Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
10/08/2024, 21:13 UTC
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
87b21458c2bf93ff2df92b3abca3b74b_JaffaCakes118.exe
Resource
win7-20240705-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
87b21458c2bf93ff2df92b3abca3b74b_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
87b21458c2bf93ff2df92b3abca3b74b_JaffaCakes118.exe
-
Size
288KB
-
MD5
87b21458c2bf93ff2df92b3abca3b74b
-
SHA1
c45872d0171b70d88f21ba904b3fe6ac77032e7c
-
SHA256
92190ba5d831a90130960adf8ba7c76e1ecdd57fc5907cfb54d9c44fe2912bcf
-
SHA512
b7feefbe7cac8510ca67feb70a6f8231e2297472f035a0c9de5727e04265863be8a5441d8ad9461f1f6b7df8c0bdb2dff68c2388536af2c10760e0bd77e11af0
-
SSDEEP
6144:w5c0f7XP+g3AGJpWVzuChYrgns+XuCKnvmb7/D263VAPL8R8FUjcWMHu9tmuE79x:Z27/XvLWpukogns+XuCKnvmb7/D263QF
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 87b21458c2bf93ff2df92b3abca3b74b_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" caada.exe -
Executes dropped EXE 1 IoCs
pid Process 2060 caada.exe -
Loads dropped DLL 2 IoCs
pid Process 948 87b21458c2bf93ff2df92b3abca3b74b_JaffaCakes118.exe 948 87b21458c2bf93ff2df92b3abca3b74b_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 52 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /R" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /N" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /b" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /k" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /M" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /x" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /t" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /J" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /a" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /A" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /z" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /P" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /H" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /X" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /r" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /B" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /h" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /n" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /O" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /V" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /m" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /j" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /l" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /d" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /Z" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /o" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /v" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /T" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /S" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /U" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /L" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /u" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /y" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /f" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /p" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /g" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /G" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /n" 87b21458c2bf93ff2df92b3abca3b74b_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /E" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /Q" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /D" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /C" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /I" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /w" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /Y" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /q" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /c" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /F" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /e" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /s" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /W" caada.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caada = "C:\\Users\\Admin\\caada.exe /K" caada.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language caada.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 87b21458c2bf93ff2df92b3abca3b74b_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 948 87b21458c2bf93ff2df92b3abca3b74b_JaffaCakes118.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe 2060 caada.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 948 87b21458c2bf93ff2df92b3abca3b74b_JaffaCakes118.exe 2060 caada.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 948 wrote to memory of 2060 948 87b21458c2bf93ff2df92b3abca3b74b_JaffaCakes118.exe 29 PID 948 wrote to memory of 2060 948 87b21458c2bf93ff2df92b3abca3b74b_JaffaCakes118.exe 29 PID 948 wrote to memory of 2060 948 87b21458c2bf93ff2df92b3abca3b74b_JaffaCakes118.exe 29 PID 948 wrote to memory of 2060 948 87b21458c2bf93ff2df92b3abca3b74b_JaffaCakes118.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\87b21458c2bf93ff2df92b3abca3b74b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\87b21458c2bf93ff2df92b3abca3b74b_JaffaCakes118.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Users\Admin\caada.exe"C:\Users\Admin\caada.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2060
-
Network
-
Remote address:8.8.8.8:53Requestns1.player1352.comIN AResponse
-
Remote address:8.8.8.8:53Requestns1.player1352.comIN A
-
Remote address:8.8.8.8:53Requestns1.player1352.netIN AResponsens1.player1352.netIN A107.178.223.183ns1.player1352.netIN A104.155.138.21
-
466 B 372 B 10 9
-
128 B 137 B 2 1
DNS Request
ns1.player1352.com
DNS Request
ns1.player1352.com
-
64 B 96 B 1 1
DNS Request
ns1.player1352.net
DNS Response
107.178.223.183104.155.138.21
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
288KB
MD5a158f5ec3864e47c4093b221fa8e1f11
SHA1a48f843c95077205cbb6e43cf83b16816a1d2391
SHA2567fa918c75a68a5991bb14dc46b519c42482f0117fb99e351de51cc29e2e4fc0c
SHA5122569fdc4e4cd7f490f67bda260f48be590cba3699e69397f2344b356915d9d769c1cf594322256045cfc96bc4b222d3b38684434ad2978d4c45e8de697646d3b