Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

fb0932b0ee...18.exe

windows7-x64

10

fb0932b0ee...18.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    97s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    27/09/2024, 22:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fb0932b0ee1c241483f0de55c384dfee_JaffaCakes118.exe

  • Size

    496KB

  • MD5

    fb0932b0ee1c241483f0de55c384dfee

  • SHA1

    4cf463ec09cecd7bd6869693c1cfd7c0d287fa8e

  • SHA256

    0e5e78aa194601a67dec4c8645062eee0770e35c94a094f6aabe453037dc6020

  • SHA512

    2d7fcbadf59fd0213c918ec0ec7f37c32fac5e7da1e562a00c6ac0cb4296799904447ff75f9aa923009c46b9aae570d090931bb6eda778d153f39551368f0aec

  • SSDEEP

    12288:iDCPENnBV5jaHBoFvZstQW012B04Ngjw5qu8jxTQlDrLOM:iEEZBV5jCoFvZsSWG2BdN+w2+O

Score
10/10
ponycredential_accessdiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables taskbar notifications via registry modification
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Adds Run key to start application 2 TTPs 52 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of SetThreadContext 5 IoCs
  • UPX packed file 29 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb0932b0ee1c241483f0de55c384dfee_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fb0932b0ee1c241483f0de55c384dfee_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Users\Admin\j29oAE.exe
      C:\Users\Admin\j29oAE.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2488
      • C:\Users\Admin\gzkor.exe
        "C:\Users\Admin\gzkor.exe"
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2260
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del j29oAE.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2776
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2716
    • C:\Users\Admin\2men.exe
      C:\Users\Admin\2men.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2904
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2576
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        • Maps connected drives based on registry
        • Suspicious behavior: EnumeratesProcesses
        PID:2816
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1804
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        PID:2804
    • C:\Users\Admin\3men.exe
      C:\Users\Admin\3men.exe
      2⤵
      • Modifies security service
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • System policy modification
      PID:2104
      • C:\Users\Admin\3men.exe
        C:\Users\Admin\3men.exe startC:\Users\Admin\AppData\Roaming\60630\128E9.exe%C:\Users\Admin\AppData\Roaming\60630
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2272
      • C:\Users\Admin\3men.exe
        C:\Users\Admin\3men.exe startC:\Program Files (x86)\30EB1\lvvm.exe%C:\Program Files (x86)\30EB1
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2776
      • C:\Program Files (x86)\LP\E916\43E3.tmp
        "C:\Program Files (x86)\LP\E916\43E3.tmp"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2032
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del fb0932b0ee1c241483f0de55c384dfee_JaffaCakes118.exe
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2208
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2004
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3044
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2056
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4a0
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

5
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Query Registry

3
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\60630\0EB1.063
    Filesize

    600B

    MD5

    ee8eebb59e4d821821a94b727a05db09

    SHA1

    9560109b24743bfe448d75239bcbbeb6a4093bd5

    SHA256

    18dcabdcb4f08ee8507184bf5e4ddccfde7c4f412665330c28d9a33ed71f9607

    SHA512

    4441d2c78c62a2f0ea4cbf9406583bbf12c0540c055316d5d8395caa3584fd2ff224c7c8ca6bfc6bd41477334fc3d6c4841d18ddf0a984a9d52776664ebabe4b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\60630\0EB1.063
    Filesize

    996B

    MD5

    9ec0c14b810298ee63893e5b30273887

    SHA1

    f701e10e4b54a51b62505595ceeceff6d382e158

    SHA256

    41756578ac40c17253fc6abd9d54f2a2fd7f1dc988f424eb5eded4dfa2072ae0

    SHA512

    397627f3b06037ba208ba4817ffb5b7f01fa3aac314838ac1b3af0a512289fff74f74a3c3ba5f20a718b4087ee1652300394f05b18a5d52c450a5b6ada0c3795

    Download Submit

  • C:\Users\Admin\AppData\Roaming\60630\0EB1.063
    Filesize

    1KB

    MD5

    fea02d0036816b2cc663a1b91827c604

    SHA1

    025b49dc66f4dc7e99bb937603c337e78ff7c223

    SHA256

    acb2a813ce42d87eebea758a5740c6410c4a5444a42ca64f0f91d3c98fa7e9ef

    SHA512

    55e8436dca536f4ae310e536d216fb2687c1aab9f945aae94d8b420dc34849c19788afbcb53215e509271185749cb6a84356fa8d55b6943ea284ae9286760175

    Download Submit

  • \Program Files (x86)\LP\E916\43E3.tmp
    Filesize

    96KB

    MD5

    6b9ed8570a1857126c8bf99e0663926c

    SHA1

    94e08d8a0be09be35f37a9b17ec2130febfa2074

    SHA256

    888e4e571a6f78ee81d94ab56bd033d413f9160f1089073176b03c91878aae2d

    SHA512

    23211a1b71f1d05ad7f003231da826220ac4940e48071135cc3fba14708123fa0292e2e71c294a8086d8dc5f90dd32c4da3b41e6857c56f38cb325d78cb14880

    Download Submit

  • \Users\Admin\2men.exe
    Filesize

    132KB

    MD5

    945a713b037b50442ec5d18d3dc0d55e

    SHA1

    2c8881b327a79fafcce27479b78f05487d93c802

    SHA256

    2da470571a64bcdeb56f62c916ee2bffa87ccc6c028b7c8cb0132d09bceedd2f

    SHA512

    0eab4bb5d04725cc20e463ae6959f71064674602f8ee7b3c9b2db75e928b9a0b1bdc94233dc261f6277d02e54a443b42a59b12aaebb8bbf243f0940344fbf385

    Download Submit

  • \Users\Admin\3men.exe
    Filesize

    271KB

    MD5

    0d668203e24463de2bf228f00443b7bc

    SHA1

    eacff981d71f6648f6315e508bfd75e11683dba8

    SHA256

    509d530e99839d7dbc8fccac163420d9dc455fb478fa57fdec1b7a2ef629d7bc

    SHA512

    3251bb1341bd466e71468d72723bd5cf545dbd232327f343b44c51daae8755ed3caa02f74adbb0304912769346fa90dfa4c7036c211836e5650bdb06993ba803

    Download Submit

  • \Users\Admin\gzkor.exe
    Filesize

    176KB

    MD5

    a9136720b21a2aab1a09bd3dafc4755c

    SHA1

    2ce3da57b014374f64d4ecfcd1f29bd4309043a8

    SHA256

    0609841cdb36cfea9cdf8d1bf629de99657cd2cca2862b475bb31b8a0810e20d

    SHA512

    16ddeb666e431a8ca2b9e77c8a4a3bb816559d8a04b4947643104ff950dc7ee4531a7b31432202a6d4cfa27314c86d511aad7f49401c9bbe8fa25dfefeb45645

    Download Submit

  • \Users\Admin\j29oAE.exe
    Filesize

    176KB

    MD5

    c4a634088e095eab98183984bb7252d8

    SHA1

    c205f2c1f8040c9205c6c06accd75c0396c59781

    SHA256

    db345985313397a39cc2817134315c8db71ab4c48680e62c0358db406b0eff6a

    SHA512

    b6a30f6d5cc30bee9b9d483629f16c80c5338360cec629f9ee2a3307b73b9743fd71396e408ac72008b84f4b8fded26002c910421853253b52b8b4d530df7a8e

    Download Submit

  • memory/1804-82-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1804-87-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1804-85-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1804-89-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1804-88-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1804-121-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1804-80-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2104-244-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2104-123-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2272-125-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2488-28-0x00000000039A0000-0x000000000445A000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2576-63-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2576-65-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2576-53-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2576-62-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2576-55-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2576-60-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2576-57-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2776-246-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2816-75-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2816-68-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2816-77-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2816-70-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2816-76-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2816-118-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2816-66-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2904-103-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2904-39-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2904-41-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2904-43-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2904-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2904-50-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2904-48-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2904-49-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download