Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
17/04/2024, 12:58
Static task
static1
Behavioral task
behavioral1
Sample
f5d274a7491191e1a0180ec06a70c7bb_JaffaCakes118.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
f5d274a7491191e1a0180ec06a70c7bb_JaffaCakes118.exe
Resource
win10v2004-20240412-en
General
-
Target
f5d274a7491191e1a0180ec06a70c7bb_JaffaCakes118.exe
-
Size
216KB
-
MD5
f5d274a7491191e1a0180ec06a70c7bb
-
SHA1
d675406a2e63ba4b7a87e72024e575e0453f6324
-
SHA256
96e73eb087f1c27a05ad2fbd861b9fd4c73bd86dfda4215cf4344bd3d934d181
-
SHA512
f71f59e49d7a6c81aa0571d78432f97c35844872eb3c2c4cd89d4137b266d789d377f27c5c215c7bbc6fb2a416aebfb9e63f414c6acb2f924ce33c1ca3081610
-
SSDEEP
6144:CcX2DECtrkQ5zgMZUP15HcAgonAmKfwDVAQ:n41gMZUHcAgonAmZDV
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" beuade.exe -
Executes dropped EXE 1 IoCs
pid Process 2968 beuade.exe -
Loads dropped DLL 2 IoCs
pid Process 2316 f5d274a7491191e1a0180ec06a70c7bb_JaffaCakes118.exe 2316 f5d274a7491191e1a0180ec06a70c7bb_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 49 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /c" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /d" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /T" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /E" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /n" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /m" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /B" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /h" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /P" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /F" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /G" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /i" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /g" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /O" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /w" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /J" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /Z" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /z" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /u" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /q" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /Q" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /C" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /H" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /j" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /k" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /D" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /R" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /t" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /r" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /o" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /b" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /s" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /y" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /N" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /K" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /S" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /I" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /v" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /W" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /l" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /p" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /V" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /f" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /x" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /M" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /e" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /L" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /U" beuade.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\beuade = "C:\\Users\\Admin\\beuade.exe /X" beuade.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe 2968 beuade.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2316 f5d274a7491191e1a0180ec06a70c7bb_JaffaCakes118.exe 2968 beuade.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2316 wrote to memory of 2968 2316 f5d274a7491191e1a0180ec06a70c7bb_JaffaCakes118.exe 28 PID 2316 wrote to memory of 2968 2316 f5d274a7491191e1a0180ec06a70c7bb_JaffaCakes118.exe 28 PID 2316 wrote to memory of 2968 2316 f5d274a7491191e1a0180ec06a70c7bb_JaffaCakes118.exe 28 PID 2316 wrote to memory of 2968 2316 f5d274a7491191e1a0180ec06a70c7bb_JaffaCakes118.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\f5d274a7491191e1a0180ec06a70c7bb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f5d274a7491191e1a0180ec06a70c7bb_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Users\Admin\beuade.exe"C:\Users\Admin\beuade.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2968
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
216KB
MD54a706813728454521c02010c4be165ad
SHA19e409baedf8ec45292a8c6f16dc5e2c2a1e4d424
SHA25692c26b25e8386996dd18370f9fa8cd7f72b049a024e0bc74ffcc7b14df49bce5
SHA512d2b0d77d137966d789a8f81f5fd93c79ee7a4757449240d417eaa206abdd5aca7731a7f68ea093b39dd64d15fd68068e5b2b1803bdfab32050bff81de8c9a596