Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 143s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27/06/2024, 12:27
Static task: static1
Behavioral task: behavioral1
  Sample: 1601bab4a7dbdb4a48a8b34adca83f39_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1601bab4a7dbdb4a48a8b34adca83f39_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 1601bab4a7dbdb4a48a8b34adca83f39_JaffaCakes118.exe
Size: 88KB
MD5: 1601bab4a7dbdb4a48a8b34adca83f39
SHA1: b6224d1cab6ddb4342385ed4ddfa0fb23ba7c1c0
SHA256: 1f4ea461026d82220f6b51ff7a495318e54e91bc1944bc021f9f81ced8d7e128
SHA512: d62105c74c3a5dcd9f3940cff04e427da77df33cf35d3c7474dcb17565de4daf99b15d61546401e1d84f03017e44f77d05356e726424f38aac456e3489724d93
SSDEEP: 1536:QqyCRiRQBO5zjH2PfO/zNbup/EbUjtjZjgjWjpjy0UQh18bna:GCwRpPN0USaba
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description      ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  zitoh.exe
Executes dropped EXE (1 IoC)
pid   Process
2108  zitoh.exe
Loads dropped DLL (2 IoCs)
pid   Process
2420  1601bab4a7dbdb4a48a8b34adca83f39_JaffaCakes118.exe
2420  1601bab4a7dbdb4a48a8b34adca83f39_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 51 IoCs)
description      ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /p"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /c"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /s"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /x"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /Z"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /Q"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /E"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /n"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /a"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /v"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /j"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /m"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /A"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /z"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /R"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /W"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /K"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /f"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /J"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /N"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /b"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /M"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /I"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /F"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /g"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /C"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /X"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /Y"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /k"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /h"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /H"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /U"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /O"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /D"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /u"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /V"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /S"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /P"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /L"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /T"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /t"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /q"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /y"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /d"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /l"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /e"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /i"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /G"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /o"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /B"  zitoh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\zitoh = "C:\\Users\\Admin\\zitoh.exe /w"  zitoh.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs, all identical)
pid   Process
2108  zitoh.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid   Process
2420  1601bab4a7dbdb4a48a8b34adca83f39_JaffaCakes118.exe
2108  zitoh.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description                      pid   Process                                              procid_target
PID 2420 wrote to memory of 2108  2420  1601bab4a7dbdb4a48a8b34adca83f39_JaffaCakes118.exe  28
PID 2420 wrote to memory of 2108  2420  1601bab4a7dbdb4a48a8b34adca83f39_JaffaCakes118.exe  28
PID 2420 wrote to memory of 2108  2420  1601bab4a7dbdb4a48a8b34adca83f39_JaffaCakes118.exe  28
PID 2420 wrote to memory of 2108  2420  1601bab4a7dbdb4a48a8b34adca83f39_JaffaCakes118.exe  28
Processes
C:\Users\Admin\AppData\Local\Temp\1601bab4a7dbdb4a48a8b34adca83f39_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1601bab4a7dbdb4a48a8b34adca83f39_JaffaCakes118.exe"
  PID: 2420
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\zitoh.exe (child of PID 2420)
    Command line: "C:\Users\Admin\zitoh.exe"
    PID: 2108
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 88KB
MD5: c61bff3e0588cc306a468e7f2c38adae
SHA1: f168ba0f493d357e1d7e86bef153d4f6bc12e65a
SHA256: 6f99c3ff1140d3a626e76e3e3fa04209e500880243da2f544593421602e7cec4
SHA512: f2f129cb4b69b2e949914f46c2adcc8017b12b2bbdfb611ec284c5d6451ab0c31bd14dd0da516dd4bfde2492c14bf88d5d051306fa694e7a381e1a8fe091a212