Analysis
max time kernel: 149s
max time network: 143s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
submitted: 13/07/2024, 09:10
Static task: static1
Behavioral task: behavioral1
  Sample: 410f049a796bc67d1458c178b2c36487_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 410f049a796bc67d1458c178b2c36487_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 410f049a796bc67d1458c178b2c36487_JaffaCakes118.exe
Size: 136KB
MD5: 410f049a796bc67d1458c178b2c36487
SHA1: 34cfe849caee623422b00a583ab1e31a97af9084
SHA256: 87347b4a7cc5551fcaf812ba0bad99ddc24df5ba995cf8c4ab867b1d5953078e
SHA512: bd385968113e0f517859c14b37ec1df2e9976919aa81715ff5e2834d2047adca116ed97d41686739b49bfed56baa96a6b7c02d7d787e6f51757311d2a7868763
SSDEEP: 3072:PpvJovvXFwRBW1cQoj9MYuPCNtrK6tJTVUa37KiCg:Tu/d2QRYjfTVU4Ki
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  process: 410f049a796bc67d1458c178b2c36487_JaffaCakes118.exe
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  process: nuoagey.exe
- Executes dropped EXE (1 IoC)
  pid 2308, process nuoagey.exe
- Loads dropped DLL (2 IoCs)
  pid 2556, process 410f049a796bc67d1458c178b2c36487_JaffaCakes118.exe
  pid 2556, process 410f049a796bc67d1458c178b2c36487_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 52 IoCs)
  All 52 entries are "Set value (str)" on the same value, differing only in the command-line switch:
  ioc: \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\nuoagey = "C:\\Users\\Admin\\nuoagey.exe /<switch>"
  process 410f049a796bc67d1458c178b2c36487_JaffaCakes118.exe (1 entry): /l
  process nuoagey.exe (51 entries, in the order reported; the parent's /l entry falls between /c and /a):
  /x /v /o /V /l /n /m /z /D /S /Z /O /E /A /U /B /y /s /W /F /k /L /g /w /G /c /a /u /j /h /p /i /N /Q /C /H /Y /R /T /b /X /P /r /M /K /t /d /J /e /I /f
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2556, process 410f049a796bc67d1458c178b2c36487_JaffaCakes118.exe
  pid 2308, process nuoagey.exe (repeated for every remaining entry of the 64)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2556, process 410f049a796bc67d1458c178b2c36487_JaffaCakes118.exe
  pid 2308, process nuoagey.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2556 wrote to memory of 2308
  pid: 2556, process: 410f049a796bc67d1458c178b2c36487_JaffaCakes118.exe, procid_target: 30
  (the same entry is reported 4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\410f049a796bc67d1458c178b2c36487_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\410f049a796bc67d1458c178b2c36487_JaffaCakes118.exe"
   PID: 2556
   - Modifies visibility of hidden/system files in Explorer
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\nuoagey.exe (child of PID 2556)
      command line: "C:\Users\Admin\nuoagey.exe"
      PID: 2308
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 136KB
MD5: 9062a34bf90e2434d57168daadb364ce
SHA1: 0facd5fd3ca13cacbab2bcb83396cb9659c4c1db
SHA256: 0bbfbaf34b966bac10e7ab63b8b6505df757b3beb38c2f0ac8af6b0bd1084c68
SHA512: d4ce576cc69c5d621a921e3f9f280b7bf26e3b2cf8168c32e8095dd00f6bc181c83da3d99e23b151b28acca53675af1c7c5378ee255b039501ce4824b78ddf51