Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/07/2024, 12:50
Static task: static1
Behavioral task: behavioral1
- Sample: 34caecbcc1f4ad64fb054ddf2b32fab4_JaffaCakes118.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 34caecbcc1f4ad64fb054ddf2b32fab4_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 34caecbcc1f4ad64fb054ddf2b32fab4_JaffaCakes118.exe
- Size: 188KB
- MD5: 34caecbcc1f4ad64fb054ddf2b32fab4
- SHA1: 5aeda637b7e8468954d5f616efc3d2cef711a543
- SHA256: 805b99227471151ce4b9c8b34891bd8c6991465f82e7f0cdbc8f6872df5462c5
- SHA512: 7c8178ce57bd417c298d6f65886d51702f2a7f63f5d8b8c8363edbe4d7416dc5dc5aab95723f6b271c63e3368507026a7c4e9ae2798a814c8e99c215ed159ac1
- SSDEEP: 3072:6j4VOBQqQ7b4zxMJsSmJ6nTQFlKRilqoq6v/i:RVqM4zk0cqfMoty
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Set value (int): \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" by 34caecbcc1f4ad64fb054ddf2b32fab4_JaffaCakes118.exe
  Set value (int): \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" by ruouma.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation by 34caecbcc1f4ad64fb054ddf2b32fab4_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  PID 5012: ruouma.exe
- Adds Run key to start application (2 TTPs, 53 IoCs)
  Set value (str) on \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ruouma, 53 times. Every write stores "C:\\Users\\Admin\\ruouma.exe" followed by one single-letter switch. All writes were made by ruouma.exe except the second /r write, which was made by 34caecbcc1f4ad64fb054ddf2b32fab4_JaffaCakes118.exe. Switches in the order recorded:
  /T /z /W /p /m /G /Y /r /y /t /I /R /K /u /j /L /f /o /F /A /g /n /r (34caecbcc1f4ad64fb054ddf2b32fab4_JaffaCakes118.exe) /V /H /B /P /U /b /h /J /E /Z /C /q /e /d /O /i /w /M /D /x /X /Q /c /k /v /a /N /s /S /l
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4572: 34caecbcc1f4ad64fb054ddf2b32fab4_JaffaCakes118.exe (2 entries)
  PID 5012: ruouma.exe (remaining 62 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 4572: 34caecbcc1f4ad64fb054ddf2b32fab4_JaffaCakes118.exe
  PID 5012: ruouma.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4572 wrote to memory of 5012 (3 entries): pid 4572, process 34caecbcc1f4ad64fb054ddf2b32fab4_JaffaCakes118.exe, procid_target 88
Processes
- C:\Users\Admin\AppData\Local\Temp\34caecbcc1f4ad64fb054ddf2b32fab4_JaffaCakes118.exe (PID 4572)
  Command line: "C:\Users\Admin\AppData\Local\Temp\34caecbcc1f4ad64fb054ddf2b32fab4_JaffaCakes118.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\ruouma.exe (PID 5012)
    Command line: "C:\Users\Admin\ruouma.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 188KB
- MD5: 2054d3288a2d1a6c874d20437db15c53
- SHA1: 54cf5d1304b57932e87a7c264ca90ead7f712654
- SHA256: fc1bea7d91406ac4d94625201f4cec190ec79667a8b5cbdaf6a2b6a15eba918b
- SHA512: 7179eacd0680f944be647e9f83a01221fead68f1dac5975e199785fdc93aac188ee6dbfdff8037f4ad59aa0a6d559bf10f223a4a7cba1888b4d3325b5a6a4df9