Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/04/2024, 23:22
Static task
- static1

Behavioral task
- behavioral1
  - Sample: e619c0199a77559eadae1249d97bde3e_JaffaCakes118.exe
  - Resource: win7-20240221-en

Behavioral task
- behavioral2
  - Sample: e619c0199a77559eadae1249d97bde3e_JaffaCakes118.exe
  - Resource: win10v2004-20240226-en
General
- Target: e619c0199a77559eadae1249d97bde3e_JaffaCakes118.exe
- Size: 396KB
- MD5: e619c0199a77559eadae1249d97bde3e
- SHA1: 12556d97f08609fdf059ca1e50aeb939ccf07465
- SHA256: e1be2c86ac30e33bccdf62c83d3aec2ddedaa09402a9ddf609bfd17eae68f232
- SHA512: fa09f5540e2a3b3b4a4b32e5db1d2a3eafc027122d87276cc4b679b01db208ba31a1831414ba200965856c8f20a524c11f3298e1a2ed797dd2df8a1c02719e95
- SSDEEP: 6144:rjwm6qra/lBzFWYSTnEiEcVc2vKx7TCNVq1i4Upx0DKHE2ViGudrpRf3WO/fwApT:r8m6Wa/TpWYSTnEg/vGgEKHFgGudrpX
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | vaopua.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | e619c0199a77559eadae1249d97bde3e_JaffaCakes118.exe

Executes dropped EXE (1 IoCs)
pid | Process
- 3852 | vaopua.exe
Adds Run key to start application (2 TTPs, 51 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /g" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /p" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /v" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /Z" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /K" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /d" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /E" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /t" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /N" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /q" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /V" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /w" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /P" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /C" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /l" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /Y" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /R" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /e" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /u" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /k" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /A" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /j" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /i" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /m" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /z" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /r" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /H" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /f" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /h" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /X" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /I" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /F" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /U" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /J" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /o" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /c" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /D" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /T" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /B" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /s" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /y" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /a" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /n" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /Q" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /x" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /b" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /M" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /O" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /W" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /S" | vaopua.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /G" | vaopua.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
- 3852 | vaopua.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
- 4468 | e619c0199a77559eadae1249d97bde3e_JaffaCakes118.exe
- 3852 | vaopua.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
- PID 4468 wrote to memory of 3852 | 4468 | e619c0199a77559eadae1249d97bde3e_JaffaCakes118.exe | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\e619c0199a77559eadae1249d97bde3e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e619c0199a77559eadae1249d97bde3e_JaffaCakes118.exe"
  PID: 4468
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\vaopua.exe
    Command line: "C:\Users\Admin\vaopua.exe"
    PID: 3852
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 396KB
- MD5: 64df989fd6e6975d1566f296ce437b98
- SHA1: c62d7510b16c97f8462cfd70a328e67ac764e10d
- SHA256: 1a02816d0d93a2f4d590760ed401764e174167479335e27d86d68fa497276e7c
- SHA512: bcc3dcc6fc40fb3a48235aecc8dfd771e5970224077d85ab44f2651491215384c7a0faeab8ef90540b396c1b3690785efe3a945f3eebef6f2ee56dde939f2126