Analysis
max time kernel: 149s
max time network: 144s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 22/07/2024, 10:07
Static task: static1
Behavioral task: behavioral1
  Sample: 62cca8ffc96bb576212a19d5a6885295_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 62cca8ffc96bb576212a19d5a6885295_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 62cca8ffc96bb576212a19d5a6885295_JaffaCakes118.exe
Size: 124KB
MD5: 62cca8ffc96bb576212a19d5a6885295
SHA1: 16bfaf421e5de7add035b6960b9e4f94736132db
SHA256: 8d71c7cdc265a6f4a5899a8723dc46031ce0f4a8be5a550a8cd3509bbe136d90
SHA512: d82b98d2faa0433aa6c8b68dd6cc64f841c7d950e643bb30eba2b03836823d656c4305f7688acb4273c5cde981c7141d5d2934940569821eae296fba3c54a39c
SSDEEP: 1536:LdtkjMTQEhU0GgAJa0P1kNmKldCMhdu8KWP/nTn8nBP9VewNeG0h/l:vkjbEhU0GgAT98t
Malware Config
Signatures
Modifies visiblity of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 62cca8ffc96bb576212a19d5a6885295_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | vooqeiv.exe

Executes dropped EXE (1 IoC)
pid | Process
2312 | vooqeiv.exe

Loads dropped DLL (2 IoCs)
pid | Process
3032 | 62cca8ffc96bb576212a19d5a6885295_JaffaCakes118.exe
3032 | 62cca8ffc96bb576212a19d5a6885295_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 53 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /V" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /n" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /r" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /H" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /G" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /z" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /u" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /s" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /p" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /K" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /b" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /L" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /Q" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /W" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /R" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /m" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /l" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /D" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /w" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /T" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /E" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /d" | 62cca8ffc96bb576212a19d5a6885295_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /A" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /C" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /q" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /i" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /Z" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /y" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /Y" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /J" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /P" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /h" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /d" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /X" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /a" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /j" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /S" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /B" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /I" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /N" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /f" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /k" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /o" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /O" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /g" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /F" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /M" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /U" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /c" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /v" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /e" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /t" | vooqeiv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\vooqeiv = "C:\\Users\\Admin\\vooqeiv.exe /x" | vooqeiv.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3032 | 62cca8ffc96bb576212a19d5a6885295_JaffaCakes118.exe
2312 | vooqeiv.exe (this row is repeated for the remaining 63 IoCs)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
3032 | 62cca8ffc96bb576212a19d5a6885295_JaffaCakes118.exe
2312 | vooqeiv.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 3032 wrote to memory of 2312 | 3032 | 62cca8ffc96bb576212a19d5a6885295_JaffaCakes118.exe | 30
PID 3032 wrote to memory of 2312 | 3032 | 62cca8ffc96bb576212a19d5a6885295_JaffaCakes118.exe | 30
PID 3032 wrote to memory of 2312 | 3032 | 62cca8ffc96bb576212a19d5a6885295_JaffaCakes118.exe | 30
PID 3032 wrote to memory of 2312 | 3032 | 62cca8ffc96bb576212a19d5a6885295_JaffaCakes118.exe | 30
Processes
1. C:\Users\Admin\AppData\Local\Temp\62cca8ffc96bb576212a19d5a6885295_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\62cca8ffc96bb576212a19d5a6885295_JaffaCakes118.exe"
   PID: 3032
   - Modifies visiblity of hidden/system files in Explorer
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\vooqeiv.exe (child of PID 3032)
      Command line: "C:\Users\Admin\vooqeiv.exe"
      PID: 2312
      - Modifies visiblity of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 124KB
MD5: eb86cfd6e2f67c75add7c2728ce2f425
SHA1: 190eeffd6bc64807ec4f454f0ae9eb2dac4471a4
SHA256: e526818164ea3ed08012b9aaa5c85300f2715b472099b505893d4be1abea11dd
SHA512: 1f1ad9c97779ecb711368c025fce1f4148e385c782c4ac0f5e2b5430411ca9ac68cf2a5970634443322049c35f79f8257b1cb74a7e780a0c2f81e9598d245a32