Analysis

  • max time kernel
    133s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/01/2025, 06:51

General

  • Target
    JaffaCakes118_fa06181159d36bbedacb464b849b0ec3.exe
  • Size
    16KB
  • MD5
    fa06181159d36bbedacb464b849b0ec3
  • SHA1
    354576fec1117a68d02ce8527374d81c1ccb419a
  • SHA256
    78fa00ae23d5774f63fe6c1d551784a4315e1cafc5819d8720166672582fbb2f
  • SHA512
    10f861b83d85fd7553580601bd4d1e9f73fb97058a6891a9825ef9da80c3b6d61127bd4ac256c6b904772eb86fefd27d82619fa9d74b0553653830e1ac3ca5c6
  • SSDEEP
    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYl0rJHPSU9:hDXWipuE+K3/SSHgxmlOJH7

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 6 IoCs)
    Looks up the country code configured in the registry, likely for geofencing.
  • Executes dropped EXE (6 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa06181159d36bbedacb464b849b0ec3.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa06181159d36bbedacb464b849b0ec3.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Users\Admin\AppData\Local\Temp\DEMCC97.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCC97.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1644
      • C:\Users\Admin\AppData\Local\Temp\DEM2362.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM2362.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3540
        • C:\Users\Admin\AppData\Local\Temp\DEM79AF.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM79AF.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3036
          • C:\Users\Admin\AppData\Local\Temp\DEMD05B.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMD05B.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4212
            • C:\Users\Admin\AppData\Local\Temp\DEM26E7.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM26E7.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3596
              • C:\Users\Admin\AppData\Local\Temp\DEM7CC7.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM7CC7.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:4044

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM2362.exe
    Filesize: 16KB
    MD5: 07b7c3330cb7aa401fbaf4b0a4bc21ca
    SHA1: 1d05d27363389f50f95efdd78c159a8632c1df38
    SHA256: 73f51a010ad59fcd39c1ab68b666525151c01940556342335a0aa3032dfcb5ac
    SHA512: b6e42c931c6c5637e4e94d9b8c9104f13205bae7629bc9d884e414c5ff023b6e966c7cfa41c342bd2f7df64d2afb79a588b014c95315e851f1d38081e90fa52d
  • C:\Users\Admin\AppData\Local\Temp\DEM26E7.exe
    Filesize: 16KB
    MD5: a15934d551f59ef2d4c320ae6a7bfb74
    SHA1: 90120fd6be9527322f0a22ffd4575edb562f44a5
    SHA256: deb8ea2fb7d41bd14090caf1c18765cc7447f7c9429c18aa6401a7d12cdd5aa7
    SHA512: 53f5a308af1a4ec4118bf448c27cab6e1cb7ddee999758a1dc2373234817f0dbd9e41223afd5c7950a4c1d3aab908433a4e56d16a04947e4dde29e646a3fe7fb
  • C:\Users\Admin\AppData\Local\Temp\DEM79AF.exe
    Filesize: 16KB
    MD5: 87aefd5aab40264678fcb6c2c296b468
    SHA1: 087c317575099771ff9fe3f042b3db02b9c9c933
    SHA256: 23d7a9c6eaaeb97417957fbc98c8ace677f30573470f7395645a7f3b9914c3ca
    SHA512: 53c6a1046ac487f2a542614b9f9e3bf800f81abf9f0cf7545cb8a7962b448f55cf91c145dfaff8a5b1ff18181cea330ccbc3c1e8db9427b46c43ec1d80909da3
  • C:\Users\Admin\AppData\Local\Temp\DEM7CC7.exe
    Filesize: 16KB
    MD5: 755b05b263f8b79bb536a67b48aaa2ae
    SHA1: dd0befee00280ac1635dd909fc4615f1989e10b9
    SHA256: 4061806e2aec2977466757aea3528fafb7ffd82d486bf94c8ee4e7543cad667f
    SHA512: 51dd38e088eb3fdd323bca048b1cfd6c4972ccc06072fbae6fa78ccdf058a9efc22dbb6bfad757d3657eb0833be49bb70647fef428650f044fa68941ec5aaa56
  • C:\Users\Admin\AppData\Local\Temp\DEMCC97.exe
    Filesize: 16KB
    MD5: 8ad78815327a3b779c4b45c9191e1c20
    SHA1: 0e915bc0d9c9572e7f967eaa0854d33afc776016
    SHA256: a04a62cb2dc42c4372fc5f5909d1180165b64a683ed1fd52d81666e2bc74a598
    SHA512: 04ef9d5a7ee19c14ee5c164c4fcf0bab4f2705acf03f7e45ab0ddb545e28df21e7735c61da93a53d95406f3981198c784bd23c793613c7cac9a069557e1ad9a1
  • C:\Users\Admin\AppData\Local\Temp\DEMD05B.exe
    Filesize: 16KB
    MD5: 4eb03bdba5dd569d2568c3a250d10bd6
    SHA1: 50e8a7364a2dc6473f90261e48f2d3fa2db431ea
    SHA256: 248a626e35d4f7ba806e8a01d60dc4f4c0356a3f8758431a4efeaa5085551ba0
    SHA512: 06ac5b72c28e57c29cd8daac49acc6ff4e233665dc8d0dd749e27e850c00604948b547bd53478110fdcd8ab44996ff7490cf8aa136ef4d8c9f2cc1a5ad047d7d