Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/06/2024, 01:17

General

  • Target

    103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe

  • Size

    273KB

  • MD5

    103969adfdbd2eab47535981cec6636f

  • SHA1

    35236c66149a580a64c051fdb37626f891f72e7b

  • SHA256

    4a31901feb4828ab1d5e99b5c6dccf9a547abc75ed244c4e1de4d42bef00dfbb

  • SHA512

    7d1d4e03f29ad494fde1f6eb3817e0ca6fb8429d4daf8839de8897b557951c4fe027e9bc23a3a32e87bff90280c1015e910db9d73aaf190d62c48763a50556ab

  • SSDEEP

    6144:GW8RGXHdb5K+QhEd3+NLmximO92D93aqnKpQ1i5cg1:GxRkdb5K+mEBAQ1iT

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1964
    • C:\Users\Admin\AppData\Local\Temp\103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\B0741\AB4D5.exe%C:\Users\Admin\AppData\Roaming\B0741
      2⤵
      PID:1656
    • C:\Program Files (x86)\LP\D51B\B1C2.tmp
      "C:\Program Files (x86)\LP\D51B\B1C2.tmp"
      2⤵
      • Executes dropped EXE
      PID:1456
    • C:\Users\Admin\AppData\Local\Temp\103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe startC:\Program Files (x86)\41D1B\lvvm.exe%C:\Program Files (x86)\41D1B
      2⤵
      PID:1604
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2672
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1588

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Roaming\B0741\1D1B.074

        Filesize

        600B

        MD5

        4b8d616d7aaf4897d63d76d8a42b92df

        SHA1

        6d869ac49e7eb7d150f0b42a0c1149c623e60cbc

        SHA256

        423644ac7e5b75c5f526ac4bde9df81e73041309d0d23e2e8c2a103b9206a184

        SHA512

        308e25a144e4fd148f4c2567259f7cb4542f02b16a321271baea65039f715c11175c6aefe6d85a56615454ca4d420bd8db3a74630931e66321159217abc4ca50

      • C:\Users\Admin\AppData\Roaming\B0741\1D1B.074

        Filesize

        1KB

        MD5

        600d0b15e9fcdec130c3ddaeae5342b6

        SHA1

        fe37a32b514a229d71a16d3674e0d936109ffa53

        SHA256

        58a7732ad6767cf4d7485d391f139308243d637620929f5e530ac6bdd02eb9df

        SHA512

        087a609eda0ad970a1988c7c1858531f9a0c432d325d56d057bc3d1a6ab05ddfc9ce4903a8bd070b0b7d6495cb548018845b2498fb45149bff454a41aa66f189

      • C:\Users\Admin\AppData\Roaming\B0741\1D1B.074

        Filesize

        1KB

        MD5

        e47f904f223498cb26507d1e475f8152

        SHA1

        98b01d1d52f686409ecaf261327ade1229a05062

        SHA256

        b130c4d14541da437753d0bfc0d3fc869b96abec343e6cf15a8beb4f7248d075

        SHA512

        5b236d688524dedb5296b2def05830276966ff26c95b27054207cd38abf04655a060f68e96b620e110430a7def3518619367ecc994fe26c4a1ab1ca2e19dc1bf

      • C:\Users\Admin\AppData\Roaming\B0741\1D1B.074

        Filesize

        897B

        MD5

        73dd5a34416a5bb3efce88e4075f155b

        SHA1

        a87d97f65ab6704b37d6bc5b4ca0b4c9738b97b3

        SHA256

        ba8c990d1bacfc3d31cfa03828a2279dadba93051c910f1cbf63cd667c3d93aa

        SHA512

        46fdbbf1aacfbc835b794dc2f7517db2f3e4632f90ad549a7de8727f473b7843ad5bcda540cd0e3dc65c3288e9169e6b199b39200785e1e9d2b8b1a455f15a90

      • \Program Files (x86)\LP\D51B\B1C2.tmp

        Filesize

        96KB

        MD5

        74a1e9547eb8c42e9ca482c5c8bdd261

        SHA1

        c56c60e84b4ef45065289636cfdfab21654acdb3

        SHA256

        f4ac8ead1ff2f95c2b50405531d433d7af912b8f848095d3cb00401576ee90fb

        SHA512

        ae90627a5f1485383b6de178aea4b36f9e44891d78fe5a274d1632727dd71906061323725a7c3c106b039cb65e10ea7e9c7d277ce35fb0ac6458fdc3e346ecb9

      • memory/1456-192-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

      • memory/1604-199-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/1656-67-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/1964-14-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/1964-2-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/1964-197-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/1964-191-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/1964-1-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/1964-309-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/1964-15-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/1964-318-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB