Analysis

  • max time kernel
    141s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/07/2024, 08:34 UTC

General

  • Target

    5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

  • Size

    286KB

  • MD5

    5b30734c86e13b3ecf4c464f8c1f1a66

  • SHA1

    d6023ba18d36ab1f3a79e722966cb03a7e02ddff

  • SHA256

    563410ebee67ab9c295168c8d26eff9ea363250c2e8a44066acbe85d14e2ad52

  • SHA512

    e6ec5ffe5e79b63742558a86510d92c5ccc50525c9a6745096e61c0bcd52532ca9d39867c9c83d0ea56765cb5d71cb0def2e5f8da6bee6036186868f6cd250a4

  • SSDEEP

    6144:OVq+UoZyYg4M4crK5XKOKzOVGPwyOV8N0cSCbdJ2rjm:OV2ajbx6pPwPuN0cbb/oi

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2320
    • C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\1FFA9\C7688.exe%C:\Users\Admin\AppData\Roaming\1FFA9
      2⤵
        PID:1900
      • C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe startC:\Program Files (x86)\A9F06\lvvm.exe%C:\Program Files (x86)\A9F06
        2⤵
          PID:2948
        • C:\Program Files (x86)\LP\8891\3A04.tmp
          "C:\Program Files (x86)\LP\8891\3A04.tmp"
          2⤵
          • Executes dropped EXE
          PID:1580
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2512
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1180

      Network

      • flag-us
        DNS
        csc3-2004-crl.verisign.com
        5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        csc3-2004-crl.verisign.com
        IN A
        Response
      • flag-us
        DNS
        cx7m.hoststorageforyou.com
        5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        cx7m.hoststorageforyou.com
        IN A
        Response
      • flag-us
        DNS
        cx7m.hoststorageforyou.com
        5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        cx7m.hoststorageforyou.com
        IN A
      • flag-us
        DNS
        patentgenius.com
        5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        patentgenius.com
        IN A
        Response
      • flag-us
        DNS
        patentgenius.com
        5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        patentgenius.com
        IN A
      • flag-us
        DNS
        5ptgqew2ey.wwwmediahosts.com
        5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        5ptgqew2ey.wwwmediahosts.com
        IN A
        Response
      • flag-us
        DNS
        -z92.wwwmediahosts.com
        5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        -z92.wwwmediahosts.com
        IN A
        Response
      • flag-us
        DNS
        6yqi.hoststorageforyou.com
        5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        6yqi.hoststorageforyou.com
        IN A
        Response
      • flag-us
        DNS
        TRANSERSDATAFORME.COM
        3A04.tmp
        Remote address:
        8.8.8.8:53
        Request
        TRANSERSDATAFORME.COM
        IN A
        Response
      • flag-us
        DNS
        www.google.com
        5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        www.google.com
        IN A
        Response
        www.google.com
        IN A
        142.250.180.4
      • flag-gb
        GET
        http://www.google.com/
        5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
        Remote address:
        142.250.180.4:80
        Request
        GET / HTTP/1.0
        Connection: close
        Host: www.google.com
        Accept: */*
        Response
        HTTP/1.0 302 Found
        Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGPTK6LQGIjD3tjWfiEI30vBI7QtNuhnPtBWySsujdS1nyf_zXAEXg8l5DsLLuo6AxkKMrS4TgtwyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
        x-hallmonitor-challenge: CgwI9MrotAYQlqWWwgISBMJuDUY
        Content-Type: text/html; charset=UTF-8
        Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-RHzFvUWKRtyEaXtlP3Mhmw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
        Date: Fri, 19 Jul 2024 08:36:04 GMT
        Server: gws
        Content-Length: 396
        X-XSS-Protection: 0
        X-Frame-Options: SAMEORIGIN
        Set-Cookie: AEC=AVYB7coY2eW3_iGR0XwSyMX5A2AdCtEzDcd-BnRiCjUjbJtebtNB7j9v_E8; expires=Wed, 15-Jan-2025 08:36:04 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
      • flag-gb
        GET
        http://www.google.com/
        5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
        Remote address:
        142.250.180.4:80
        Request
        GET / HTTP/1.1
        Connection: close
        Pragma: no-cache
        Host: www.google.com
        Response
        HTTP/1.1 302 Found
        Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGPfK6LQGIjDHuq3eSAjElvC9MaESFq0Yhwi7GaPgL3xnlnSp_pwh6iAsq1eLMrA9GHioBcAAoGoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
        x-hallmonitor-challenge: CgsI-MrotAYQhIqkexIEwm4NRg
        Content-Type: text/html; charset=UTF-8
        Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-zODqvbZ9D8cNRYU4vAWHCw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
        Date: Fri, 19 Jul 2024 08:36:08 GMT
        Server: gws
        Content-Length: 396
        X-XSS-Protection: 0
        X-Frame-Options: SAMEORIGIN
        Set-Cookie: AEC=AVYB7crMfqzmKuUrtb4fKYLlVPquFS7jg86f1N0aAfuEYCvIhtdnnPOG0g; expires=Wed, 15-Jan-2025 08:36:08 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
        Connection: close
      • flag-gb
        GET
        http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGPfK6LQGIjDHuq3eSAjElvC9MaESFq0Yhwi7GaPgL3xnlnSp_pwh6iAsq1eLMrA9GHioBcAAoGoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
        5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
        Remote address:
        142.250.180.4:80
        Request
        GET /sorry/index?continue=http://www.google.com/&q=EgTCbg1GGPfK6LQGIjDHuq3eSAjElvC9MaESFq0Yhwi7GaPgL3xnlnSp_pwh6iAsq1eLMrA9GHioBcAAoGoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
        Connection: close
        Pragma: no-cache
        Host: www.google.com
        Response
        HTTP/1.1 429 Too Many Requests
        Date: Fri, 19 Jul 2024 08:36:08 GMT
        Pragma: no-cache
        Expires: Fri, 01 Jan 1990 00:00:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Content-Type: text/html
        Server: HTTP server (unknown)
        Content-Length: 3052
        X-XSS-Protection: 0
        Connection: close
      • 127.0.0.1:49697
      • 142.250.180.4:80
        http://www.google.com/
        http
        5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
        446 B
        1.5kB
        8
        5

        HTTP Request

        GET http://www.google.com/

        HTTP Response

        302
      • 142.250.180.4:80
        http://www.google.com/
        http
        5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
        359 B
        1.5kB
        6
        5

        HTTP Request

        GET http://www.google.com/

        HTTP Response

        302
      • 127.0.0.1:49697
        5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
      • 142.250.180.4:80
        http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGPfK6LQGIjDHuq3eSAjElvC9MaESFq0Yhwi7GaPgL3xnlnSp_pwh6iAsq1eLMrA9GHioBcAAoGoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
        http
        5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
        960 B
        3.7kB
        10
        9

        HTTP Request

        GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGPfK6LQGIjDHuq3eSAjElvC9MaESFq0Yhwi7GaPgL3xnlnSp_pwh6iAsq1eLMrA9GHioBcAAoGoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

        HTTP Response

        429
      • 127.0.0.1:49697
        5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
      • 8.8.8.8:53
        csc3-2004-crl.verisign.com
        dns
        5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
        72 B
        127 B
        1
        1

        DNS Request

        csc3-2004-crl.verisign.com

      • 8.8.8.8:53
        cx7m.hoststorageforyou.com
        dns
        5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
        144 B
        145 B
        2
        1

        DNS Request

        cx7m.hoststorageforyou.com

        DNS Request

        cx7m.hoststorageforyou.com

      • 8.8.8.8:53
        patentgenius.com
        dns
        5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
        124 B
        135 B
        2
        1

        DNS Request

        patentgenius.com

        DNS Request

        patentgenius.com

      • 8.8.8.8:53
        5ptgqew2ey.wwwmediahosts.com
        dns
        5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
        74 B
        147 B
        1
        1

        DNS Request

        5ptgqew2ey.wwwmediahosts.com

      • 8.8.8.8:53
        -z92.wwwmediahosts.com
        dns
        5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
        68 B
        141 B
        1
        1

        DNS Request

        -z92.wwwmediahosts.com

      • 8.8.8.8:53
        6yqi.hoststorageforyou.com
        dns
        5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
        72 B
        145 B
        1
        1

        DNS Request

        6yqi.hoststorageforyou.com

      • 8.8.8.8:53
        TRANSERSDATAFORME.COM
        dns
        3A04.tmp
        67 B
        140 B
        1
        1

        DNS Request

        TRANSERSDATAFORME.COM

      • 8.8.8.8:53
        www.google.com
        dns
        5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
        60 B
        76 B
        1
        1

        DNS Request

        www.google.com

        DNS Response

        142.250.180.4

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Roaming\1FFA9\9F06.FFA

        Filesize

        996B

        MD5

        0836ef6f36e76603d17e41c1f60d6ff2

        SHA1

        61624bc59d1ace41d8ee1bf12c7569cb43b6b384

        SHA256

        f234ba7a5d13b4f3b26ab3c6d8b327550f788ae17adfe79c1cd82259fc42098b

        SHA512

        5d861a4484acd3464c8e4ebd8131f494f6078374bf106dc02d77cc0be400bbc1638e7840cef56baff9a7c151461dc2abae9e9d85b7c7c89ab9f79c28d0c28834

      • C:\Users\Admin\AppData\Roaming\1FFA9\9F06.FFA

        Filesize

        600B

        MD5

        15476410dc014f35b7dad512d4d20153

        SHA1

        9250d8a68aa0db60891a82a01cd66203e4cadcd4

        SHA256

        ecc8c23809cda18792722bee5c4c2e3333653aa9b832071f8ef997f79386b569

        SHA512

        d640075be5f98deb00e98b24d347a7687e6b624b02fd2e0ba90c98eb061e1e87f1ef28dd14d40a762b9935609129b0b29e9e170145382cf5b53f7428203d8db3

      • C:\Users\Admin\AppData\Roaming\1FFA9\9F06.FFA

        Filesize

        1KB

        MD5

        90d1dac0852abba04b1fa0748b98c9ba

        SHA1

        383991f905f257a71b9321dbfd49ff2f12d0514a

        SHA256

        b3fe67d7ab58cfadf2ed6baee599138116396623d5b59b0f6c0cc150703cab00

        SHA512

        bf38d1be2175920c5d7f8d897d0854f95031b34862e2f522d0599dfda6f1e887ee3de7a9d67459a338cd498cd91b3e0a89c6288f446014b6976413d00a57c8c9

      • \Program Files (x86)\LP\8891\3A04.tmp

        Filesize

        101KB

        MD5

        c932041a7e800a1a80890dbe7d984243

        SHA1

        275e521889eaca58e193a5e7a6675fd08a6b6418

        SHA256

        2890d67e3a1b817a45e95fb5d7238c2761fad5a0c9fec3280e1be2c1a00d5c02

        SHA512

        b111ade33c5982232722d81f9c1329c3d875aa1be7a8870371cff9eba51390c05d70b9ce680241932463459fb550ded667a702e754a762f88d88e73b850275ef

      • memory/1580-302-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

      • memory/1900-14-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/1900-13-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2320-122-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2320-126-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/2320-1-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/2320-11-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2320-301-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2320-2-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2320-305-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2320-306-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2948-124-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2948-125-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB
