Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/04/2024, 12:21

General

  • Target

    ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe

  • Size

    276KB

  • MD5

    ed69746aa446d81ec40535f048806a4c

  • SHA1

    083afb28943d6e75245a9a5a8d598fedb572d651

  • SHA256

    99a0be7e62206f74468ce3b6a6c6e307133a8dc5f51da3d43d7b017d51db0d60

  • SHA512

    8bfe12e54eb1ce2aa1d7b0dabb4890fb0d141bc43d5fef0f7f6575e5fc72a9703a828cad6fea8af9c428352f7c1352d78f11eb41d420126d13df75a239775599

  • SSDEEP

    6144:mGj01tuAV3qkskU8ywoyz6Bk1j2wdPVfXNpkJWv/bEf2HYfuj8:tcvMkUs/uk0mP/k8vT6wY9

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Disables taskbar notifications via registry modification
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2876
    • C:\Users\Admin\AppData\Local\Temp\ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\3B188\0BCDA.exe%C:\Users\Admin\AppData\Roaming\3B188
      2⤵
      PID:2308
    • C:\Users\Admin\AppData\Local\Temp\ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe startC:\Program Files (x86)\88B96\lvvm.exe%C:\Program Files (x86)\88B96
      2⤵
      PID:556
    • C:\Program Files (x86)\LP\DAF3\A4F6.tmp
      "C:\Program Files (x86)\LP\DAF3\A4F6.tmp"
      2⤵
      • Executes dropped EXE
      PID:1140
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3060
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3012

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Roaming\3B188\8B96.B18

        Filesize

        996B

        MD5

        9bb9edcbe28f4ac3e98e419e7aa15546

        SHA1

        b8febcb8de20a381940e825d306930275ee5175c

        SHA256

        ba7297a40548683cb5c8abd5f19957e5e38b3e4e160ed553414a30182a85d7d9

        SHA512

        4054468f66658b55e06773e83cee9939af083d7695076e5bda1ada3f1618cb355010b1e8ef781e067b5603cde11a72d8ae166efcd40d9ef7b07a6dad9b64a989

      • C:\Users\Admin\AppData\Roaming\3B188\8B96.B18

        Filesize

        600B

        MD5

        896cab25da8beb8b85b17b95cbb52f6d

        SHA1

        3133d41d3bde78e17178c4f6c8c91fba42abf6de

        SHA256

        1eb031f293333aeee4dcef8f5043d73b7626eafa155e22e03178eb61714eafea

        SHA512

        55d31f0db2ff277f15edc5378c0a71e78f35ffafb772f0c62d45e3c4898e5c1128ffe5e0650521ad9897d9218ce1f0aa6cdda2e6ee362618154c8feacb43aa13

      • C:\Users\Admin\AppData\Roaming\3B188\8B96.B18

        Filesize

        1KB

        MD5

        b3df6d55600267c0afbfa963dc7806bc

        SHA1

        326f53aecf72382df6c69b2003d7a81ad680cb0a

        SHA256

        8c9d16ef9be0d681e9ee9c015fbef800ad5216a8d08647e1992847e64874bf7f

        SHA512

        c8a0ec83e52802057c2d209d5b8a1a094168f3fc905298ea16bf977dcaefc26c30242e5a7057f65ffffe9e15c2aa89187d50ac4ed403c6008eb0a74d557b2cc7

      • \Program Files (x86)\LP\DAF3\A4F6.tmp

        Filesize

        97KB

        MD5

        ba97344303629a238cfca2f532434690

        SHA1

        5b33b602f875e3eb825c2832a2e7d3e4901c8771

        SHA256

        796a4920cfdc6e3d28d115ff6bb442a0e3be3b9ed4ee67d75ee35b4ffce537a9

        SHA512

        e78ffa32be0be8d0ae345ba008c94bb9cc474660e64b7134df67500bfdeb95ba747e637918cf1d190bd663efa6de331b3955213fba99d875687df97d4b0d9c89

      • memory/556-116-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

      • memory/556-117-0x00000000005E2000-0x0000000000604000-memory.dmp

        Filesize

        136KB

      • memory/1140-299-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

      • memory/1140-302-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

      • memory/1140-300-0x0000000000270000-0x0000000000370000-memory.dmp

        Filesize

        1024KB

      • memory/2308-283-0x0000000000270000-0x0000000000370000-memory.dmp

        Filesize

        1024KB

      • memory/2308-17-0x0000000000270000-0x0000000000370000-memory.dmp

        Filesize

        1024KB

      • memory/2308-16-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

      • memory/2876-3-0x00000000005C0000-0x00000000006C0000-memory.dmp

        Filesize

        1024KB

      • memory/2876-2-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

      • memory/2876-0-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

      • memory/2876-172-0x00000000005C0000-0x00000000006C0000-memory.dmp

        Filesize

        1024KB

      • memory/2876-114-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

      • memory/2876-301-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

      • memory/2876-14-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

      • memory/2876-306-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

      • memory/3012-281-0x0000000004160000-0x0000000004161000-memory.dmp

        Filesize

        4KB

      • memory/3012-304-0x0000000004160000-0x0000000004161000-memory.dmp

        Filesize

        4KB