Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 133s
max time network: 147s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 11/01/2025, 06:49
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe
Size: 16KB
MD5: f9fde476b15ad9fe7da9a629f280ae8c
SHA1: 1e06abb6ceceef9fee6170b0590114979e4c1f2c
SHA256: ac7699a7ff7ef0ea4473ce4dd6391ed175be53e3c5e884a94ffd51788a008538
SHA512: df3256bd480ac979ab11d150e9ef28fbce3d82b82492bead078bea7e5bbd9ff4383d2dfcd5b78bccd64c9e41764ff0d3045402a67e5b2cabee4a9b11d896aebe
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY0Fi:hDXWipuE+K3/SSHgxm0Q
Malware Config
Signatures

Executes dropped EXE (6 IoCs)
  PID   Process
  2696  DEM5E46.exe
  2500  DEMB403.exe
  2184  DEMBC4.exe
  2860  DEM621D.exe
  428   DEMB912.exe
  2620  DEMF2D.exe

Loads dropped DLL (6 IoCs)
  PID   Process
  2804  JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe
  2696  DEM5E46.exe
  2500  DEMB403.exe
  2184  DEMBC4.exe
  2860  DEM621D.exe
  428   DEMB912.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM5E46.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMB403.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMBC4.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM621D.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMB912.exe

Suspicious use of WriteProcessMemory (24 IoCs)
  Description                       PID   Process                                              procid_target
  PID 2804 wrote to memory of 2696  2804  JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe  31
  PID 2804 wrote to memory of 2696  2804  JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe  31
  PID 2804 wrote to memory of 2696  2804  JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe  31
  PID 2804 wrote to memory of 2696  2804  JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe  31
  PID 2696 wrote to memory of 2500  2696  DEM5E46.exe                                          33
  PID 2696 wrote to memory of 2500  2696  DEM5E46.exe                                          33
  PID 2696 wrote to memory of 2500  2696  DEM5E46.exe                                          33
  PID 2696 wrote to memory of 2500  2696  DEM5E46.exe                                          33
  PID 2500 wrote to memory of 2184  2500  DEMB403.exe                                          36
  PID 2500 wrote to memory of 2184  2500  DEMB403.exe                                          36
  PID 2500 wrote to memory of 2184  2500  DEMB403.exe                                          36
  PID 2500 wrote to memory of 2184  2500  DEMB403.exe                                          36
  PID 2184 wrote to memory of 2860  2184  DEMBC4.exe                                           38
  PID 2184 wrote to memory of 2860  2184  DEMBC4.exe                                           38
  PID 2184 wrote to memory of 2860  2184  DEMBC4.exe                                           38
  PID 2184 wrote to memory of 2860  2184  DEMBC4.exe                                           38
  PID 2860 wrote to memory of 428   2860  DEM621D.exe                                          40
  PID 2860 wrote to memory of 428   2860  DEM621D.exe                                          40
  PID 2860 wrote to memory of 428   2860  DEM621D.exe                                          40
  PID 2860 wrote to memory of 428   2860  DEM621D.exe                                          40
  PID 428 wrote to memory of 2620   428   DEMB912.exe                                          42
  PID 428 wrote to memory of 2620   428   DEMB912.exe                                          42
  PID 428 wrote to memory of 2620   428   DEMB912.exe                                          42
  PID 428 wrote to memory of 2620   428   DEMB912.exe                                          42
Processes (each entry is spawned by the one above it; the number is the depth in the process tree)

1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe"
   PID: 2804
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

  2. C:\Users\Admin\AppData\Local\Temp\DEM5E46.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\DEM5E46.exe"
     PID: 2696
     - Executes dropped EXE
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory

    3. C:\Users\Admin\AppData\Local\Temp\DEMB403.exe
       Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB403.exe"
       PID: 2500
       - Executes dropped EXE
       - Loads dropped DLL
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory

      4. C:\Users\Admin\AppData\Local\Temp\DEMBC4.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\DEMBC4.exe"
         PID: 2184
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

        5. C:\Users\Admin\AppData\Local\Temp\DEM621D.exe
           Command line: "C:\Users\Admin\AppData\Local\Temp\DEM621D.exe"
           PID: 2860
           - Executes dropped EXE
           - Loads dropped DLL
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory

          6. C:\Users\Admin\AppData\Local\Temp\DEMB912.exe
             Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB912.exe"
             PID: 428
             - Executes dropped EXE
             - Loads dropped DLL
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory

            7. C:\Users\Admin\AppData\Local\Temp\DEMF2D.exe
               Command line: "C:\Users\Admin\AppData\Local\Temp\DEMF2D.exe"
               PID: 2620
               - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Download 1
  Filesize: 16KB
  MD5: 037adf4b6cc48064230c6f891b6f9c19
  SHA1: 865b9955fe4c83eb75779400c95c9e770d526a98
  SHA256: 1d6ed390305f7666455cfc43ff312db736e7077ed2c3eb19e90eb8cca45bb559
  SHA512: d38722d5d1c0e36ac0f86cc83f63988a28dea1e4145f71b8d48b11b3a06d8192c74d2dd8355d728063e0df57c86d6bb4cc82d31588543387830c0289faa2139c

Download 2
  Filesize: 16KB
  MD5: fc838cb300a3cd2531c4f9a0a96d467c
  SHA1: dcd66a97d77533ad02e98196fc69b70cd423bfdc
  SHA256: 8e9423adfa049bd5ccbedd798d88f53142cf51aa9b5592cebf2fb365034dd80d
  SHA512: 200acee2e07d50b45b2e637f8de64aed49e20d4345eaeac744013fba8cd74ea504b7f759c9c50f5330d891a804cf3d05736fb60d8e702547061c331e5d6a3228

Download 3
  Filesize: 16KB
  MD5: 08b2359ade3736a22760fd91a361e11d
  SHA1: 6c9ecd8780585b27460d0b3b0080fd24dfa07ba6
  SHA256: 74b1f35ab5f06f51aa5b5ad19cc56466353566d908dcd2b3089bc53d369d70f9
  SHA512: 1e0e68fe7542bf32c3971a9bbb70052d1d76aaed888fb90b7a311ead42a8ff7847ba4b2e1a9f5e70cf5d238302fbff87bfe88142936ddfee47c0fe6fb923503c

Download 4
  Filesize: 16KB
  MD5: bdb87000309515ef1447ef787bfe16c2
  SHA1: 77ca59f410002245bb926d2fa1672894b2cc3f3d
  SHA256: 8fc91d2031054b91bc915991bb078524fe2c6e956051d3321caf9a277d1f0253
  SHA512: 7ca1ea68a990e7744fe39f67e1563b36c3df67aa6a22c5559f3684c9994b041488cc0afcbbd21d1e62b24ced76c54b0868b4959b775b3375c82c19a81dbb2b04

Download 5
  Filesize: 16KB
  MD5: 075212934bec5e82f8c0577df909853d
  SHA1: 81af10b7e31340bc01a9bd01813731eb8a53d362
  SHA256: a636dbe25bdaf9de6a184a884ba1b10f8fb8f0bd5db9704dfbca10ee908f8f3f
  SHA512: bb4402cb272ecada9208236ba392b821f454b914f3346a7499b2e8843d2cb76dab65fc5a466488ad4afe1d5583559e7867daa85ac5929bc2c7aae75ef60ee3cd

Download 6
  Filesize: 16KB
  MD5: f3315d8993c75cfd87322cea196f05a5
  SHA1: 26a76e29c93a734debc2eb354a07c702a91a9971
  SHA256: 069150c23bd6a66de29962877864b4674a09ab6fafebf78648c770cdae468af2
  SHA512: 8ce68049f5f77f688ae3d80feb13eb10a96a97b100bf5ae5b6063707c69e4109dc15b9a2797b7a9c4b3db4b78020fcf34559dbee54d1fcb468d6476a418994e6