Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 19/08/2024, 08:53
Static task: static1
Behavioral task: behavioral1
  Sample: aa5d35e8a06a26e1d765b14d98987b34_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: aa5d35e8a06a26e1d765b14d98987b34_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: aa5d35e8a06a26e1d765b14d98987b34_JaffaCakes118.exe
Size: 72KB
MD5: aa5d35e8a06a26e1d765b14d98987b34
SHA1: af0f50ae9757e6b02561ffe2ccdece94fd6c5382
SHA256: c08a4c5ebe21926616e2270067762689f88d6a1bc6662576272f075770c906f4
SHA512: e3cd02e2446e37ed89e7e20092863c5029709921b758d711bf65d0f4bb95d766894d56b989cda3fb1bb2bcca82464a17c7e7858dbed3b90acf4a5ffcd3f3040c
SSDEEP: 1536:ZCxFYReRz2WHtHRHzH6tLj5YpQqNldFeLDNlN1yHzDR2LYpyTU7gt:87YReRGtLj5YpQqNldFeLDNlN11
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" by ciazooh.exe
  ShowSuperHidden = 0 is the "hide protected operating system files" setting: files carrying the hidden+system attributes are not displayed in Explorer.
Executes dropped EXE (1 IoC)
  PID 2804 ciazooh.exe
Loads dropped DLL (2 IoCs)
  PID 2864 aa5d35e8a06a26e1d765b14d98987b34_JaffaCakes118.exe (2 events)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciazooh = "C:\\Users\\Admin\\ciazooh.exe" by ciazooh.exe
  The Run value points at the dropped copy in the user profile, so it is re-launched at every logon of this user without needing elevation.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by aa5d35e8a06a26e1d765b14d98987b34_JaffaCakes118.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by ciazooh.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2804 ciazooh.exe (all 64 listed events)
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2864 aa5d35e8a06a26e1d765b14d98987b34_JaffaCakes118.exe
  PID 2804 ciazooh.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  PID 2864 (aa5d35e8a06a26e1d765b14d98987b34_JaffaCakes118.exe) wrote to memory of PID 2804, procid_target 30: 4 events
  PID 2804 (ciazooh.exe) wrote to memory of PID 2864, procid_target 29: the remaining 60 listed events
  Note the direction: the dropped child writes back into its parent far more often than the parent wrote into the child at creation.
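The registry IoCs above are the part of this report that converts most directly into detection logic. The following is an added example, not code from the report or from tria.ge: it parses "Set value" and "Key opened" lines in the format shown on this page (the format is assumed from these lines only) and maps them to the ATT&CK techniques this report lists, plus T1614.001 for the NLS\Language lookup. The three sample lines are copied from the Signatures section; the ShowSuperHidden/Hidden value semantics are the standard Explorer ones.

```python
"""Triage of registry IoC lines as tria.ge prints them (Set value / Key opened).

Added example; not code from the report or from tria.ge. The line format is
assumed from the IoCs shown on this page. ATT&CK ids: T1547.001 Registry Run
Keys / Startup Folder, T1564.001 Hidden Files and Directories, T1112 Modify
Registry, T1614.001 System Language Discovery.
"""
import re

# Constructed input: the three registry IoCs from the report's Signatures section.
SAMPLE_IOCS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ciazooh.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\ciazooh = "C:\\Users\\Admin\\ciazooh.exe" ciazooh.exe',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ciazooh.exe',
]

SET_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)" (\S+)$')
OPEN_RE = re.compile(r'^Key opened (\S+) (\S+)$')

# Key fragments (lower-cased) that register a user-level autostart.
AUTOSTART_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
# Explorer\Advanced values that keep files out of view: ShowSuperHidden=0 hides
# protected OS files, Hidden=2 hides files with the hidden attribute.
HIDE_VALUES = {"showsuperhidden": "0", "hidden": "2"}


def parse_event(line):
    """Return a dict for one IoC line, or None if the line is not recognised."""
    m = SET_RE.match(line)
    if m:
        kind, path, value, proc = m.groups()
        # tria.ge escapes backslashes inside the quoted value ("C:\\Users\\..."); undo that.
        return {"op": "set", "type": kind, "path": path,
                "value": value.replace("\\\\", "\\"), "process": proc}
    m = OPEN_RE.match(line)
    if m:
        path, proc = m.groups()
        return {"op": "open", "type": None, "path": path, "value": None, "process": proc}
    return None


def classify(ev):
    """Map one parsed event to a list of (ATT&CK id, description) findings."""
    findings = []
    path_l = ev["path"].lower()
    key, _, name = ev["path"].rpartition("\\")
    if ev["op"] == "set":
        findings.append(("T1112", f"{ev['process']} set {name} under {key}"))
        if any(k in path_l for k in AUTOSTART_KEYS):
            note = ""
            if ev["value"].lower().startswith("c:\\users\\"):
                note = " (target lives in a user-writable profile path)"
            findings.append(("T1547.001",
                             f"{ev['process']} autostarts {ev['value']} via Run value '{name}'{note}"))
        elif "\\explorer\\advanced\\" in path_l and HIDE_VALUES.get(name.lower()) == ev["value"]:
            findings.append(("T1564.001",
                             f"{ev['process']} set Explorer {name}={ev['value']} so hidden/system files stay out of view"))
    elif ev["op"] == "open" and path_l.endswith("\\control\\nls\\language"):
        findings.append(("T1614.001", f"{ev['process']} read the system language key"))
    return findings


def triage(lines):
    """Run every line through the parser and classifier; unknown lines are skipped."""
    out = []
    for line in lines:
        ev = parse_event(line)
        if ev:
            out.extend(classify(ev))
    return out


if __name__ == "__main__":
    for technique, description in triage(SAMPLE_IOCS):
        print(technique, description)
```

The Run-value check deliberately reports the target path separately: an autostart entry pointing into C:\Users\ is the combination that matters for hunting, since the same Run key is also written by plenty of legitimate installers that point into Program Files.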
Processes
- C:\Users\Admin\AppData\Local\Temp\aa5d35e8a06a26e1d765b14d98987b34_JaffaCakes118.exe (PID 2864, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa5d35e8a06a26e1d765b14d98987b34_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\ciazooh.exe (PID 2804, depth 2, child of PID 2864)
    Command line: "C:\Users\Admin\ciazooh.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
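The WriteProcessMemory entries in the Signatures section and the parent/child relationship in the process tree above are more useful together than apart. The following is an added example, not code from the report or from tria.ge: it parses "wrote to memory of" lines in the format shown on this page (assumed from those lines only), builds a directed write graph, and rates each edge using the process tree. The sample input is constructed to match the report (4 parent-to-child writes, 60 child-to-parent writes); the tree and image names are taken from the Processes section.

```python
"""Cross-process write graph from tria.ge "wrote to memory of" IoC lines.

Added example; not code from the report or from tria.ge. The line format is
assumed from this page's "Suspicious use of WriteProcessMemory" entries, and
the process tree comes from the Processes section (PID 2804 is the child of
PID 2864).
"""
import re
from collections import Counter

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")

# Constructed input matching the report: 4 parent->child writes, 60 child->parent writes.
PARENT_TO_CHILD = "PID 2864 wrote to memory of 2804 2864 aa5d35e8a06a26e1d765b14d98987b34_JaffaCakes118.exe 30"
CHILD_TO_PARENT = "PID 2804 wrote to memory of 2864 2804 ciazooh.exe 29"
SAMPLE_WRITES = [PARENT_TO_CHILD] * 4 + [CHILD_TO_PARENT] * 60
SAMPLE_TREE = {2804: 2864}  # child pid -> parent pid, from the Processes section
SAMPLE_NAMES = {2864: "aa5d35e8a06a26e1d765b14d98987b34_JaffaCakes118.exe", 2804: "ciazooh.exe"}


def parse_write(line):
    """Return (source_pid, target_pid, source_image) for one IoC line, else None."""
    m = WRITE_RE.match(line)
    if not m:
        return None
    src, dst, image, _procid_target = m.groups()
    return int(src), int(dst), image


def write_graph(lines):
    """Count cross-process writes per directed (source_pid, target_pid) edge."""
    edges = Counter()
    for line in lines:
        parsed = parse_write(line)
        if parsed:
            edges[(parsed[0], parsed[1])] += 1
    return edges


def assess(edges, tree, names):
    """Rate each edge against the process tree.

    A few parent->child writes are reported for nearly every parent that spawns a
    child, because the Windows process-creation path itself writes into the new
    process. A child writing into its own parent, or two processes writing into
    each other, is not explained that way and deserves a closer look.
    """
    findings = []
    for (src, dst), count in sorted(edges.items()):
        reasons, severity = [], "low"
        if tree.get(dst) == src:
            reasons.append("parent -> child, routine around process creation")
        if (dst, src) in edges:
            reasons.append("bidirectional writes between the pair")
            severity = "medium"
        if tree.get(src) == dst:
            reasons.append("child -> parent, not explained by process creation")
            severity = "high"
        findings.append({
            "src": f"{src} ({names.get(src, '?')})",
            "dst": f"{dst} ({names.get(dst, '?')})",
            "count": count,
            "severity": severity,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in assess(write_graph(SAMPLE_WRITES), SAMPLE_TREE, SAMPLE_NAMES):
        print(f"[{f['severity']}] {f['src']} -> {f['dst']} x{f['count']}: {'; '.join(f['reasons'])}")
```

On the report's data the child-to-parent edge is rated high and the parent-to-child edge only medium (it is routine on its own and is promoted solely because the pair is bidirectional); a sandbox signature that counts WriteProcessMemory calls without the tree would score both edges the same.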
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
- Hide Artifacts (1): Hidden Files and Directories (1)
- Modify Registry (2)
Downloads
Filesize: 72KB
MD5: 6c5e383b6212b6d7c4c4624cdb0400d9
SHA1: 636fd060abe3b5cf1c9129c87bd49bd676f473bd
SHA256: edc111f8b2f095d1f8d9b40afbc53397168115b46c5295d8f9c375ac67aad05e
SHA512: a9cb1d66664a03a8868b9250ff5911d5020fd124f2f21b36c87f618f9dc94987c2bf7da4a43d9bdf19202abbe56bc1bace80ec66e7354be87ce3803d545981e1