Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
26/06/2024, 01:17
General
-
Target
103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe
-
Size
273KB
-
MD5
103969adfdbd2eab47535981cec6636f
-
SHA1
35236c66149a580a64c051fdb37626f891f72e7b
-
SHA256
4a31901feb4828ab1d5e99b5c6dccf9a547abc75ed244c4e1de4d42bef00dfbb
-
SHA512
7d1d4e03f29ad494fde1f6eb3817e0ca6fb8429d4daf8839de8897b557951c4fe027e9bc23a3a32e87bff90280c1015e910db9d73aaf190d62c48763a50556ab
-
SSDEEP
6144:GW8RGXHdb5K+QhEd3+NLmximO92D93aqnKpQ1i5cg1:GxRkdb5K+mEBAQ1iT
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 3 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\103969adfdbd2eab47535981cec6636f_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\B0741\AB4D5.exe%C:\Users\Admin\AppData\Roaming\B07412⤵
-
-
C:\Program Files (x86)\LP\D51B\B1C2.tmp"C:\Program Files (x86)\LP\D51B\B1C2.tmp"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\103969adfdbd2eab47535981cec6636f_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe startC:\Program Files (x86)\41D1B\lvvm.exe%C:\Program Files (x86)\41D1B2⤵
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
600B
MD54b8d616d7aaf4897d63d76d8a42b92df
SHA16d869ac49e7eb7d150f0b42a0c1149c623e60cbc
SHA256423644ac7e5b75c5f526ac4bde9df81e73041309d0d23e2e8c2a103b9206a184
SHA512308e25a144e4fd148f4c2567259f7cb4542f02b16a321271baea65039f715c11175c6aefe6d85a56615454ca4d420bd8db3a74630931e66321159217abc4ca50
-
Filesize
1KB
MD5600d0b15e9fcdec130c3ddaeae5342b6
SHA1fe37a32b514a229d71a16d3674e0d936109ffa53
SHA25658a7732ad6767cf4d7485d391f139308243d637620929f5e530ac6bdd02eb9df
SHA512087a609eda0ad970a1988c7c1858531f9a0c432d325d56d057bc3d1a6ab05ddfc9ce4903a8bd070b0b7d6495cb548018845b2498fb45149bff454a41aa66f189
-
Filesize
1KB
MD5e47f904f223498cb26507d1e475f8152
SHA198b01d1d52f686409ecaf261327ade1229a05062
SHA256b130c4d14541da437753d0bfc0d3fc869b96abec343e6cf15a8beb4f7248d075
SHA5125b236d688524dedb5296b2def05830276966ff26c95b27054207cd38abf04655a060f68e96b620e110430a7def3518619367ecc994fe26c4a1ab1ca2e19dc1bf
-
Filesize
897B
MD573dd5a34416a5bb3efce88e4075f155b
SHA1a87d97f65ab6704b37d6bc5b4ca0b4c9738b97b3
SHA256ba8c990d1bacfc3d31cfa03828a2279dadba93051c910f1cbf63cd667c3d93aa
SHA51246fdbbf1aacfbc835b794dc2f7517db2f3e4632f90ad549a7de8727f473b7843ad5bcda540cd0e3dc65c3288e9169e6b199b39200785e1e9d2b8b1a455f15a90
-
Filesize
96KB
MD574a1e9547eb8c42e9ca482c5c8bdd261
SHA1c56c60e84b4ef45065289636cfdfab21654acdb3
SHA256f4ac8ead1ff2f95c2b50405531d433d7af912b8f848095d3cb00401576ee90fb
SHA512ae90627a5f1485383b6de178aea4b36f9e44891d78fe5a274d1632727dd71906061323725a7c3c106b039cb65e10ea7e9c7d277ce35fb0ac6458fdc3e346ecb9
-
Filesize
112KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
416KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
416KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB