Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
24/06/2024, 15:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
09410cd64e4c3ddc45a0f7a9e705093c_JaffaCakes118.exe
Resource
win7-20240508-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
09410cd64e4c3ddc45a0f7a9e705093c_JaffaCakes118.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
09410cd64e4c3ddc45a0f7a9e705093c_JaffaCakes118.exe
-
Size
60KB
-
MD5
09410cd64e4c3ddc45a0f7a9e705093c
-
SHA1
e6446fd06fa7efbb34f345677f6d6a571eb9fe86
-
SHA256
e2c6c075e5337f1c29781972cbd7a849486fcf2a9aab258a5848104739e334bb
-
SHA512
9de6a85292a9ee121c493057395328f3d446dc8d47154a649b8b32a3717f734a456087cb9702f13d7a343e01327d66af924bf5798e0f547901a71cd6175e4373
-
SSDEEP
768:+XWmpnBOFlpJ1VUU6+9A/v/bVlbdfs3OfKDHGIHY56WX:+XWNpJXd6y43wY56WX
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" puoiw.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation 09410cd64e4c3ddc45a0f7a9e705093c_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 4192 puoiw.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoiw = "C:\\Users\\Admin\\puoiw.exe" puoiw.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe 4192 puoiw.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4408 09410cd64e4c3ddc45a0f7a9e705093c_JaffaCakes118.exe 4192 puoiw.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4408 wrote to memory of 4192 4408 09410cd64e4c3ddc45a0f7a9e705093c_JaffaCakes118.exe 80 PID 4408 wrote to memory of 4192 4408 09410cd64e4c3ddc45a0f7a9e705093c_JaffaCakes118.exe 80 PID 4408 wrote to memory of 4192 4408 09410cd64e4c3ddc45a0f7a9e705093c_JaffaCakes118.exe 80 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79 PID 4192 wrote to memory of 4408 4192 puoiw.exe 79
Processes
-
C:\Users\Admin\AppData\Local\Temp\09410cd64e4c3ddc45a0f7a9e705093c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\09410cd64e4c3ddc45a0f7a9e705093c_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Users\Admin\puoiw.exe"C:\Users\Admin\puoiw.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4192
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD5f4ac83ec72fab79efc24ff8d54b6cb56
SHA1a7afe32a2d5bccca1f140a55f8ac18020a6ecaa1
SHA2566d866230e8da8ac239d8bf20319d7c2859b3f260e29caa1dd1365eed7438e501
SHA512f58b50a9f6e5e487ad7fc66fe800c859a59e0b9b0bc6d34784ed7d1be676f317f18a19097415ee81596958e7d86a12b60c1b421014b5a223b47684ae5e51c980