wrote to memory of 2140       2296   JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe    32
PID 2140 wrote to memory of 2892       2140   DEM232.exe                                            34
PID 2140 wrote to memory of 2892       2140   DEM232.exe                                            34
PID 2140 wrote to memory of 2892       2140   DEM232.exe                                            34
PID 2140 wrote to memory of 2892       2140   DEM232.exe                                            34
PID 2892 wrote to memory of 2248       2892   DEM57A2.exe                                           36
PID 2892 wrote to memory of 2248       2892   DEM57A2.exe                                           36
PID 2892 wrote to memory of 2248       2892   DEM57A2.exe                                           36
PID 2892 wrote to memory of 2248       2892   DEM57A2.exe                                           36
PID 2248 wrote to memory of 2836       2248   DEMAEC6.exe                                           38
PID 2248 wrote to memory of 2836       2248   DEMAEC6.exe                                           38
PID 2248 wrote to memory of 2836       2248   DEMAEC6.exe                                           38
PID 2248 wrote to memory of 2836       2248   DEMAEC6.exe                                           38
PID 2836 wrote to memory of 2632       2836   DEM4E1.exe                                            40
PID 2836 wrote to memory of 2632       2836   DEM4E1.exe                                            40
PID 2836 wrote to memory of 2632       2836   DEM4E1.exe                                            40
PID 2836 wrote to memory of 2632       2836   DEM4E1.exe                                            40
PID 2632 wrote to memory of 2500       2632   DEM5AEC.exe                                           43
PID 2632 wrote to memory of 2500       2632   DEM5AEC.exe                                           43
PID 2632 wrote to memory of 2500       2632   DEM5AEC.exe                                           43
PID 2632 wrote to memory of 2500       2632   DEM5AEC.exe                                           43
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9feddb8d9d2e15ef6a9d53e7014a152.exe"
  PID: 2296
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 2: C:\Users\Admin\AppData\Local\Temp\DEM232.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DEM232.exe"
  PID: 2140
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 3: C:\Users\Admin\AppData\Local\Temp\DEM57A2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DEM57A2.exe"
  PID: 2892
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 4: C:\Users\Admin\AppData\Local\Temp\DEMAEC6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DEMAEC6.exe"
  PID: 2248
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 5: C:\Users\Admin\AppData\Local\Temp\DEM4E1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DEM4E1.exe"
  PID: 2836
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 6: C:\Users\Admin\AppData\Local\Temp\DEM5AEC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DEM5AEC.exe"
  PID: 2632
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 7: C:\Users\Admin\AppData\Local\Temp\DEMB155.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB155.exe"
  PID: 2500
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads