Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
submitted: 23/07/2024, 10:57
Static task: static1
Behavioral task: behavioral1
  Sample: 674c9c3ab659c4eead1f503ae186f0ad_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 674c9c3ab659c4eead1f503ae186f0ad_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 674c9c3ab659c4eead1f503ae186f0ad_JaffaCakes118.exe
Size: 148KB
MD5: 674c9c3ab659c4eead1f503ae186f0ad
SHA1: 9ab5881b142d73709318f1fd5fcc1ada88f4ee82
SHA256: 242749bb831e7f859b93bbe902fcb91ffb04a8db97a210d54a9bd8f1174036a4
SHA512: 518d8cd9c06cb6157763a7cf95293283f28fc8216efe514409203148077b25eb462fd393b954ca667e82fee5ca31c59eb5a96165cf531c7aa3040b01328d54d9
SSDEEP: 3072:gdo+kgRs59j/pvkqBBac+RAGq1bg7Yfgst6OzOS79pgRZkhQJAOA29E5j4oQC6:OoBbj/pvkqBBac+RAGq1bZHtrzOS77kI
Malware Config

Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | sbtaew.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 674c9c3ab659c4eead1f503ae186f0ad_JaffaCakes118.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | 674c9c3ab659c4eead1f503ae186f0ad_JaffaCakes118.exe
Executes dropped EXE (1 IoCs)
pid | Process
620 | sbtaew.exe
Adds Run key to start application (2 TTPs, 53 IoCs)
All 53 entries are "Set value (str)" writes to the same key, \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sbtaew; each row lists the value data written and the writing process, in the order reported:
value data | Process
"C:\\Users\\Admin\\sbtaew.exe /N" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /k" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /W" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /v" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /o" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /r" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /t" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /J" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /m" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /z" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /D" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /u" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /B" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /K" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /Y" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /T" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /Q" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /h" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /G" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /l" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /A" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /O" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /I" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /j" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /U" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /s" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /P" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /M" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /a" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /E" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /e" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /c" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /F" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /L" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /X" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /y" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /f" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /w" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /d" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /g" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /x" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /S" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /q" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /H" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /n" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /p" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /Z" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /b" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /V" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /C" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /R" | sbtaew.exe
"C:\\Users\\Admin\\sbtaew.exe /N" | 674c9c3ab659c4eead1f503ae186f0ad_JaffaCakes118.exe
"C:\\Users\\Admin\\sbtaew.exe /i" | sbtaew.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4980 | 674c9c3ab659c4eead1f503ae186f0ad_JaffaCakes118.exe (2 entries)
620 | sbtaew.exe (remaining 62 entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
4980 | 674c9c3ab659c4eead1f503ae186f0ad_JaffaCakes118.exe
620 | sbtaew.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4980 wrote to memory of 620 | 4980 | 674c9c3ab659c4eead1f503ae186f0ad_JaffaCakes118.exe | 87
PID 4980 wrote to memory of 620 | 4980 | 674c9c3ab659c4eead1f503ae186f0ad_JaffaCakes118.exe | 87
PID 4980 wrote to memory of 620 | 4980 | 674c9c3ab659c4eead1f503ae186f0ad_JaffaCakes118.exe | 87
Processes
1. C:\Users\Admin\AppData\Local\Temp\674c9c3ab659c4eead1f503ae186f0ad_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\674c9c3ab659c4eead1f503ae186f0ad_JaffaCakes118.exe"
   PID: 4980
   - Modifies visibility of hidden/system files in Explorer
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\sbtaew.exe (child of PID 4980)
      Command line: "C:\Users\Admin\sbtaew.exe"
      PID: 620
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 148KB
MD5: 3bfc0288e92c537989fe531683dd9f70
SHA1: 69f1e0e444c28e7074f2650f6b58e8a8e1b7d43c
SHA256: b8d41eb9f7876118e4385c1a67e0f7c099f28680838f75d6428f4422edc4380a
SHA512: 152c47d3ed580c1521e172ffae2a04377c4beea3ea4613a5f627b5e94eb6c33afe0683b72c5f5cdf12f5d5d750ca4da11483e1c50e961a870227c4581d1b64a3