Analysis

max time kernel: 151s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/04/2024, 14:40
Static task: static1

Behavioral task: behavioral1
  Sample: eda8b5f3e378fe847e0580e205eb33fd_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: eda8b5f3e378fe847e0580e205eb33fd_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General

Target: eda8b5f3e378fe847e0580e205eb33fd_JaffaCakes118.exe
Size: 256KB
MD5: eda8b5f3e378fe847e0580e205eb33fd
SHA1: f833ebe6a1e3bf312fc1ac1974115d2d49ca9490
SHA256: 46f7f4ef8cace4c42fd6659c5a735a7dde4f13cc7494ca17e2a9f3e96208c9a1
SHA512: 77e9cea8d7bd13de670a5009e00ff2e0097a069a70921986abee671f5298532f734ee33c7293a04db7ab2578c90264e7b60de4bbe76dfd08b1d0db8f1fd7532a
SSDEEP: 3072:x0bfWRrIMNRlZ62Pal2LBJXmzOHm5WZ3K+MCBOQ39cOaRr5ZGPVB:xWepp3PJXCOGY3egOQ39cC
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | eda8b5f3e378fe847e0580e205eb33fd_JaffaCakes118.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | myred.exe |
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | eda8b5f3e378fe847e0580e205eb33fd_JaffaCakes118.exe |
Executes dropped EXE (1 IoCs)

| pid | Process |
|---|---|
| 2832 | myred.exe |
Adds Run key to start application (2 TTPs, 27 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /l" | myred.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /s" | myred.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /a" | myred.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /q" | myred.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /d" | myred.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /k" | myred.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /n" | myred.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /e" | myred.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /w" | myred.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /t" | myred.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /h" | myred.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /f" | myred.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /p" | myred.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /m" | myred.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /c" | myred.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /j" | myred.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /o" | myred.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /r" | myred.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /v" | myred.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /g" | myred.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /i" | myred.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /x" | myred.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /b" | myred.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /y" | myred.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /u" | myred.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /w" | eda8b5f3e378fe847e0580e205eb33fd_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myred = "C:\\Users\\Admin\\myred.exe /z" | myred.exe |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)

| pid | Process | occurrences |
|---|---|---|
| 2032 | eda8b5f3e378fe847e0580e205eb33fd_JaffaCakes118.exe | 2 |
| 2832 | myred.exe | 62 |
Suspicious use of SetWindowsHookEx (2 IoCs)

| pid | Process |
|---|---|
| 2032 | eda8b5f3e378fe847e0580e205eb33fd_JaffaCakes118.exe |
| 2832 | myred.exe |
Suspicious use of WriteProcessMemory (3 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2032 wrote to memory of 2832 | 2032 | eda8b5f3e378fe847e0580e205eb33fd_JaffaCakes118.exe | 89 |
| PID 2032 wrote to memory of 2832 | 2032 | eda8b5f3e378fe847e0580e205eb33fd_JaffaCakes118.exe | 89 |
| PID 2032 wrote to memory of 2832 | 2032 | eda8b5f3e378fe847e0580e205eb33fd_JaffaCakes118.exe | 89 |
Processes

1. C:\Users\Admin\AppData\Local\Temp\eda8b5f3e378fe847e0580e205eb33fd_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\eda8b5f3e378fe847e0580e205eb33fd_JaffaCakes118.exe"
   PID: 2032
   - Modifies visibility of hidden/system files in Explorer
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\myred.exe (child of PID 2032)
      Command line: "C:\Users\Admin\myred.exe"
      PID: 2832
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 256KB
MD5: fe499dc25b7a3c28a8f59c95b5c5f1db
SHA1: f0fc2d7c1b53b6be3209920d65d5eb491681b4b7
SHA256: 8e6b9d1e4ed743a378bb2c27ab18a39dc439ef52eceefbce4e9e9bf46dda0047
SHA512: ebd85c99f82d97f7c54780a9a8c48a3e3c965003d4650fa8f28a04bb42cfc723849d6e68913fc9c74c28ad6ca257eb84b06a62c06740b7d5b78914c29514b366