Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/07/2024, 08:34

General

  • Target

    5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

  • Size

    286KB

  • MD5

    5b30734c86e13b3ecf4c464f8c1f1a66

  • SHA1

    d6023ba18d36ab1f3a79e722966cb03a7e02ddff

  • SHA256

    563410ebee67ab9c295168c8d26eff9ea363250c2e8a44066acbe85d14e2ad52

  • SHA512

    e6ec5ffe5e79b63742558a86510d92c5ccc50525c9a6745096e61c0bcd52532ca9d39867c9c83d0ea56765cb5d71cb0def2e5f8da6bee6036186868f6cd250a4

  • SSDEEP

    6144:OVq+UoZyYg4M4crK5XKOKzOVGPwyOV8N0cSCbdJ2rjm:OV2ajbx6pPwPuN0cbb/oi

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Pony,Fareit

    Pony (also tracked as Fareit) is a credential-stealing trojan: it harvests saved logins from FTP clients, browsers and mail clients, exfiltrates them to its C2, and can download and run further payloads.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components; the command in its StubPath value runs for each user at their next logon.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
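
The "UPX packed file" signature above keys on the section table of the executable. The following Python, an added example and not part of the Triage report, walks a PE header and reports the two indicators stock UPX leaves behind: UPX-named sections, and a first section with no raw data on disk (the unpack destination) whose entry point lies in a later section (the decompressor stub). The second indicator is what still fires when a modified UPX build renames its sections. The PE images it checks are constructed header-only byte strings, not this sample; `build_pe` and every section value in it are assumptions made for the illustration.

```python
import struct

# Section names written by stock UPX.  A modified UPX build can rename them,
# so the structural heuristic below is kept as a second, independent signal.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX3"}


def parse_sections(pe: bytes):
    """Return (entry_point_rva, [(name, virtual_size, virtual_address, raw_size), ...]).

    Minimal PE32/PE32+ header walk: DOS header -> e_lfanew -> COFF header ->
    optional header -> section table.  Raises ValueError on malformed input.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    try:
        num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
        size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
        opt = coff + 20
        magic = struct.unpack_from("<H", pe, opt)[0]
        if magic not in (0x10B, 0x20B):  # PE32 / PE32+
            raise ValueError(f"unexpected optional header magic {magic:#x}")
        entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint
        sections = []
        for i in range(num_sections):
            name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", pe, opt + size_opt + 40 * i)
            sections.append((name.rstrip(b"\0"), vsize, vaddr, rawsize))
    except struct.error as exc:
        raise ValueError("truncated PE header") from exc
    return entry_rva, sections


def upx_indicators(pe: bytes) -> dict:
    """Score a PE for UPX packing using section names plus section-table shape."""
    entry_rva, sections = parse_sections(pe)
    has_upx_names = bool({s[0] for s in sections} & UPX_SECTION_NAMES)
    # Stock UPX layout: the first section (UPX0) is the unpack destination and
    # carries no raw data on disk, while the entry point lands in a later
    # section (UPX1) that holds the compressed payload and the decompressor.
    first = sections[0] if sections else None
    first_no_raw = first is not None and first[3] == 0 and first[1] > 0
    entry_outside_first = first is not None and not (first[2] <= entry_rva < first[2] + first[1])
    return {
        "section_names": [s[0].decode("ascii", "replace") for s in sections],
        "upx_section_names": has_upx_names,
        "first_section_no_raw_data": first_no_raw,
        "entry_outside_first_section": entry_outside_first,
        "likely_upx": has_upx_names or (first_no_raw and entry_outside_first),
    }


def build_pe(section_headers, entry_rva):
    """Constructed header-only PE32 image for offline testing (no real code inside)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    size_opt = 0xE0                                              # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_headers), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                   # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, rawsize, rawptr, chars in section_headers
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed layouts (assumed values, not taken from the sample): stock UPX,
# a "modified UPX" with renamed sections, and a plain linker-produced binary.
PACKED = build_pe(
    [(b"UPX0", 0x60000, 0x1000, 0, 0x400, 0xE0000080),
     (b"UPX1", 0xA000, 0x61000, 0x9E00, 0x400, 0xE0000040),
     (b".rsrc", 0x1000, 0x6B000, 0x800, 0xA200, 0xC0000040)],
    entry_rva=0x6AF60)
RENAMED = build_pe(
    [(b".text", 0x60000, 0x1000, 0, 0x400, 0xE0000080),
     (b".data", 0xA000, 0x61000, 0x9E00, 0x400, 0xE0000040)],
    entry_rva=0x6AF60)
CLEAN = build_pe(
    [(b".text", 0x5000, 0x1000, 0x5000, 0x400, 0x60000020),
     (b".data", 0x1000, 0x6000, 0x200, 0x5400, 0xC0000040)],
    entry_rva=0x1200)

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("renamed", RENAMED), ("clean", CLEAN)):
        print(label, upx_indicators(image))
```

Run it on a real file with `upx_indicators(open(path, "rb").read())`; treat `likely_upx` as a triage hint, since a compressed binary with `.rsrc` after `UPX1` is still caught (the check looks only at the first section), while an unpacker that also rewrites the first section's raw size will need a different signal such as section entropy.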

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2320
    • C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\1FFA9\C7688.exe%C:\Users\Admin\AppData\Roaming\1FFA9
      2⤵
      PID:1900
    • C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe startC:\Program Files (x86)\A9F06\lvvm.exe%C:\Program Files (x86)\A9F06
      2⤵
      PID:2948
    • C:\Program Files (x86)\LP\8891\3A04.tmp
      "C:\Program Files (x86)\LP\8891\3A04.tmp"
      2⤵
      • Executes dropped EXE
      PID:1580
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2512
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1180
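
The two child processes of PID 2320 are the sample re-launching itself with a `start<payload path>%<payload directory>` argument, which names two dropped files (C7688.exe under AppData\Roaming\1FFA9 and lvvm.exe under Program Files (x86)\A9F06) that the Downloads list below does not contain. The Python below, an added example rather than part of the Triage report, parses the tree format used on this page (the `N⤵` depth markers) to recover parent/child PIDs and pulls those paths out as IOCs. The sample text is a constructed copy of part of the tree above; the split of the argument on `%` is an observation of the command lines shown, not documented behaviour of the family.

```python
import re

# Constructed copy of part of the process tree above (paths and PIDs as shown
# in the report); the explorer.exe entry is omitted for brevity.
SAMPLE_TREE = r"""
• C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe"
  1⤵
  • Modifies security service
  • Adds Run key to start application
  PID:2320
  • C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\1FFA9\C7688.exe%C:\Users\Admin\AppData\Roaming\1FFA9
    2⤵
    PID:1900
  • C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe startC:\Program Files (x86)\A9F06\lvvm.exe%C:\Program Files (x86)\A9F06
    2⤵
    PID:2948
  • C:\Program Files (x86)\LP\8891\3A04.tmp
    "C:\Program Files (x86)\LP\8891\3A04.tmp"
    2⤵
    • Executes dropped EXE
    PID:1580
• C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  1⤵
  • Suspicious use of AdjustPrivilegeToken
  PID:2512
"""

DEPTH_RE = re.compile(r"^(\d+)⤵$")
PID_RE = re.compile(r"^PID:(\d+)$")
# "start<payload path>%<payload directory>" as seen in the re-exec command lines
START_ARG_RE = re.compile(r"\bstart(?P<path>[A-Za-z]:\\[^%]+)%(?P<dir>[A-Za-z]:\\.*)$")


def parse_tree(text):
    """Rebuild parent/child links from the 'N⤵' depth markers.

    Each process is: image bullet, command line, depth marker, zero or more
    signature bullets, then 'PID:n'.  Parent is the last process one level up.
    """
    nodes, last_at_depth, buffer, current, in_sigs = [], {}, [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DEPTH_RE.match(line)
        if m:
            if len(buffer) < 2:
                raise ValueError("depth marker without image and command line")
            depth = int(m.group(1))
            current = {"image": buffer[-2], "cmdline": buffer[-1], "depth": depth,
                       "pid": None, "parent": last_at_depth.get(depth - 1), "signatures": []}
            nodes.append(current)
            last_at_depth[depth] = current
            buffer, in_sigs = [], True
            continue
        m = PID_RE.match(line)
        if m and current is not None:
            current["pid"] = int(m.group(1))
            in_sigs = False
            continue
        body = line[1:].strip() if line.startswith("•") else line
        if in_sigs and line.startswith("•"):
            current["signatures"].append(body)
        else:
            buffer.append(body)
    return nodes


def dropped_payloads(nodes):
    """Pull payload path/directory pairs out of start<path>%<dir> command lines."""
    found = []
    for n in nodes:
        m = START_ARG_RE.search(n["cmdline"])
        if m:
            found.append({"pid": n["pid"],
                          "ppid": n["parent"]["pid"] if n["parent"] else None,
                          "path": m.group("path"), "dir": m.group("dir")})
    return found


if __name__ == "__main__":
    for hit in dropped_payloads(parse_tree(SAMPLE_TREE)):
        print(hit)
```

The two extracted paths are the ones to hunt for on disk and in the Run key the report says the sample adds; `3A04.tmp` needs no extraction because it is already listed under Downloads with its hashes.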

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Roaming\1FFA9\9F06.FFA

        Filesize

        996B

        MD5

        0836ef6f36e76603d17e41c1f60d6ff2

        SHA1

        61624bc59d1ace41d8ee1bf12c7569cb43b6b384

        SHA256

        f234ba7a5d13b4f3b26ab3c6d8b327550f788ae17adfe79c1cd82259fc42098b

        SHA512

        5d861a4484acd3464c8e4ebd8131f494f6078374bf106dc02d77cc0be400bbc1638e7840cef56baff9a7c151461dc2abae9e9d85b7c7c89ab9f79c28d0c28834

      • C:\Users\Admin\AppData\Roaming\1FFA9\9F06.FFA

        Filesize

        600B

        MD5

        15476410dc014f35b7dad512d4d20153

        SHA1

        9250d8a68aa0db60891a82a01cd66203e4cadcd4

        SHA256

        ecc8c23809cda18792722bee5c4c2e3333653aa9b832071f8ef997f79386b569

        SHA512

        d640075be5f98deb00e98b24d347a7687e6b624b02fd2e0ba90c98eb061e1e87f1ef28dd14d40a762b9935609129b0b29e9e170145382cf5b53f7428203d8db3

      • C:\Users\Admin\AppData\Roaming\1FFA9\9F06.FFA

        Filesize

        1KB

        MD5

        90d1dac0852abba04b1fa0748b98c9ba

        SHA1

        383991f905f257a71b9321dbfd49ff2f12d0514a

        SHA256

        b3fe67d7ab58cfadf2ed6baee599138116396623d5b59b0f6c0cc150703cab00

        SHA512

        bf38d1be2175920c5d7f8d897d0854f95031b34862e2f522d0599dfda6f1e887ee3de7a9d67459a338cd498cd91b3e0a89c6288f446014b6976413d00a57c8c9

      • \Program Files (x86)\LP\8891\3A04.tmp

        Filesize

        101KB

        MD5

        c932041a7e800a1a80890dbe7d984243

        SHA1

        275e521889eaca58e193a5e7a6675fd08a6b6418

        SHA256

        2890d67e3a1b817a45e95fb5d7238c2761fad5a0c9fec3280e1be2c1a00d5c02

        SHA512

        b111ade33c5982232722d81f9c1329c3d875aa1be7a8870371cff9eba51390c05d70b9ce680241932463459fb550ded667a702e754a762f88d88e73b850275ef

      • memory/1580-302-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

      • memory/1900-14-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/1900-13-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2320-122-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2320-126-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/2320-1-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/2320-11-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2320-301-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2320-2-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2320-305-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2320-306-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2948-124-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2948-125-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB