Analysis
max time kernel: 149s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2024, 03:08
Static task: static1
Behavioral task: behavioral1
  Sample: 246cbce0d0a13450bb771418f0cf3061_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 246cbce0d0a13450bb771418f0cf3061_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 246cbce0d0a13450bb771418f0cf3061_JaffaCakes118.exe
Size: 192KB
MD5: 246cbce0d0a13450bb771418f0cf3061
SHA1: 07e19b5e4ef89872134d731a6ea8f31fcb24b7ea
SHA256: ae199db7bdc96b9a013e948c60811ee94dbb3d5184ecda613e2c340ece7a17a6
SHA512: a0ae20d18c33fa44a9508ccd83d323072eef992fed7e1c5de9548ded6860ff706f2ca0807a2da495b904dc8d70e5499043d0fdebf894e137e613ecda45fa135f
SSDEEP: 1536:RDcP2OaLaaaaat031AdQWB5kCFrWszRUOHFlQhzyLwVKftfVBiZHAPloFp5A2mbP:rOaW3kCFrWsF2eLbqx2994sUxq
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description      ioc                                                                                                                                    Process
Set value (int)  \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  246cbce0d0a13450bb771418f0cf3061_JaffaCakes118.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  yooeliy.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description        ioc                                                                                       Process
Key value queried  \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation  246cbce0d0a13450bb771418f0cf3061_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
pid   Process
4760  yooeliy.exe
Adds Run key to start application (2 TTPs, 27 IoCs)
All 27 entries set the same value name under the same key; only the command-line switch and the writing process differ.
key: \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yooeliy
description      value                               Process
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /l"  yooeliy.exe
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /a"  yooeliy.exe
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /r"  yooeliy.exe
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /n"  yooeliy.exe
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /o"  yooeliy.exe
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /x"  yooeliy.exe
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /t"  yooeliy.exe
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /u"  yooeliy.exe
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /b"  yooeliy.exe
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /z"  yooeliy.exe
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /i"  yooeliy.exe
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /v"  yooeliy.exe
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /j"  yooeliy.exe
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /h"  yooeliy.exe
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /q"  yooeliy.exe
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /g"  yooeliy.exe
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /d"  yooeliy.exe
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /y"  yooeliy.exe
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /m"  246cbce0d0a13450bb771418f0cf3061_JaffaCakes118.exe
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /m"  yooeliy.exe
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /e"  yooeliy.exe
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /c"  yooeliy.exe
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /p"  yooeliy.exe
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /w"  yooeliy.exe
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /f"  yooeliy.exe
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /k"  yooeliy.exe
Set value (str)  "C:\\Users\\Admin\\yooeliy.exe /s"  yooeliy.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process                                              entries
2536  246cbce0d0a13450bb771418f0cf3061_JaffaCakes118.exe   2
4760  yooeliy.exe                                          62
Suspicious use of SetWindowsHookEx (2 IoCs)
pid   Process
2536  246cbce0d0a13450bb771418f0cf3061_JaffaCakes118.exe
4760  yooeliy.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description                   pid   Process                                              procid_target
PID 2536 wrote to memory of 4760  2536  246cbce0d0a13450bb771418f0cf3061_JaffaCakes118.exe  94
PID 2536 wrote to memory of 4760  2536  246cbce0d0a13450bb771418f0cf3061_JaffaCakes118.exe  94
PID 2536 wrote to memory of 4760  2536  246cbce0d0a13450bb771418f0cf3061_JaffaCakes118.exe  94
Processes
C:\Users\Admin\AppData\Local\Temp\246cbce0d0a13450bb771418f0cf3061_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\246cbce0d0a13450bb771418f0cf3061_JaffaCakes118.exe"
  PID: 2536
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\yooeliy.exe (child of PID 2536)
    command line: "C:\Users\Admin\yooeliy.exe"
    PID: 4760
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 192KB
MD5: 01843fa947948f0935bbe3728f5126c3
SHA1: e82235436682d0754a82d195dcbb9de71c13cf61
SHA256: d3ce0595e3f18a5081615b0c3a293ea6b7262adb71485f8fa4d23d16bda6a60f
SHA512: ce35c0481bf33d739f41174d01124c8194c00f9e74d882e21184eacde23ec0538d2e311f8dd185827d6fc85cb2e9fd409ee0ba67a8ee5f870db3f0d611fc22be