Analysis

max time kernel: 133s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/01/2025, 06:51
Static task: static1

Behavioral task: behavioral1
  Sample: JaffaCakes118_fa06181159d36bbedacb464b849b0ec3.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: JaffaCakes118_fa06181159d36bbedacb464b849b0ec3.exe
  Resource: win10v2004-20241007-en
General

Target: JaffaCakes118_fa06181159d36bbedacb464b849b0ec3.exe
Size: 16KB
MD5: fa06181159d36bbedacb464b849b0ec3
SHA1: 354576fec1117a68d02ce8527374d81c1ccb419a
SHA256: 78fa00ae23d5774f63fe6c1d551784a4315e1cafc5819d8720166672582fbb2f
SHA512: 10f861b83d85fd7553580601bd4d1e9f73fb97058a6891a9825ef9da80c3b6d61127bd4ac256c6b904772eb86fefd27d82619fa9d74b0553653830e1ac3ca5c6
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYl0rJHPSU9:hDXWipuE+K3/SSHgxmlOJH7
Malware Config
Signatures

Checks computer location settings (2 TTPs, 6 IoCs)
Looks up country code configured in the registry, likely geofence.

description       | ioc                                                                                                          | Process
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | DEM26E7.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | JaffaCakes118_fa06181159d36bbedacb464b849b0ec3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | DEMCC97.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | DEM2362.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | DEM79AF.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | DEMD05B.exe
Executes dropped EXE (6 IoCs)

pid  | Process
1644 | DEMCC97.exe
3540 | DEM2362.exe
3036 | DEM79AF.exe
4212 | DEMD05B.exe
3596 | DEM26E7.exe
4044 | DEM7CC7.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc                                                       | Process
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEMCC97.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM2362.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM79AF.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEMD05B.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM26E7.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM7CC7.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_fa06181159d36bbedacb464b849b0ec3.exe
Suspicious use of WriteProcessMemory (18 IoCs)

description                       | pid  | Process                                            | procid_target
PID 1500 wrote to memory of 1644  | 1500 | JaffaCakes118_fa06181159d36bbedacb464b849b0ec3.exe | 96
PID 1500 wrote to memory of 1644  | 1500 | JaffaCakes118_fa06181159d36bbedacb464b849b0ec3.exe | 96
PID 1500 wrote to memory of 1644  | 1500 | JaffaCakes118_fa06181159d36bbedacb464b849b0ec3.exe | 96
PID 1644 wrote to memory of 3540  | 1644 | DEMCC97.exe                                        | 101
PID 1644 wrote to memory of 3540  | 1644 | DEMCC97.exe                                        | 101
PID 1644 wrote to memory of 3540  | 1644 | DEMCC97.exe                                        | 101
PID 3540 wrote to memory of 3036  | 3540 | DEM2362.exe                                        | 104
PID 3540 wrote to memory of 3036  | 3540 | DEM2362.exe                                        | 104
PID 3540 wrote to memory of 3036  | 3540 | DEM2362.exe                                        | 104
PID 3036 wrote to memory of 4212  | 3036 | DEM79AF.exe                                        | 106
PID 3036 wrote to memory of 4212  | 3036 | DEM79AF.exe                                        | 106
PID 3036 wrote to memory of 4212  | 3036 | DEM79AF.exe                                        | 106
PID 4212 wrote to memory of 3596  | 4212 | DEMD05B.exe                                        | 108
PID 4212 wrote to memory of 3596  | 4212 | DEMD05B.exe                                        | 108
PID 4212 wrote to memory of 3596  | 4212 | DEMD05B.exe                                        | 108
PID 3596 wrote to memory of 4044  | 3596 | DEM26E7.exe                                        | 111
PID 3596 wrote to memory of 4044  | 3596 | DEM26E7.exe                                        | 111
PID 3596 wrote to memory of 4044  | 3596 | DEM26E7.exe                                        | 111
Processes

[level 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa06181159d36bbedacb464b849b0ec3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa06181159d36bbedacb464b849b0ec3.exe"
  PID: 1500
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  [level 2] C:\Users\Admin\AppData\Local\Temp\DEMCC97.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DEMCC97.exe"
    PID: 1644
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [level 3] C:\Users\Admin\AppData\Local\Temp\DEM2362.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DEM2362.exe"
      PID: 3540
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      [level 4] C:\Users\Admin\AppData\Local\Temp\DEM79AF.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\DEM79AF.exe"
        PID: 3036
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [level 5] C:\Users\Admin\AppData\Local\Temp\DEMD05B.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\DEMD05B.exe"
          PID: 4212
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          [level 6] C:\Users\Admin\AppData\Local\Temp\DEM26E7.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\DEM26E7.exe"
            PID: 3596
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [level 7] C:\Users\Admin\AppData\Local\Temp\DEM7CC7.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\DEM7CC7.exe"
              PID: 4044
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads