Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 29/03/2024, 14:16
Static task: static1
Behavioral task: behavioral1
  Sample: 24310e18df24dce9dd757dd643b17398_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 24310e18df24dce9dd757dd643b17398_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 24310e18df24dce9dd757dd643b17398_JaffaCakes118.exe
Size: 72KB
MD5: 24310e18df24dce9dd757dd643b17398
SHA1: 3e751af035730133afbe938d1048b5997e19330f
SHA256: 069bfaa0ce8344b1a11979bce00f3f1ae933102684ff89c62f5f7eb6e27e11fc
SHA512: 0f54d8424edef58e1f984269dc1b2506f56d98db1ae4bd0dc5d2f46b51410ca49234fdea4d8687079f54dec461204d6b0beb6b7b5e3b9163dde56b2c0dc0b3da
SSDEEP: 768:j/aw1owYOWJOaogydP+XfLDvlexvluI9Oty/N/X+YVhP5itZfP6v+XyjC:raw1owcxfHIxvluiEmNfP8Sv+6C
Malware Config
Signatures
Modifies visiblity of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  process: ceoduus.exe
Executes dropped EXE (1 IoC)
  pid 1452, process ceoduus.exe
Loads dropped DLL (2 IoCs)
  pid 1228, process 24310e18df24dce9dd757dd643b17398_JaffaCakes118.exe (2 entries)
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceoduus = "C:\\Users\\Admin\\ceoduus.exe"
  process: ceoduus.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1452, process ceoduus.exe (the same entry repeated 64 times)
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1228, process 24310e18df24dce9dd757dd643b17398_JaffaCakes118.exe
  pid 1452, process ceoduus.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description: PID 1228 wrote to memory of 1452; pid 1228, process 24310e18df24dce9dd757dd643b17398_JaffaCakes118.exe, procid_target 28 (4 entries)
  description: PID 1452 wrote to memory of 1228; pid 1452, process ceoduus.exe, procid_target 27 (the remaining 60 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\24310e18df24dce9dd757dd643b17398_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\24310e18df24dce9dd757dd643b17398_JaffaCakes118.exe"
  PID: 1228
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\ceoduus.exe
    command line: "C:\Users\Admin\ceoduus.exe"
    PID: 1452
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 72KB
MD5: 1beaab250012673e2da9793c1cd8ee47
SHA1: ab490d9a957d7c79fc912bca45af5b7309d81132
SHA256: 03a006057faadae94596d6e340ffe1f6897f44296349cd05ed1de3eba87c838d
SHA512: 7df372f73b700130a0749a68535ca216a306c413c4eb9a744d7f06fd68dbb2de56eff12c2ccf931b3332b3051ced459bc5b70a835cbcbfd3ea08a428b32bd2c6