Analysis
- max time kernel: 149s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/06/2024, 09:02
Static task: static1
Behavioral task: behavioral1
- Sample: 048b925ebf1ac0f043c4c4e7cdf8c49f_JaffaCakes118.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 048b925ebf1ac0f043c4c4e7cdf8c49f_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 048b925ebf1ac0f043c4c4e7cdf8c49f_JaffaCakes118.exe
- Size: 132KB
- MD5: 048b925ebf1ac0f043c4c4e7cdf8c49f
- SHA1: c76db990c103306230e02d1c8d23f9db169e37d2
- SHA256: 9e659749bc05cf3cc046923233df3cf9b93f46d8f9f369a9acc4f518b2a752c2
- SHA512: 9712711b4595cdb81e494da36ae45d4a920bca77e48668aacbf376aa743cee57a645fd02654d12fc5aa3f2c09ba85aff920c1e3d15fef5296615d4db348ad09f
- SSDEEP: 3072:V5RPXEcBrPf9HU9Oki6DX37fAdHEE5j4oQ324:VPPXEcBrPFHU9Ok7rfKVdT4
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 048b925ebf1ac0f043c4c4e7cdf8c49f_JaffaCakes118.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | wiuseh.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | 048b925ebf1ac0f043c4c4e7cdf8c49f_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  2376 | wiuseh.exe
- Adds Run key to start application (2 TTPs, 52 IoCs)
  All 52 entries are of type "Set value (str)" on the same value name, \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuseh; each row gives the data written and the process that wrote it.
  ioc (data written) | Process
  "C:\\Users\\Admin\\wiuseh.exe /p" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /A" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /x" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /J" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /Q" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /Z" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /q" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /X" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /v" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /L" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /R" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /s" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /U" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /F" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /E" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /H" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /T" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /K" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /a" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /f" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /i" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /m" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /G" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /j" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /q" | 048b925ebf1ac0f043c4c4e7cdf8c49f_JaffaCakes118.exe
  "C:\\Users\\Admin\\wiuseh.exe /y" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /w" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /n" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /I" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /r" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /b" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /C" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /V" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /k" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /O" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /P" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /Y" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /D" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /N" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /M" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /o" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /u" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /e" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /h" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /S" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /c" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /l" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /W" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /z" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /t" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /d" | wiuseh.exe
  "C:\\Users\\Admin\\wiuseh.exe /g" | wiuseh.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  624 | 048b925ebf1ac0f043c4c4e7cdf8c49f_JaffaCakes118.exe (2 entries)
  2376 | wiuseh.exe (the remaining 62 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  624 | 048b925ebf1ac0f043c4c4e7cdf8c49f_JaffaCakes118.exe
  2376 | wiuseh.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 624 wrote to memory of 2376 | 624 | 048b925ebf1ac0f043c4c4e7cdf8c49f_JaffaCakes118.exe | 97
  PID 624 wrote to memory of 2376 | 624 | 048b925ebf1ac0f043c4c4e7cdf8c49f_JaffaCakes118.exe | 97
  PID 624 wrote to memory of 2376 | 624 | 048b925ebf1ac0f043c4c4e7cdf8c49f_JaffaCakes118.exe | 97
Processes
- C:\Users\Admin\AppData\Local\Temp\048b925ebf1ac0f043c4c4e7cdf8c49f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\048b925ebf1ac0f043c4c4e7cdf8c49f_JaffaCakes118.exe"
  PID: 624
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\wiuseh.exe
    Command line: "C:\Users\Admin\wiuseh.exe"
    PID: 2376
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=3960 /prefetch:8
  PID: 2264
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 132KB
  MD5: f03639515c8180635bfc645fc9608f53
  SHA1: 481fa7ffb4857b5eaabfaa03214702eb3c6249e3
  SHA256: a00137bf5a27e9096d8fcb70a8906fb51e80f57f8229781d9bf04070de055419
  SHA512: fee54b8d36fa0ecd390cbd712d6f05118490d4bd564ba6787e2ff2d042de7f16142991a4c244ce736bb3ad846ec8570dc141fad4fd7ed01a7540f4261dbf88ec