Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    133s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/01/2025, 06:49

General

  • Target

    JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe

  • Size

    16KB

  • MD5

    f9fde476b15ad9fe7da9a629f280ae8c

  • SHA1

    1e06abb6ceceef9fee6170b0590114979e4c1f2c

  • SHA256

    ac7699a7ff7ef0ea4473ce4dd6391ed175be53e3c5e884a94ffd51788a008538

  • SHA512

    df3256bd480ac979ab11d150e9ef28fbce3d82b82492bead078bea7e5bbd9ff4383d2dfcd5b78bccd64c9e41764ff0d3045402a67e5b2cabee4a9b11d896aebe

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY0Fi:hDXWipuE+K3/SSHgxm0Q

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9fde476b15ad9fe7da9a629f280ae8c.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2804
    • C:\Users\Admin\AppData\Local\Temp\DEM5E46.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5E46.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Users\Admin\AppData\Local\Temp\DEMB403.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMB403.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2500
        • C:\Users\Admin\AppData\Local\Temp\DEMBC4.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMBC4.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2184
          • C:\Users\Admin\AppData\Local\Temp\DEM621D.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM621D.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2860
            • C:\Users\Admin\AppData\Local\Temp\DEMB912.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMB912.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:428
              • C:\Users\Admin\AppData\Local\Temp\DEMF2D.exe
                "C:\Users\Admin\AppData\Local\Temp\DEMF2D.exe"
                7⤵
                • Executes dropped EXE
                PID:2620

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEMB403.exe

    Filesize

    16KB

    MD5

    037adf4b6cc48064230c6f891b6f9c19

    SHA1

    865b9955fe4c83eb75779400c95c9e770d526a98

    SHA256

    1d6ed390305f7666455cfc43ff312db736e7077ed2c3eb19e90eb8cca45bb559

    SHA512

    d38722d5d1c0e36ac0f86cc83f63988a28dea1e4145f71b8d48b11b3a06d8192c74d2dd8355d728063e0df57c86d6bb4cc82d31588543387830c0289faa2139c

  • C:\Users\Admin\AppData\Local\Temp\DEMB912.exe

    Filesize

    16KB

    MD5

    fc838cb300a3cd2531c4f9a0a96d467c

    SHA1

    dcd66a97d77533ad02e98196fc69b70cd423bfdc

    SHA256

    8e9423adfa049bd5ccbedd798d88f53142cf51aa9b5592cebf2fb365034dd80d

    SHA512

    200acee2e07d50b45b2e637f8de64aed49e20d4345eaeac744013fba8cd74ea504b7f759c9c50f5330d891a804cf3d05736fb60d8e702547061c331e5d6a3228

  • \Users\Admin\AppData\Local\Temp\DEM5E46.exe

    Filesize

    16KB

    MD5

    08b2359ade3736a22760fd91a361e11d

    SHA1

    6c9ecd8780585b27460d0b3b0080fd24dfa07ba6

    SHA256

    74b1f35ab5f06f51aa5b5ad19cc56466353566d908dcd2b3089bc53d369d70f9

    SHA512

    1e0e68fe7542bf32c3971a9bbb70052d1d76aaed888fb90b7a311ead42a8ff7847ba4b2e1a9f5e70cf5d238302fbff87bfe88142936ddfee47c0fe6fb923503c

  • \Users\Admin\AppData\Local\Temp\DEM621D.exe

    Filesize

    16KB

    MD5

    bdb87000309515ef1447ef787bfe16c2

    SHA1

    77ca59f410002245bb926d2fa1672894b2cc3f3d

    SHA256

    8fc91d2031054b91bc915991bb078524fe2c6e956051d3321caf9a277d1f0253

    SHA512

    7ca1ea68a990e7744fe39f67e1563b36c3df67aa6a22c5559f3684c9994b041488cc0afcbbd21d1e62b24ced76c54b0868b4959b775b3375c82c19a81dbb2b04

  • \Users\Admin\AppData\Local\Temp\DEMBC4.exe

    Filesize

    16KB

    MD5

    075212934bec5e82f8c0577df909853d

    SHA1

    81af10b7e31340bc01a9bd01813731eb8a53d362

    SHA256

    a636dbe25bdaf9de6a184a884ba1b10f8fb8f0bd5db9704dfbca10ee908f8f3f

    SHA512

    bb4402cb272ecada9208236ba392b821f454b914f3346a7499b2e8843d2cb76dab65fc5a466488ad4afe1d5583559e7867daa85ac5929bc2c7aae75ef60ee3cd

  • \Users\Admin\AppData\Local\Temp\DEMF2D.exe

    Filesize

    16KB

    MD5

    f3315d8993c75cfd87322cea196f05a5

    SHA1

    26a76e29c93a734debc2eb354a07c702a91a9971

    SHA256

    069150c23bd6a66de29962877864b4674a09ab6fafebf78648c770cdae468af2

    SHA512

    8ce68049f5f77f688ae3d80feb13eb10a96a97b100bf5ae5b6063707c69e4109dc15b9a2797b7a9c4b3db4b78020fcf34559dbee54d1fcb468d6476a418994e6