Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/07/2024, 10:53
Static task: static1
Behavioral task: behavioral1
- Sample: 5ba1d549c86659b2e55b7db04764df9a_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 5ba1d549c86659b2e55b7db04764df9a_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 5ba1d549c86659b2e55b7db04764df9a_JaffaCakes118.exe
- Size: 192KB
- MD5: 5ba1d549c86659b2e55b7db04764df9a
- SHA1: 262fd00bd6c0d2482aa8f58a5500e1ca68185872
- SHA256: ac7ecd7e24484b8e12fbd087f0ebf052f4f623b887e3ccd9cdaadd8819d86731
- SHA512: eadc7eb2906981c3714e4a97c134f419613f9c8077cd720f02a2928daa79d89e971f7a5d66b4d9944028896e1c017098602e8c9bf89c252aff2920a08f3ad8f3
- SSDEEP: 1536:25Bmd2Or1gtVQeaaaaat031AdQWB5kCFrWszRUOHFlQhzyLBVomtfVBiZHAPDoFf:IOBgnW3kCFrWsF2eLorfMfsFs89x
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 5ba1d549c86659b2e55b7db04764df9a_JaffaCakes118.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | qeiebo.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 5ba1d549c86659b2e55b7db04764df9a_JaffaCakes118.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  4828 | qeiebo.exe
- Adds Run key to start application (2 TTPs, 27 IoCs)
  All 27 entries write the same value name under the same key:
  \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeiebo
  description | value written | Process
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /e" | qeiebo.exe
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /r" | qeiebo.exe
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /k" | qeiebo.exe
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /d" | qeiebo.exe
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /w" | qeiebo.exe
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /c" | qeiebo.exe
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /z" | qeiebo.exe
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /o" | qeiebo.exe
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /x" | qeiebo.exe
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /i" | qeiebo.exe
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /t" | qeiebo.exe
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /a" | qeiebo.exe
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /m" | 5ba1d549c86659b2e55b7db04764df9a_JaffaCakes118.exe
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /q" | qeiebo.exe
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /v" | qeiebo.exe
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /l" | qeiebo.exe
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /p" | qeiebo.exe
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /h" | qeiebo.exe
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /b" | qeiebo.exe
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /s" | qeiebo.exe
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /f" | qeiebo.exe
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /n" | qeiebo.exe
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /y" | qeiebo.exe
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /u" | qeiebo.exe
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /j" | qeiebo.exe
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /g" | qeiebo.exe
  Set value (str) | "C:\\Users\\Admin\\qeiebo.exe /m" | qeiebo.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1996 | 5ba1d549c86659b2e55b7db04764df9a_JaffaCakes118.exe (2 entries)
  4828 | qeiebo.exe (the remaining 62 entries, all identical)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  1996 | 5ba1d549c86659b2e55b7db04764df9a_JaffaCakes118.exe
  4828 | qeiebo.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1996 wrote to memory of 4828 | 1996 | 5ba1d549c86659b2e55b7db04764df9a_JaffaCakes118.exe | 94
  PID 1996 wrote to memory of 4828 | 1996 | 5ba1d549c86659b2e55b7db04764df9a_JaffaCakes118.exe | 94
  PID 1996 wrote to memory of 4828 | 1996 | 5ba1d549c86659b2e55b7db04764df9a_JaffaCakes118.exe | 94
Processes
- C:\Users\Admin\AppData\Local\Temp\5ba1d549c86659b2e55b7db04764df9a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ba1d549c86659b2e55b7db04764df9a_JaffaCakes118.exe"
  PID: 1996
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\qeiebo.exe (child of PID 1996)
    Command line: "C:\Users\Admin\qeiebo.exe"
    PID: 4828
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 192KB
  MD5: 9c8f665fc3dda8f46e8d09f678601a47
  SHA1: 6af0cadb220a40e8eb5235ef785d96c8fa954f5f
  SHA256: 6d81739ee0f6d99a9e8b2ad66e974963ffd7d607f19111ac9cecdc0bd5e4b3af
  SHA512: 08e15573353c1b7c7fdab536baa2052569349eb36ab9f13a27756110e152118bb833e1c278bb16836980961b8200574dd6d5151044eb47dc4204adea0c30847c