Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/08/2024, 16:15
Static task: static1
Behavioral task: behavioral1
- Sample: abb24a447af7c1aa3ea0cbac05552447_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: abb24a447af7c1aa3ea0cbac05552447_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: abb24a447af7c1aa3ea0cbac05552447_JaffaCakes118.exe
- Size: 88KB
- MD5: abb24a447af7c1aa3ea0cbac05552447
- SHA1: c3a06393aa9207cc90d42437de97982d5083d6ac
- SHA256: 8daac65f8ea89cdc4a8eee965236850beb044b54600acf3d843fb5c4cced86b1
- SHA512: f34182110597d3c99d02cb3156473bf647a3e5044b295ecc90349e3db77f093310a579c5ff1064ddc7d53061fb016c331825e680008ee7cfbe760b2f4c155aad
- SSDEEP: 768:BDFIetrFRaaq2AOa6TnwVDZ1RO8YSEQJt1H7a8jFk+ZxqfcwltS:bIwp7YzDZ16SEQJjZx0cwl8
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  Process: soiod.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation
  Process: abb24a447af7c1aa3ea0cbac05552447_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  pid: 4844
  Process: soiod.exe
- Adds Run key to start application (2 TTPs, 52 IoCs)
  All 52 entries are "Set value (str)" writes by process soiod.exe to the same value:
  ioc: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\soiod
  The value data is "C:\\Users\\Admin\\soiod.exe <switch>", where the switch takes the following values, in the order reported:
  /M /o /j /b /k /s /L /G /P /O /h /N /S /E /f /r /q /v /X /d /u /R /F /a /g /V /t /p /n /A /W /I /z /J /U /D /Q /x /H /l /C /m /T /K /Y /i /e /Z /c /y /w /B
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: abb24a447af7c1aa3ea0cbac05552447_JaffaCakes118.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: soiod.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 4844, Process: soiod.exe (all 64 entries identical)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 1936, Process: abb24a447af7c1aa3ea0cbac05552447_JaffaCakes118.exe
  pid: 4844, Process: soiod.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Columns: description, pid, Process, procid_target
  PID 1936 wrote to memory of 4844, 1936, abb24a447af7c1aa3ea0cbac05552447_JaffaCakes118.exe, 89 (first 3 entries)
  PID 4844 wrote to memory of 1936, 4844, soiod.exe, 83 (all remaining entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\abb24a447af7c1aa3ea0cbac05552447_JaffaCakes118.exe (PID 1936)
  command line: "C:\Users\Admin\AppData\Local\Temp\abb24a447af7c1aa3ea0cbac05552447_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - child process: C:\Users\Admin\soiod.exe (PID 4844)
    command line: "C:\Users\Admin\soiod.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Hide Artifacts (1)
    - Hidden Files and Directories (1)
  - Modify Registry (2)
Downloads
- Filesize: 88KB
  MD5: d144943e03dbd1724b770ddaf732d6b2
  SHA1: 56a66e046a48af40a4ef977cf2c60e0996ceaf15
  SHA256: 9e9400c9a624270deea0513774d626fabb19dc202008e8efb93c9fbe82929b8a
  SHA512: 268906d7b3f0738261efbf2a4ac9e380ec2d5fbded74e3977486ef6f74dbe0eed2feb8eeb8de8cd644c1347bb64ef699ed35f663c00f0b72f8e762c9c10e3f74