Analysis
- max time kernel: 149s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 20/04/2024, 02:42 UTC
Static task
- static1
Behavioral task
- behavioral1
  Sample: fbc04b72d274ae7cfd3cd69aadf389cf_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task
- behavioral2
  Sample: fbc04b72d274ae7cfd3cd69aadf389cf_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
- Target: fbc04b72d274ae7cfd3cd69aadf389cf_JaffaCakes118.exe
- Size: 196KB
- MD5: fbc04b72d274ae7cfd3cd69aadf389cf
- SHA1: 38f3109a6e1cb16e17b803a729a0d8f5e3e85ca3
- SHA256: e3cbf30449ff668ab7c9cbef820512132d25c44d8924108fae8c6b1cedc28349
- SHA512: c69a397d554c7f3f59070bf7c4379f75f8ca0d56c3a23d7bcd71b56e46f7ce59c28b76a55f0703c418f2a71c688032b8f8c58af5448af640dbe4167a334216d7
- SSDEEP: 6144:/WvnELXCb1CcReqYJqOaihDI/5Yz43qA0gA3Zgfx9c1dLJYkAeRBVF48tju1f8Lr:/knEuGhI/5Yz43qA0gA3Zgfx9c1dLJYU
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  process: meedea.exe
- Executes dropped EXE (1 IoC)
  pid 1300, process meedea.exe
- Loads dropped DLL (2 IoCs)
  pid 2416, process fbc04b72d274ae7cfd3cd69aadf389cf_JaffaCakes118.exe (2 entries)
- Adds Run key to start application (2 TTPs, 52 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\meedea = "C:\\Users\\Admin\\meedea.exe <switch>"
  process: meedea.exe
  The same Run value is written 52 times, once with each of the following switches, in this order:
  /P /u /t /i /K /R /V /G /k /W /p /H /J /U /h /L /y /w /o /D /b /Y /T /q /f /Z /d /S /j /I /e /z /c /M /A /v /N /E /X /m /Q /n /s /O /g /a /C /x /l /B /F /r
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1300, process meedea.exe (64 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2416, process fbc04b72d274ae7cfd3cd69aadf389cf_JaffaCakes118.exe
  pid 1300, process meedea.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2416 wrote to memory of 1300
  pid 2416, process fbc04b72d274ae7cfd3cd69aadf389cf_JaffaCakes118.exe, procid_target 28 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\fbc04b72d274ae7cfd3cd69aadf389cf_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fbc04b72d274ae7cfd3cd69aadf389cf_JaffaCakes118.exe"
  Depth: 1
  PID: 2416
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\meedea.exe
    Command line: "C:\Users\Admin\meedea.exe"
    Depth: 2
    PID: 1300
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
- Remote address: 8.8.8.8:53
  Request: ns1.player1532.com IN A
  Response: ns1.player1532.com IN A 107.178.223.183
            ns1.player1532.com IN A 104.155.138.21
- Remote address: 8.8.8.8:53
  Request: ns1.player1532.com IN A
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 196KB
  MD5: c989e4fbe437c07b84e69bd557acce03
  SHA1: 97a414a13d0835fdbf8197c0ad13f260385339f8
  SHA256: ed8d7ec177f5da9c2f737e1f0513041ae77bdfa81c27845b4c80eafe45ba00ae
  SHA512: 373b06f54de0a9f1626e56bfb0f605f2d22558fe716b9dc364b823474370543b08abb20ded552dcf16520595f36568c09fa79f6ce0a5f03f71acf7c11b2fb4bc