Analysis
max time kernel: 149s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/09/2024, 12:27
Static task: static1
Behavioral task: behavioral1
Sample: d45c837903e41d734742126e207d5aab_JaffaCakes118.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: d45c837903e41d734742126e207d5aab_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: d45c837903e41d734742126e207d5aab_JaffaCakes118.exe
Size: 104KB
MD5: d45c837903e41d734742126e207d5aab
SHA1: ae927d7a2378f0e6549b25a86a6505d807655e0a
SHA256: 76b287087874adc8cbe231f695574a33166e5437b01643f85ff897380e4d160b
SHA512: c9fea6bc1f22fcb3a81abb5d3577f1f60fe9b540dc6be939de40d27c3b9ca407b1f211e44d34198bb7a41f21f30e32c16b274037f3e0dcf089d20b970b80ed52
SSDEEP: 1536:K24imNbbAJ8xxp+pofZ71TDdxqh5c2+JTlD/5QOuqXRRRyRAR/RwRzyYWkMktgFI:RmK+5+pMI7cv776qL0oDc
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | raoefi.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | d45c837903e41d734742126e207d5aab_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
pid | Process
2256 | raoefi.exe
Adds Run key to start application (2 TTPs, 52 IoCs)
description | ioc | Process
All 52 entries are "Set value (str)" writes by raoefi.exe to the same value, \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raoefi, each time rewriting it to "C:\\Users\\Admin\\raoefi.exe <switch>" with the following switches, in the order observed:
/u /m /p /Y /d /y /B /N /O /F /r /M /s /H /U /i /W /A /J /k /w /n /z /q /o /v /f /e /g /K /Z /R /c /Q /I /j /l /a /V /b /P /L /t /S /T /C /x /h /E /X /G /D
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d45c837903e41d734742126e207d5aab_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | raoefi.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2256 | raoefi.exe (the same entry, repeated 64 times)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1392 | d45c837903e41d734742126e207d5aab_JaffaCakes118.exe
2256 | raoefi.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 1392 wrote to memory of 2256 | 1392 | d45c837903e41d734742126e207d5aab_JaffaCakes118.exe | 87 (the same entry, repeated 3 times)
Processes
1. "C:\Users\Admin\AppData\Local\Temp\d45c837903e41d734742126e207d5aab_JaffaCakes118.exe" (PID 1392)
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. "C:\Users\Admin\raoefi.exe" (PID 2256), spawned by PID 1392
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
Defense Evasion
- Hide Artifacts: 1
  - Hidden Files and Directories: 1
- Modify Registry: 2
Downloads
Filesize: 104KB
MD5: 5af7415d00e9a7da04a5158684cf648d
SHA1: c65439cc418443c07c2d6cb5894640204130fe89
SHA256: 1b3ab56b702df16b186311ff4c51ac048b2cc30ec89a91090ac59e0624415483
SHA512: 2e3ba95100e3f05e51bc62cbcd20501f5683e98f71d152e8e1895b24181bb3709164f00be0a57231199adb8a4448d28fa1b1ecbe4bf022b7a59935272364fea7