Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/09/2024, 22:13

General

  • Target

    d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe

  • Size

    285KB

  • MD5

    d08d38f7c1f0b8274d2df4d6005c9cd7

  • SHA1

    976f3b6b6fef5fdd82cbc9c10c743b310196000d

  • SHA256

    ca08ebe87319833c7ea87b1618c7e6c11a8c701b0f14256d618c116ee83d90a7

  • SHA512

    c3954f197603bf21e886a1b53be7249c3c5f24464172a0f3c842721b1db628fd276ab1e22d3d1819a3f1d5cc36371c8b9a7e58581867636538597cbe88ac0336

  • SSDEEP

    6144:q31JYTtoMLh+3p26R+7O1ysus4rGLZDPb9fU2Zum:2wcp2WuvyZDPxfU2ZZ

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2268
    • C:\Users\Admin\AppData\Local\Temp\d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\48457\7D81A.exe%C:\Users\Admin\AppData\Roaming\48457
      2⤵
        PID:896
      • C:\Users\Admin\AppData\Local\Temp\d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe startC:\Program Files (x86)\576F8\lvvm.exe%C:\Program Files (x86)\576F8
        2⤵
          PID:568
        • C:\Program Files (x86)\LP\1A34\868E.tmp
          "C:\Program Files (x86)\LP\1A34\868E.tmp"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2176
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2704
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1740

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Roaming\48457\76F8.845

        Filesize

        996B

        MD5

        f40fdfa5adbdd292d6b3df015b422290

        SHA1

        5f3d8ffce54eb7927b180c080a4f0da46ed7441a

        SHA256

        bb5e037cff006e8a67ebb6e839817536d081a3f806862d90cdff66c73f9a4160

        SHA512

        1aab4e56449fcc7f6799932feeaf98f6ef0f5cc02fa925b0113b5032a2fbafcdcb103064986eb31f91d8d4d8bf10552601812e19982ace294bc96fd8270b5b1f

      • C:\Users\Admin\AppData\Roaming\48457\76F8.845

        Filesize

        600B

        MD5

        dcd51a0434db5e21e6faac7e3a83c8cf

        SHA1

        12348bc1fcf481383ee161c6ec6cb7f4f745451d

        SHA256

        4982753263198dd92fd42237a1040a043cd2fb1ef91822b7dd23f9553e6e4dbb

        SHA512

        716e531eba8423d45caf2734e6d10df2e6e217800dd73a5df6f8aaafb6ad158d080f842b2fde6626785c79e9d8dd952e9ae573fa21f71ccbf4a0b3b8da935b39

      • C:\Users\Admin\AppData\Roaming\48457\76F8.845

        Filesize

        1KB

        MD5

        783492dcc62ec5b7ba83ab44eddd3bd3

        SHA1

        8c2838c46425fa324a242f3eacb94c59e5b041f4

        SHA256

        ffe72ffadf7c464fdb7b54cc2fb7fab3dfd295d0af9d4141295b8e45459e5265

        SHA512

        2066004fe4971e985615a6703f12c069a1a68f1424d6f28d629eb2b2c114bb6ad4ea2a360dcb5c4c96416efca9cc72e488b0d1fee959f54edaa11378ec8aac19

      • C:\Users\Admin\AppData\Roaming\48457\76F8.845

        Filesize

        300B

        MD5

        534f026328614736c233df4a57f00117

        SHA1

        54e1bea297ffed3a254ba29be4fb85dba6c34663

        SHA256

        896b1a4e0cf436f3fe2c4d84b63a3092f87db0874463956c99635f7354616649

        SHA512

        e325f1571cb9f78382c0813c51146b48e547be2c62c8eb5c2c12af783418b5489b5fbd0ed60999e8b540e5ab325493eb29ffa56193464cf4cf4eb692d8436e3d

      • \Program Files (x86)\LP\1A34\868E.tmp

        Filesize

        101KB

        MD5

        d05e213f1756ab068c1d0c2ff369f13f

        SHA1

        d4fd2de345b7cd63a60f74529cef21c2ef1ddd02

        SHA256

        e66de59c866eb7d4576a153630b056450c79ca0a1063c09e3f46223c144d4db7

        SHA512

        f713d260921e07b8521de257548630439375f574e2fc68bec305809e80df6d70a1674642e94572aecd6e3692a64587f3e9e5f3506ea6dadfd9cc46aa3f7e8422

      • memory/568-122-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/896-15-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/896-13-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/896-16-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/2176-306-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

      • memory/2268-120-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/2268-2-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/2268-1-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/2268-11-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/2268-305-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/2268-14-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/2268-309-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB