Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

f6b4827fdd...18.exe

windows7-x64

10

f6b4827fdd...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25/09/2024, 19:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6b4827fddfafeebc88c1245f181d533_JaffaCakes118.exe

  • Size

    496KB

  • MD5

    f6b4827fddfafeebc88c1245f181d533

  • SHA1

    446ff5efa612e66154203b0df80ecfc6ac89e93e

  • SHA256

    f70966aa442c445dd69509bd0dd51a6fac5c0987ade0e764d62600283e6d0753

  • SHA512

    40babdbea97c1216e0abea01ac05642e5adae3e7c5b998d07676684de2528f45d5af5cb26e9ebbf16b53d383037799452be33e91fdfdbc4841d0ebfd8fe68f7e

  • SSDEEP

    12288:IDCPENnBV5jaHBoFvZstQW012B04Ngjw5qu8jxTQlDrLOM:IEEZBV5jCoFvZsSWG2BdN+w2+O

Score
10/10
ponycredential_accessdiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables taskbar notifications via registry modification
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Adds Run key to start application 2 TTPs 51 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of SetThreadContext 5 IoCs
  • UPX packed file 29 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6b4827fddfafeebc88c1245f181d533_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f6b4827fddfafeebc88c1245f181d533_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Users\Admin\j29oAE.exe
      C:\Users\Admin\j29oAE.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Users\Admin\jaaoliy.exe
        "C:\Users\Admin\jaaoliy.exe"
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2400
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del j29oAE.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2820
    • C:\Users\Admin\2men.exe
      C:\Users\Admin\2men.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2344
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3008
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        • Maps connected drives based on registry
        • Suspicious behavior: EnumeratesProcesses
        PID:1324
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1820
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        PID:1796
    • C:\Users\Admin\3men.exe
      C:\Users\Admin\3men.exe
      2⤵
      • Modifies security service
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • System policy modification
      PID:664
      • C:\Users\Admin\3men.exe
        C:\Users\Admin\3men.exe startC:\Users\Admin\AppData\Roaming\BFEE0\AC432.exe%C:\Users\Admin\AppData\Roaming\BFEE0
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2164
      • C:\Users\Admin\3men.exe
        C:\Users\Admin\3men.exe startC:\Program Files (x86)\E0BF1\lvvm.exe%C:\Program Files (x86)\E0BF1
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2204
      • C:\Program Files (x86)\LP\32FB\930C.tmp
        "C:\Program Files (x86)\LP\32FB\930C.tmp"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1032
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del f6b4827fddfafeebc88c1245f181d533_JaffaCakes118.exe
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1600
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2496
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1576
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

5
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Query Registry

3
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\BFEE0\0BF1.FEE
    Filesize

    300B

    MD5

    7aaaf6ebf8b4643914105e2e6b6bb8ae

    SHA1

    30a5bace23de49e04c0cf9f5c0df16c3defb3ef0

    SHA256

    54012c4ba21a0474974c33d98231181b31b06621e78af7e4a441c7176cb2d465

    SHA512

    ef066c75c5e6c6b604398e1f5d7e251c21f51d0d4f20e2e5c47bb1c05b9bf4b2f951d7b9327129726712cf1406d9445b8c5fc4fc74d855afb5d096ee6e6f9b9a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\BFEE0\0BF1.FEE
    Filesize

    600B

    MD5

    f9a2e55aa283fb878240aaa0d4a1de05

    SHA1

    fb78e9ea7d90c62aa991812a4361f4014c0b8f4b

    SHA256

    e13937d9b03e0cd2abb0d3cb84c78dfdce67f5dd08afd9f8d8c560ece68fedb0

    SHA512

    f6e4ebee09ac472cecd97032dc30e4970d0f060f8132cdb59cda284ce5029c46956f73d30835a9560a210c4291238efc6774ec8acb1aee10286a973f5e489b26

    Download Submit

  • C:\Users\Admin\AppData\Roaming\BFEE0\0BF1.FEE
    Filesize

    996B

    MD5

    3368a5d72865f82d7d181d2b39fca3a1

    SHA1

    03f767204064ca06d862d6c0603262e1507f2b1f

    SHA256

    97602508b87c31957852e5a4648da13858f05ce733c1f43714f6f29e66c6a562

    SHA512

    e168e4215e47b2b81a86757d6c787b16f71475b3529a617077ef2e60e8be78f523df4ce98ccbfef854c3959726cb98194257eb7fa8d8f86d594ca45f998a12b2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\BFEE0\0BF1.FEE
    Filesize

    1KB

    MD5

    edf6c8a9ad18cfd6788ec9a419461a38

    SHA1

    4b5539af8050e44a1ec916bab61c4d383e119bc3

    SHA256

    7d555b6edd8cdd521125a44d4742204c7c9dd6ae2da250581a9f78f51122f42f

    SHA512

    df16c364276599249a005d09710040a3f37937d0ca00f1998d119070504502d27d8f7ef7f77b3a6c2f7f26cc9c48a012d2d46af5586585742ddc0d813537e367

    Download Submit

  • C:\Users\Admin\jaaoliy.exe
    Filesize

    176KB

    MD5

    420aa645842adc6462d46f8d8c19f110

    SHA1

    faff609f56269987a64b6c2f6860f062d59d2249

    SHA256

    399864ba2745d91c04d626ca7630ffed975ab758894658acbff51c3d71b278b5

    SHA512

    85a8e765fff50496ba18a0b1b7f143f6966a25bc748e582f08c52362a9bd33af19f29aa7815053f21ba9e7e13646cd9f4e45c4bf1545a1e74e18db140df548d6

    Download Submit

  • \Program Files (x86)\LP\32FB\930C.tmp
    Filesize

    96KB

    MD5

    6b9ed8570a1857126c8bf99e0663926c

    SHA1

    94e08d8a0be09be35f37a9b17ec2130febfa2074

    SHA256

    888e4e571a6f78ee81d94ab56bd033d413f9160f1089073176b03c91878aae2d

    SHA512

    23211a1b71f1d05ad7f003231da826220ac4940e48071135cc3fba14708123fa0292e2e71c294a8086d8dc5f90dd32c4da3b41e6857c56f38cb325d78cb14880

    Download Submit

  • \Users\Admin\2men.exe
    Filesize

    132KB

    MD5

    945a713b037b50442ec5d18d3dc0d55e

    SHA1

    2c8881b327a79fafcce27479b78f05487d93c802

    SHA256

    2da470571a64bcdeb56f62c916ee2bffa87ccc6c028b7c8cb0132d09bceedd2f

    SHA512

    0eab4bb5d04725cc20e463ae6959f71064674602f8ee7b3c9b2db75e928b9a0b1bdc94233dc261f6277d02e54a443b42a59b12aaebb8bbf243f0940344fbf385

    Download Submit

  • \Users\Admin\3men.exe
    Filesize

    271KB

    MD5

    0d668203e24463de2bf228f00443b7bc

    SHA1

    eacff981d71f6648f6315e508bfd75e11683dba8

    SHA256

    509d530e99839d7dbc8fccac163420d9dc455fb478fa57fdec1b7a2ef629d7bc

    SHA512

    3251bb1341bd466e71468d72723bd5cf545dbd232327f343b44c51daae8755ed3caa02f74adbb0304912769346fa90dfa4c7036c211836e5650bdb06993ba803

    Download Submit

  • \Users\Admin\j29oAE.exe
    Filesize

    176KB

    MD5

    c4a634088e095eab98183984bb7252d8

    SHA1

    c205f2c1f8040c9205c6c06accd75c0396c59781

    SHA256

    db345985313397a39cc2817134315c8db71ab4c48680e62c0358db406b0eff6a

    SHA512

    b6a30f6d5cc30bee9b9d483629f16c80c5338360cec629f9ee2a3307b73b9743fd71396e408ac72008b84f4b8fded26002c910421853253b52b8b4d530df7a8e

    Download Submit

  • memory/664-288-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/664-179-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/1324-74-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1324-75-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1324-174-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1324-65-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1324-69-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1324-67-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1324-76-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1820-177-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1820-79-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1820-81-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1820-86-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1820-88-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1820-84-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2164-181-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2204-290-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2344-47-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2344-48-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2344-38-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2344-40-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2344-102-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2344-42-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2344-44-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2344-45-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2344-51-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/3004-106-0x0000000002980000-0x000000000343A000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/3008-64-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3008-62-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3008-61-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3008-52-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3008-54-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3008-59-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3008-56-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download