Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/06/2024, 01:30
Static task
static1
Behavioral task
behavioral1
Sample
01b7a1e0d46d37cdbc37c37f2c1f9774_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
01b7a1e0d46d37cdbc37c37f2c1f9774_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
Target: 01b7a1e0d46d37cdbc37c37f2c1f9774_JaffaCakes118.exe
Size: 272KB
MD5: 01b7a1e0d46d37cdbc37c37f2c1f9774
SHA1: 325debb69ebf44c67deda6332e11d22aebbb61b7
SHA256: afd3041705aa879161ddb1535f65f26bcbc72f412260171677de18d701519439
SHA512: e5ee3398fd0325674e70a70dd217cf536be188866531b219e74bfe93ef84639c4b9c5d18b4885ba0cbb5adf9183116ae44ed577e0d2eca5e69a89eb1fc553f23
SSDEEP: 6144:P3abKlQxchRdjLmtrBuMrdekUH63u+X5sc57W:CLxGLTuPL5
Malware Config
Signatures
Modifies visiblity of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 01b7a1e0d46d37cdbc37c37f2c1f9774_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | qvfiuw.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | 01b7a1e0d46d37cdbc37c37f2c1f9774_JaffaCakes118.exe

Executes dropped EXE (1 IoCs)
pid | Process
4840 | qvfiuw.exe
Adds Run key to start application (2 TTPs, 53 IoCs)
description | ioc | Process
All 53 entries are "Set value (str)" on the same key:
\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qvfiuw
The value written differs only in the trailing switch; the writing process is qvfiuw.exe unless noted otherwise.
"C:\\Users\\Admin\\qvfiuw.exe /q"
"C:\\Users\\Admin\\qvfiuw.exe /Z"
"C:\\Users\\Admin\\qvfiuw.exe /S"
"C:\\Users\\Admin\\qvfiuw.exe /F"
"C:\\Users\\Admin\\qvfiuw.exe /J"
"C:\\Users\\Admin\\qvfiuw.exe /U"
"C:\\Users\\Admin\\qvfiuw.exe /a"
"C:\\Users\\Admin\\qvfiuw.exe /b"
"C:\\Users\\Admin\\qvfiuw.exe /n"
"C:\\Users\\Admin\\qvfiuw.exe /R"
"C:\\Users\\Admin\\qvfiuw.exe /B"
"C:\\Users\\Admin\\qvfiuw.exe /Q"
"C:\\Users\\Admin\\qvfiuw.exe /y"
"C:\\Users\\Admin\\qvfiuw.exe /L"
"C:\\Users\\Admin\\qvfiuw.exe /p"
"C:\\Users\\Admin\\qvfiuw.exe /z"
"C:\\Users\\Admin\\qvfiuw.exe /C"
"C:\\Users\\Admin\\qvfiuw.exe /M" (written by 01b7a1e0d46d37cdbc37c37f2c1f9774_JaffaCakes118.exe)
"C:\\Users\\Admin\\qvfiuw.exe /V"
"C:\\Users\\Admin\\qvfiuw.exe /i"
"C:\\Users\\Admin\\qvfiuw.exe /A"
"C:\\Users\\Admin\\qvfiuw.exe /H"
"C:\\Users\\Admin\\qvfiuw.exe /e"
"C:\\Users\\Admin\\qvfiuw.exe /m"
"C:\\Users\\Admin\\qvfiuw.exe /Y"
"C:\\Users\\Admin\\qvfiuw.exe /x"
"C:\\Users\\Admin\\qvfiuw.exe /O"
"C:\\Users\\Admin\\qvfiuw.exe /X"
"C:\\Users\\Admin\\qvfiuw.exe /W"
"C:\\Users\\Admin\\qvfiuw.exe /E"
"C:\\Users\\Admin\\qvfiuw.exe /K"
"C:\\Users\\Admin\\qvfiuw.exe /l"
"C:\\Users\\Admin\\qvfiuw.exe /I"
"C:\\Users\\Admin\\qvfiuw.exe /s"
"C:\\Users\\Admin\\qvfiuw.exe /t"
"C:\\Users\\Admin\\qvfiuw.exe /v"
"C:\\Users\\Admin\\qvfiuw.exe /M"
"C:\\Users\\Admin\\qvfiuw.exe /c"
"C:\\Users\\Admin\\qvfiuw.exe /f"
"C:\\Users\\Admin\\qvfiuw.exe /w"
"C:\\Users\\Admin\\qvfiuw.exe /D"
"C:\\Users\\Admin\\qvfiuw.exe /r"
"C:\\Users\\Admin\\qvfiuw.exe /g"
"C:\\Users\\Admin\\qvfiuw.exe /T"
"C:\\Users\\Admin\\qvfiuw.exe /N"
"C:\\Users\\Admin\\qvfiuw.exe /k"
"C:\\Users\\Admin\\qvfiuw.exe /o"
"C:\\Users\\Admin\\qvfiuw.exe /d"
"C:\\Users\\Admin\\qvfiuw.exe /G"
"C:\\Users\\Admin\\qvfiuw.exe /P"
"C:\\Users\\Admin\\qvfiuw.exe /h"
"C:\\Users\\Admin\\qvfiuw.exe /u"
"C:\\Users\\Admin\\qvfiuw.exe /j"
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4968 | 01b7a1e0d46d37cdbc37c37f2c1f9774_JaffaCakes118.exe (2 entries)
4840 | qvfiuw.exe (62 entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
4968 | 01b7a1e0d46d37cdbc37c37f2c1f9774_JaffaCakes118.exe
4840 | qvfiuw.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4968 wrote to memory of 4840 | 4968 | 01b7a1e0d46d37cdbc37c37f2c1f9774_JaffaCakes118.exe | 93
PID 4968 wrote to memory of 4840 | 4968 | 01b7a1e0d46d37cdbc37c37f2c1f9774_JaffaCakes118.exe | 93
PID 4968 wrote to memory of 4840 | 4968 | 01b7a1e0d46d37cdbc37c37f2c1f9774_JaffaCakes118.exe | 93
Processes
1. C:\Users\Admin\AppData\Local\Temp\01b7a1e0d46d37cdbc37c37f2c1f9774_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\01b7a1e0d46d37cdbc37c37f2c1f9774_JaffaCakes118.exe"
   - Modifies visiblity of hidden/system files in Explorer
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 4968
   2. C:\Users\Admin\qvfiuw.exe (child of PID 4968)
      Command line: "C:\Users\Admin\qvfiuw.exe"
      - Modifies visiblity of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID: 4840

1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1300,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:8
   PID: 3040
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 272KB
MD5: af66a048dd46a90445e86869c80969ff
SHA1: 37428c7cebb8c4837793373a6131e6306660fe14
SHA256: fc1937e4179634e9b9e8d5009c981ec4e43129765de514fdb49ef9b4ff609902
SHA512: 4911bf8220f25263d8a26c117a0bdcc0e6cc7955f5ebd2b72c80f7729ccd40294f09d99fb41bf6aa9d9a9cc08786bc20dc3b6ce9d056562a97eb80c32aa1243e