Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28/03/2024, 20:59
Static task: static1
Behavioral task: behavioral1
- Sample: 0fda62950a6def66ff9cd5f6bf0d373e_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 0fda62950a6def66ff9cd5f6bf0d373e_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: 0fda62950a6def66ff9cd5f6bf0d373e_JaffaCakes118.exe
- Size: 304KB
- MD5: 0fda62950a6def66ff9cd5f6bf0d373e
- SHA1: 0d42ede86b4a970c73ab7c8b5e43b2a3a9092221
- SHA256: f1cba3dadb1a6e49066b9e651612a0b46e13915809e74fdac3724fdb6d4f21c3
- SHA512: ebd2e4a43402e653c1e65b876b77cab341b63ea53b05f50c965721b1af5f3d4bbcc03540db511c2b0dbc08e60627439cd63dd526cfda4be620ce3b66a19020e5
- SSDEEP: 3072:hPGOaEaAaTG0kZSmA2I8xqc+3EMop2aEaLFra+7pvPSvBm9:S4Ab0oEylaRS2
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 0fda62950a6def66ff9cd5f6bf0d373e_JaffaCakes118.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | qeozais.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  1904 | qeozais.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  548 | 0fda62950a6def66ff9cd5f6bf0d373e_JaffaCakes118.exe
  548 | 0fda62950a6def66ff9cd5f6bf0d373e_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 27 IoCs)
  All 27 entries are Set value (str) writes to the same value name:
  \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeozais
  description | ioc (value data) | Process
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /u" | 0fda62950a6def66ff9cd5f6bf0d373e_JaffaCakes118.exe
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /h" | qeozais.exe
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /r" | qeozais.exe
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /w" | qeozais.exe
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /m" | qeozais.exe
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /c" | qeozais.exe
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /f" | qeozais.exe
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /v" | qeozais.exe
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /i" | qeozais.exe
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /n" | qeozais.exe
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /q" | qeozais.exe
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /p" | qeozais.exe
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /e" | qeozais.exe
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /o" | qeozais.exe
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /x" | qeozais.exe
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /u" | qeozais.exe
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /d" | qeozais.exe
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /a" | qeozais.exe
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /g" | qeozais.exe
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /s" | qeozais.exe
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /b" | qeozais.exe
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /y" | qeozais.exe
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /j" | qeozais.exe
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /z" | qeozais.exe
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /l" | qeozais.exe
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /t" | qeozais.exe
  Set value (str) | "C:\\Users\\Admin\\qeozais.exe /k" | qeozais.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  548 | 0fda62950a6def66ff9cd5f6bf0d373e_JaffaCakes118.exe
  1904 | qeozais.exe (this row is repeated for all remaining IoCs)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  548 | 0fda62950a6def66ff9cd5f6bf0d373e_JaffaCakes118.exe
  1904 | qeozais.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 548 wrote to memory of 1904 | 548 | 0fda62950a6def66ff9cd5f6bf0d373e_JaffaCakes118.exe | 28
  PID 548 wrote to memory of 1904 | 548 | 0fda62950a6def66ff9cd5f6bf0d373e_JaffaCakes118.exe | 28
  PID 548 wrote to memory of 1904 | 548 | 0fda62950a6def66ff9cd5f6bf0d373e_JaffaCakes118.exe | 28
  PID 548 wrote to memory of 1904 | 548 | 0fda62950a6def66ff9cd5f6bf0d373e_JaffaCakes118.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\0fda62950a6def66ff9cd5f6bf0d373e_JaffaCakes118.exe (PID 548)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0fda62950a6def66ff9cd5f6bf0d373e_JaffaCakes118.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\qeozais.exe (PID 1904)
    Command line: "C:\Users\Admin\qeozais.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 304KB
- MD5: 95257981e085e745d3284d6b9c48b585
- SHA1: b436cd183bdf5ca5a9b573329c8b1a87227d31bf
- SHA256: baab95722267e2d14a39252a3f0bc4348c00043cf01eb7e567bb85db643ce1cc
- SHA512: bceb58411aba0951140fc9c52ef3c5d29daaa44d26eac0a0bae77ed38a78be30403d9a79a4b5d4fd789580948bb8df1c0ae36df1446fcc81a588748a07739858