Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07/04/2024, 23:22
Static task: static1
Behavioral task: behavioral1
  Sample: e619c0199a77559eadae1249d97bde3e_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e619c0199a77559eadae1249d97bde3e_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
The signatures, process tree and download listed on this page come from the behavioral1 run (platform windows7_x64, resource win7-20240221-en); the Windows 10 run (behavioral2) is only referenced here.
General
Target: e619c0199a77559eadae1249d97bde3e_JaffaCakes118.exe
Size: 396KB
MD5: e619c0199a77559eadae1249d97bde3e
SHA1: 12556d97f08609fdf059ca1e50aeb939ccf07465
SHA256: e1be2c86ac30e33bccdf62c83d3aec2ddedaa09402a9ddf609bfd17eae68f232
SHA512: fa09f5540e2a3b3b4a4b32e5db1d2a3eafc027122d87276cc4b679b01db208ba31a1831414ba200965856c8f20a524c11f3298e1a2ed797dd2df8a1c02719e95
SSDEEP: 6144:rjwm6qra/lBzFWYSTnEiEcVc2vKx7TCNVq1i4Upx0DKHE2ViGudrpRf3WO/fwApT:r8m6Wa/TpWYSTnEg/vGgEKHFgGudrpX
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  (process: ldcioy.exe)
  ShowSuperHidden controls the Explorer option "Hide protected operating system files"; forcing it to 0 keeps files carrying the hidden+system attributes out of Explorer listings even if the user has enabled "show hidden files", which is a common way for a dropped payload to stay out of sight. The write goes to the analysis user's hive (\REGISTRY\USER\<SID> is HKU\<SID>, i.e. HKCU for the Admin user running the sample), so no elevation is needed.
Executes dropped EXE (1 IoC)
  PID 2992  ldcioy.exe
Loads dropped DLL (2 IoCs)
  PID 3012  e619c0199a77559eadae1249d97bde3e_JaffaCakes118.exe
  PID 3012  e619c0199a77559eadae1249d97bde3e_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 52 IoCs)
All 52 entries are writes by ldcioy.exe to the same value in the analysis user's hive:
  Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /<switch>"  (process: ldcioy.exe)
The data differs only in a single-letter switch after the image path. In the order the report lists them:
  /N /w /U /Q /l /c /e /O /j /V /i /m /r /p /C /q /Y /g /n /P /b /W /G /y /t /R /Z /D /a /E /F /d /A /k /x /u /h /s /M /I /X /B /H /f /K /v /S /J /L /z /o /T
Those 52 switches are exactly the 26 upper-case and 26 lower-case ASCII letters, each used once, so the sample rewrites one autorun value 52 times rather than creating 52 autoruns; the last write listed leaves the value at "C:\\Users\\Admin\\ldcioy.exe /T". The persistence is per-user (HKCU Run, no elevation required) and points at an executable dropped directly in the profile root, C:\Users\Admin\ldcioy.exe, rather than under AppData or Program Files, which is a useful hunting criterion on its own. Note also that the dropped copy is started by the parent without any switch (see the process tree below), while the autorun always relaunches it with one.
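The following is an added example, not code from tria.ge or from the sample's authors, showing how to turn the flattened "Set value (str) ... = "..." process" entries above into structured indicators and check the observation that the 52 writes hit a single Run value with every ASCII letter as a switch. The SID and the switch order are transcribed from the report; the entries are rebuilt from them inline (constructed input), and the function names, the hive abbreviations and the "profile-root .exe with a lone single-letter switch" heuristic are this example's own choices.

```python
"""Parse flattened tria.ge-style registry IoC entries and summarise autorun persistence."""
import re
import string

# The 52 single-letter switches in the order the report lists them (transcribed from the page).
REPORTED_SWITCHES = "NwUQlceOjVimrpCqYgnPbWGytRZDaEFdAkxuhsMIXBHfKvSJLzoT"
SID = "S-1-5-21-330940541-141609230-1670313778-1000"
RUN_KEY = r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy" % SID


def build_report_text(switches=REPORTED_SWITCHES):
    """Constructed input: rebuild the report's flattened IoC text, one entry per switch,
    keeping the doubled backslashes the page uses inside the quoted data."""
    return " ".join(
        'Set value (str) %s = "C:\\\\Users\\\\Admin\\\\ldcioy.exe /%s" ldcioy.exe' % (RUN_KEY, s)
        for s in switches
    )


# One entry: Set value (<type>) <native registry path> = "<data>" <writing process>
ENTRY_RE = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\[^ ]+) = "(?P<data>[^"]*)" (?P<proc>\S+)'
)
HIVE_MAP = {r"\REGISTRY\USER": "HKU", r"\REGISTRY\MACHINE": "HKLM"}  # native prefix -> short hive name


def normalize_key(path):
    """Map the kernel-style \\REGISTRY\\... prefix onto the HKU/HKLM names analysts use."""
    for native, short in HIVE_MAP.items():
        if path.upper().startswith(native.upper()):
            return short + path[len(native):]
    return path


def parse_registry_iocs(text):
    """Return one dict per 'Set value' entry: type, key, value name, unescaped data, writer."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        key, _, value_name = normalize_key(m.group("path")).rpartition("\\")
        data = m.group("data").replace("\\\\", "\\")  # undo the report's JSON-style escaping
        entries.append({"type": m.group("type"), "key": key, "value": value_name,
                        "data": data, "process": m.group("proc")})
    return entries


# Split "<drive>:\...\name.exe [args]" into image path and argument string.
CMD_RE = re.compile(r'^"?(?P<image>[A-Za-z]:\\[^"]*?\.exe)"?(?:\s+(?P<args>.*))?$', re.I)
PROFILE_ROOT_EXE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.I)
SINGLE_LETTER_SWITCH = re.compile(r"^/[A-Za-z]$")


def split_command(data):
    m = CMD_RE.match(data.strip())
    if not m:
        return data, ""
    return m.group("image"), (m.group("args") or "")


def is_suspicious_autorun(data):
    """Heuristic (this example's own): an autorun whose image sits directly in a user's
    profile root and is launched with a lone single-letter switch, as in this report."""
    image, args = split_command(data)
    return bool(PROFILE_ROOT_EXE.match(image) and SINGLE_LETTER_SWITCH.match(args))


def summarize_run_key(entries):
    """Collapse all writes to ...\\CurrentVersion\\Run into a single indicator summary."""
    run = [e for e in entries if e["key"].lower().endswith(r"\currentversion\run")]
    switches = [split_command(e["data"])[1].lstrip("/") for e in run]
    return {
        "writes": len(run),
        "keys": sorted({e["key"] + "\\" + e["value"] for e in run}),
        "images": sorted({split_command(e["data"])[0] for e in run}),
        "writers": sorted({e["process"] for e in run}),
        "switches": switches,
        "covers_all_letters": set(switches) == set(string.ascii_letters),
        "last_written": run[-1]["data"] if run else None,
        "suspicious": bool(run) and all(is_suspicious_autorun(e["data"]) for e in run),
    }


if __name__ == "__main__":
    summary = summarize_run_key(parse_registry_iocs(build_report_text()))
    for name, value in summary.items():
        print(name, ":", "".join(value) if name == "switches" else value)
```

Run it as-is and the summary reports 52 writes, one key, one image, one writer and covers_all_letters True; feed it the "Set value" text of another report (the regex accepts HKLM paths and other value types too) to get the same per-key collapse.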
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  All 64 entries are PID 2992, ldcioy.exe.
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 3012  e619c0199a77559eadae1249d97bde3e_JaffaCakes118.exe
  PID 2992  ldcioy.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 3012 (e619c0199a77559eadae1249d97bde3e_JaffaCakes118.exe) wrote to memory of PID 2992 (ldcioy.exe), procid_target 28; the same write is recorded four times.
  All four writes go from the parent into the child it has just started (see the process tree below), and the child still runs as its own image from disk, so this signature on its own does not establish injection; procid_target 28 is the report's own index for the target process, not a Windows PID.
Processes
C:\Users\Admin\AppData\Local\Temp\e619c0199a77559eadae1249d97bde3e_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e619c0199a77559eadae1249d97bde3e_JaffaCakes118.exe"  (level 1, PID 3012)
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\ldcioy.exe
    command line: "C:\Users\Admin\ldcioy.exe"  (level 2, PID 2992, child of 3012)
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
The submitted sample runs from the user's Temp directory, drops ldcioy.exe into the profile root and starts it without arguments; the child then performs the registry changes listed above.
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 396KB
MD5: 4cf75fe02833e2a2119af67bf03d0960
SHA1: b6f83af3e6696372215c2a4a488fba8f17ca2f3e
SHA256: fda85b187f71a1203e55ff340d669813582b1f7a353ebb73f2bf0dc26534946c
SHA512: 5e1be501ea3b9518716e25f9a69a49211575ca3bc5df30e18962ef5609f8e0bc5396a6cc01620ed91e4fdd361763a72c3ef175175547c1e21acbc658068a2637
The page does not name this file. It is the same size as the submitted sample (396KB) but every hash differs, so it is a distinct artefact collected during the run, not a copy of the submission.