Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

f9c870d2e4...18.exe

windows7-x64

10

f9c870d2e4...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    19/04/2024, 07:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f9c870d2e4af62dff412d6ca65babb18_JaffaCakes118.exe

  • Size

    288KB

  • MD5

    f9c870d2e4af62dff412d6ca65babb18

  • SHA1

    7685d690c54281dc59afe696b07d4fa5acbe1cc4

  • SHA256

    37bf70df08384ed0262f88b296f8b961c8b11426578971d2b985a7cbadcd0f21

  • SHA512

    db05efd25166a70831586597dd82c3af85d3889eca32b07dcf108f78678e1c5014e7c50cc07879607a5629442f3c617db77506f64ffc0e4389aebc5c29c863ee

  • SSDEEP

    6144:xX8JX6MQUXu+9qjCTWeqKas8hiAHlkyvbhA5qLXtE8VZP6lnrlZdgpP:usM7u+xWEAyeAGy8V168P

Score
10/10
ponydiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Disables taskbar notifications via registry modification
    evasion
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\f9c870d2e4af62dff412d6ca65babb18_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f9c870d2e4af62dff412d6ca65babb18_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2340
    • C:\Users\Admin\AppData\Local\Temp\f9c870d2e4af62dff412d6ca65babb18_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\f9c870d2e4af62dff412d6ca65babb18_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\8AF89\C490F.exe%C:\Users\Admin\AppData\Roaming\8AF89
      2⤵
        PID:928
      • C:\Users\Admin\AppData\Local\Temp\f9c870d2e4af62dff412d6ca65babb18_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\f9c870d2e4af62dff412d6ca65babb18_JaffaCakes118.exe startC:\Program Files (x86)\8924A\lvvm.exe%C:\Program Files (x86)\8924A
        2⤵
          PID:380
        • C:\Program Files (x86)\LP\0F08\9AC9.tmp
          "C:\Program Files (x86)\LP\0F08\9AC9.tmp"
          2⤵
          • Executes dropped EXE
          PID:1184
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2580
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1888

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\8AF89\924A.AF8
        Filesize

        996B

        MD5

        2509b7ce1b0de5609fd200aa966de3dc

        SHA1

        9832df41dd1056a7a7edbd6601396d01990398b0

        SHA256

        4894a94dcea14ceec10b6c2880da677c345df99e8476fb0ecba7547a36d14cba

        SHA512

        08d517215f0733525e6826b269f4c76e01098cdad34eddcb9579a405e46fe690cef65ddbd25886b4cded750fe81bc70b0cd183c7bbbef7733e0bb340f77ac542

        Download Submit

      • C:\Users\Admin\AppData\Roaming\8AF89\924A.AF8
        Filesize

        1KB

        MD5

        fffd9f2c5a5e37b6efea70c464870779

        SHA1

        b8809a786d35bf935cce86202683d3e9572eb7be

        SHA256

        e4405cf7c71ddd03e6c80c1f1548524e31231e765f3f94f76afe2352ec432009

        SHA512

        f2186013470d52ae483224decbd0dd76c0f12652edc12206bec13fa682c51bea02185e12d5e209c672b6be9eb94c66758155d8174021c2953511abba5c890acd

        Download Submit

      • C:\Users\Admin\AppData\Roaming\8AF89\924A.AF8
        Filesize

        600B

        MD5

        902ab1bdc73921f2bf0c300eca5edf3c

        SHA1

        ef48aedeee381cfdfac98a0710bd1852e19dd76f

        SHA256

        fba1d0fe1bad7812d6110c4a38930d2d231c88b99d0350c178d334dd98e205d3

        SHA512

        82a708063c32e210d91f2f8484eb0b952c1aeb5ae3a3c2a51f4d2d4168bed74ffea78fb5f669a02997cdf2fdc595ee91083cf99bffb36807f5d0562aade7ee41

        Download Submit

      • \Program Files (x86)\LP\0F08\9AC9.tmp
        Filesize

        102KB

        MD5

        3dd4e5cd0cb32f735268a740c647065a

        SHA1

        5e88431137152bf76f61d06b1c2086ecd5082a76

        SHA256

        a1cb303db454c3faa73fa6705c9a7ce126110615879047fbd579d2c813fba535

        SHA512

        37463297b6e127dc2689f2b998b14042189baa26727ab1770fc482035b09df2cd3f349fb11038fabde84d0b4a5a07bfc6b5c619001ddc70c9c37c0aa87b3fe04

        Download Submit

      • memory/380-121-0x00000000002B5000-0x00000000002FC000-memory.dmp

        Filesize

        284KB

        Download

      • memory/380-120-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/928-13-0x0000000000315000-0x000000000035C000-memory.dmp

        Filesize

        284KB

        Download

      • memory/928-12-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/1184-311-0x00000000002F0000-0x00000000003F0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1184-310-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

        Download

      • memory/1184-313-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

        Download

      • memory/1888-293-0x0000000004570000-0x0000000004571000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1888-315-0x0000000004570000-0x0000000004571000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2340-118-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/2340-168-0x0000000000520000-0x0000000000620000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2340-14-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/2340-1-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/2340-2-0x0000000000520000-0x0000000000620000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2340-312-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/2340-317-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download