Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 27/06/2024, 23:22
Static task: static1
Behavioral task: behavioral1
  Sample: 17eb3bce064cfb844d164aa1d8c7daaa_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 17eb3bce064cfb844d164aa1d8c7daaa_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
The signatures and process tree on this page come from the windows7_x64 run (PIDs 1684 and 2144 belong to it); the Windows 10 task is a separate run.
General
Target: 17eb3bce064cfb844d164aa1d8c7daaa_JaffaCakes118.exe
Size: 88KB
MD5: 17eb3bce064cfb844d164aa1d8c7daaa
SHA1: 1c15176ff59566bb3302855398abec0696ba2b03
SHA256: 2385bd1cba79a627373c4fa98a8cff91d58d31bae77ee51293e91c68cf55602f
SHA512: 1c44662e95eaaa8dce869ee205745e002d04c92a0334bdb109e2058e2916c216b1ad3333a943e066c44613a54e7ec2b7d3c8d8d95fb1730633f44a7602707b6a
SSDEEP: 768:tt4celx1XGFE6oKmgSRl5HcJR0t20rdg8hUPjvY4dW4dsoeKpAdDY4BO0BCZc/UO:n3ev5GFk7RPnQpBeCZk9
Malware Config
(none extracted)

Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Process: liuapom.exe
  Set value (int): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  ShowSuperHidden = 0 is Explorer's "hide protected operating system files" setting, so a dropped file carrying the hidden and system attributes stays out of sight in Explorer.

Executes dropped EXE (1 IoC)
  PID 2144  liuapom.exe

Loads dropped DLL (2 IoCs)
  PID 1684  17eb3bce064cfb844d164aa1d8c7daaa_JaffaCakes118.exe (2 entries)

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: liuapom.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\liuapom = "C:\\Users\\Admin\\liuapom.exe"
  The value sits in the user's own hive (HKCU\...\Run), so this persistence needs no elevation; the target is the copy written under C:\Users\Admin.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2144  liuapom.exe (all 64 entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 1684  17eb3bce064cfb844d164aa1d8c7daaa_JaffaCakes118.exe
  PID 2144  liuapom.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description                       pid   Process                                             procid_target
  PID 1684 wrote to memory of 2144  1684  17eb3bce064cfb844d164aa1d8c7daaa_JaffaCakes118.exe  28  (4 entries)
  PID 2144 wrote to memory of 1684  2144  liuapom.exe                                         27  (60 entries)
  A parent writing into the child it has just started is the usual direction at process creation; the dropped copy (2144) writing back into its parent (1684) is the entry worth following up.
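A detection check for the two registry IoCs above, as an added example that is not part of the Triage report. It assumes the path and data format the report prints (value path rooted at \REGISTRY\USER\<SID>\ or \REGISTRY\MACHINE\, data quoted with doubled backslashes). The rule names, the ATT&CK technique IDs and the sample records are my own; the records are constructed to mirror the report, a second user SID and benign controls, and the rules are written for any user SID rather than only the one in this run.

```python
r"""Detection logic for the two registry IoCs listed under Signatures.

Added example, not code from the Triage report. Input records follow the
shape the report prints: value path rooted at \REGISTRY\USER\<SID>\ or
\REGISTRY\MACHINE\, data quoted and with doubled backslashes. Two rules:
  * Run/RunOnce value whose data points into a user profile
    (user-level persistence; ATT&CK T1547.001 is my mapping)
  * Explorer\Advanced\ShowSuperHidden set to 0, which re-hides
    protected operating-system files (T1564.001 is my mapping)
Rules are generalized to any user SID. SAMPLE_EVENTS is constructed to
mirror the report plus benign controls and a second user.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Triage prints the per-user hive as \REGISTRY\USER\<SID>\...; capture the SID
# so one rule covers every user, not only S-1-5-21-...-1000 from the report.
USER_HIVE_RE = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21-\d+-\d+-\d+-\d+)\\", re.I)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.I)
SUPER_HIDDEN_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden$",
    re.I)
# A Run target under a user profile (not Program Files / Windows) is the cheap
# signal for a self-copied dropper such as C:\Users\Admin\liuapom.exe.
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.I)


@dataclass(frozen=True)
class RegSetEvent:
    process: str     # image that set the value
    path: str        # full value path as printed by Triage
    value_type: str  # "int" or "str"
    data: str        # value data as printed (quoted, backslashes doubled)


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str
    process: str
    sid: Optional[str]  # None for \REGISTRY\MACHINE
    path: str
    data: str


def unescape_data(data: str) -> str:
    """Undo the quoting and backslash doubling in the printed value data."""
    return data.strip('"').replace("\\\\", "\\")


def user_sid(path: str) -> Optional[str]:
    m = USER_HIVE_RE.match(path)
    return m.group(1) if m else None


def detect(events: list) -> list:
    findings = []
    for ev in events:
        data = unescape_data(ev.data)
        sid = user_sid(ev.path)
        if ev.value_type == "str" and RUN_KEY_RE.search(ev.path):
            if USER_PROFILE_RE.match(data):
                findings.append(Finding("run_key_target_in_user_profile", "T1547.001",
                                        ev.process, sid, ev.path, data))
        elif ev.value_type == "int" and SUPER_HIDDEN_RE.search(ev.path) and data == "0":
            findings.append(Finding("show_super_hidden_disabled", "T1564.001",
                                    ev.process, sid, ev.path, data))
    return findings


REPORT_SID = r"\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000"
OTHER_SID = r"\REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001"  # made up
CV = r"\Software\Microsoft\Windows\CurrentVersion"

# Constructed records: the two report IoCs, the same persistence from another
# user, a machine-wide Run value, and two benign controls that must not fire.
SAMPLE_EVENTS = [
    RegSetEvent("liuapom.exe", REPORT_SID + CV + r"\Explorer\Advanced\ShowSuperHidden",
                "int", '"0"'),
    RegSetEvent("liuapom.exe", REPORT_SID + CV + r"\Run\liuapom",
                "str", '"C:\\\\Users\\\\Admin\\\\liuapom.exe"'),
    RegSetEvent("svchost.exe", OTHER_SID + CV + r"\RunOnce\upd",
                "str", '"C:\\\\Users\\\\bob\\\\AppData\\\\Roaming\\\\upd.exe"'),
    RegSetEvent("setup.exe", r"\REGISTRY\MACHINE" + CV + r"\Run\Agent",
                "str", '"C:\\\\Program Files\\\\Vendor\\\\agent.exe"'),
    RegSetEvent("explorer.exe", REPORT_SID + CV + r"\Explorer\Advanced\ShowSuperHidden",
                "int", '"1"'),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:32} {f.technique} {f.process:14} sid={f.sid} -> {f.data}")
```

Run against SAMPLE_EVENTS it reports three findings (the two report IoCs and the second user's RunOnce entry) and stays silent on the Program Files target and on ShowSuperHidden being set back to 1. Feeding it real Sysmon Event ID 13 records only needs a small adapter that maps TargetObject and Details onto RegSetEvent.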
Processes

1. C:\Users\Admin\AppData\Local\Temp\17eb3bce064cfb844d164aa1d8c7daaa_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\17eb3bce064cfb844d164aa1d8c7daaa_JaffaCakes118.exe"
   PID: 1684
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\liuapom.exe (child of PID 1684)
      Command line: "C:\Users\Admin\liuapom.exe"
      PID: 2144
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
Network
(no network entries are shown for this run)

MITRE ATT&CK Enterprise v15
(the technique mapping is not rendered on this page; the two TTP-tagged signatures above are Run-key persistence and hiding protected files in Explorer)
Downloads
Filesize: 88KB
MD5: 7a03893ba79d92c6600a0f0d005d152e
SHA1: c74a25e0d49af44ac4c02e419967d8561844c821
SHA256: 88878d4c29dd37ea937df93e6e8f535281a2440d6cc8d941c4ec28153018cfdb
SHA512: 5555de485c96a29731448befb77039d757eaf99f969276ed82ce16848dc0d2f9d5d024a6132b8097c903f141f679f114bd973757bb94fc38ff06a1fd1da01e57
Same size as the submitted sample (88KB) but with different hashes, so it is not a byte-identical copy of it; pivot on these hashes separately from the sample's.