Analysis

  • max time kernel
    140s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/09/2024, 03:31

General

  • Target

    fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe

  • Size

    284KB

  • MD5

    fdb7408c370b3778fd7cffcb02116ba1

  • SHA1

    d597e2d622017f2091b7abb657b85498ae12f8ca

  • SHA256

    2a96a8f20bb83a4bdcb425fbd15b8217e941f030951d230e790bed786d42758e

  • SHA512

    c996a0ee7e6f60783c4e15d4e039514601cd5ad8ea2d3943b14caa2a42649b578bada3c1cbd0a964849383118107e3c3ed358b49300ea69173ccbbdaffebb0b2

  • SSDEEP

    6144:V0lJsa0dPA4NNXw0hlx1qepW2cV4/LoDgCJM9/fACv:+DzklN9zx1qGMV4/LT79Zv

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Pony, Fareit

    Pony (also tracked as Fareit) is an information-stealing trojan: it harvests credentials saved by browsers, FTP clients, email clients and other applications, posts them to its control server, and can act as a downloader for further payloads.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a component key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components. The component's StubPath value is executed at the next interactive logon, before the user's shell starts, for every user whose HKCU hive does not yet record that component.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files of FTP clients such as FileZilla (for example sitemanager.xml and recentservers.xml under %APPDATA%\FileZilla), which hold saved server logins.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers routinely target browser profile data, which can include saved credentials, cookies and autofill entries.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials stored in plaintext or weakly protected application files (ATT&CK T1552.001).

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up entries under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall to enumerate the software installed on the system.

  • UPX packed file 10 IoCs

    Detects executables packed with the UPX open-source packer or a modified build of it.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim (for example via GetLocaleInfo or GetUserDefaultUILanguage) in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
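A static check for the "UPX packed file" signature above, as an added example (not code from the Triage report or from the Pony sample): it parses the PE section table and reports UPX section names, the "UPX!" packer marker, and the highest per-section entropy. The PE image used here is constructed in-line by build_fake_pe (a minimal header with UPX0/UPX1 sections) rather than the real sample's bytes; run upx_indicators() over the actual 284KB file to reproduce the verdict. Modified UPX builds often rename the sections and strip the marker, which is why entropy is reported alongside the name match; a packed image usually carries a section above roughly 7 bits per byte, but so does any compressed or encrypted resource, so entropy alone is a hint, not a verdict.

```python
"""Static UPX indicators from the PE section table.

Added example for the 'UPX packed file' signature; not the sandbox's own
detection code. The PE images built here are constructed test input.
"""
import math
import random
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data` (0.0 for empty or constant input, 8.0 max)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(pe: bytes):
    """Yield (name, virtual_size, raw_ptr, raw_size) for each section header."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + size_opt                          # section table start
    for i in range(num_sections):
        off = table + i * 40                              # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        yield name, vsize, rawptr, rawsize


def upx_indicators(pe: bytes) -> dict:
    """Collect the evidence a triage analyst would look at before unpacking."""
    names, max_entropy = [], 0.0
    for name, _vsize, rawptr, rawsize in pe_sections(pe):
        names.append(name)
        if rawsize:
            max_entropy = max(max_entropy, shannon_entropy(pe[rawptr:rawptr + rawsize]))
    return {
        "upx_sections": [n.decode("latin-1") for n in names if n in UPX_SECTION_NAMES],
        "upx_marker": b"UPX!" in pe,
        "max_section_entropy": round(max_entropy, 2),
        "likely_upx": any(n in UPX_SECTION_NAMES for n in names) or b"UPX!" in pe,
    }


def build_fake_pe(sections) -> bytes:
    """Constructed minimal PE32 image (test input, not a real binary).

    sections: list of (name, raw_bytes, virtual_size).
    """
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2)) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0                                       # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    opt = b"\0" * size_opt
    headers_len = e_lfanew + 4 + 20 + size_opt + 40 * len(sections)
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF              # file-align raw data to 0x200
    table, body = b"", b""
    for name, data, vsize in sections:
        table += name.ljust(8, b"\0")
        table += struct.pack("<IIII", vsize, 0x1000, len(data), raw_ptr + len(body))
        table += b"\0" * 16                               # relocs, line numbers, characteristics
        body += data
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_ptr, b"\0") + body


def sample_packed_pe() -> bytes:
    """Constructed UPX-style layout: empty UPX0, high-entropy UPX1 with the marker."""
    rng = random.Random(7)
    packed = b"UPX!" + bytes(rng.getrandbits(8) for _ in range(4096))
    return build_fake_pe([(b"UPX0", b"", 0x10000), (b"UPX1", packed, len(packed))])


def sample_unpacked_pe() -> bytes:
    """Constructed plain layout: one low-entropy .text section."""
    return build_fake_pe([(b".text", b"\x90" * 4096, 4096)])


if __name__ == "__main__":
    print("packed:  ", upx_indicators(sample_packed_pe()))
    print("unpacked:", upx_indicators(sample_unpacked_pe()))
```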

Processes

  • C:\Users\Admin\AppData\Local\Temp\fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2408
    • C:\Users\Admin\AppData\Local\Temp\fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\C2379\ACAEA.exe%C:\Users\Admin\AppData\Roaming\C2379
      2⤵
      PID:1824
    • C:\Users\Admin\AppData\Local\Temp\fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe startC:\Program Files (x86)\7907B\lvvm.exe%C:\Program Files (x86)\7907B
      2⤵
      PID:1448
    • C:\Program Files (x86)\LP\EA3C\52A2.tmp
      "C:\Program Files (x86)\LP\EA3C\52A2.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1744
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2428
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:748
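The persistence and credential-access signatures in this report (Active Setup, Run key, FTP client files) reduce to a few registry and file-access patterns that can be hunted for in endpoint telemetry. The following is an added example, not the sandbox's own detection logic: evaluate() runs those patterns over a list of constructed EDR-style events modelled on the process tree above (explorer.exe carrying the Active Setup write, consistent with the sample's WriteProcessMemory use; the sample adding a Run value that points under %APPDATA%; a read of FileZilla's sitemanager.xml). The event schema, the component GUID, the SID and the value data are assumptions. Sysmon records registry writes (event IDs 12 to 14) and file creates (event ID 11) but not reads, so the FileRead rule needs a source that logs reads; the Uninstall-key enumeration signature is read-only as well and is not covered here.

```python
"""Hunt rules for the persistence and credential-access signatures in the report.

Added example; not Triage's signature code. SAMPLE_EVENTS is constructed
telemetry modelled on the report's process tree, not the sandbox's event log.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    technique: str   # ATT&CK technique ID
    rule: str        # which pattern fired (plus any confidence modifier)
    image: str       # process that performed the action
    evidence: str    # target and value data


# T1547.014: StubPath under a component key runs at next logon for each user.
ACTIVE_SETUP = re.compile(
    r"\\Microsoft\\Active Setup\\Installed Components\\[^\\]+\\StubPath$", re.I)
# T1547.001: classic Run/RunOnce value.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.I)
# T1552.001: FileZilla stores saved logins in these XML files.
FTP_CREDS = re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I)
# Autostart entries pointing into user-writable directories deserve a higher score.
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\|\\Users\\Public\\", re.I)


def evaluate(events):
    """Return one Finding per event that matches a rule, in event order."""
    findings = []
    for ev in events:
        kind, image = ev["event"], ev["image"]
        target, details = ev.get("target", ""), ev.get("details", "")
        if kind == "RegistrySetValue":
            if ACTIVE_SETUP.search(target):
                technique, rule = "T1547.014", "active_setup_stubpath"
            elif RUN_KEY.search(target):
                technique, rule = "T1547.001", "run_key"
            else:
                continue
            if USER_WRITABLE.search(details):
                rule += "+user_writable_payload"
            findings.append(Finding(technique, rule, image, f"{target} = {details}"))
        elif kind == "FileRead" and FTP_CREDS.search(target):
            findings.append(Finding("T1552.001", "ftp_client_credential_file", image, target))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe"
USER_HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"  # assumed SID

# Constructed events (assumed schema: event, image, target, details).
SAMPLE_EVENTS = [
    {"event": "RegistrySetValue", "image": r"C:\Windows\explorer.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
               r"\{11111111-2222-3333-4444-555555555555}\StubPath",   # assumed GUID
     "details": r"C:\Program Files (x86)\7907B\lvvm.exe"},
    {"event": "RegistrySetValue", "image": SAMPLE,
     "target": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\ACAEA",
     "details": r"C:\Users\Admin\AppData\Roaming\C2379\ACAEA.exe"},
    {"event": "FileRead", "image": SAMPLE,
     "target": r"C:\Users\Admin\AppData\Roaming\FileZilla\sitemanager.xml"},
    # A legitimate installer adding a Run value under Program Files: still T1547.001,
    # but without the user-writable modifier.
    {"event": "RegistrySetValue", "image": r"C:\Windows\system32\msiexec.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ContosoUpdater",
     "details": r"C:\Program Files\Contoso\Updater.exe"},
    # Benign noise that must not fire.
    {"event": "RegistrySetValue", "image": r"C:\Windows\explorer.exe",
     "target": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "details": "1"},
    {"event": "FileRead", "image": r"C:\Windows\notepad.exe",
     "target": r"C:\Users\Admin\Documents\notes.txt"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.technique}  {f.rule:<32} {f.image}\n    {f.evidence}")
```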

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\C2379\907B.237
    Filesize: 996B
    MD5: 2dee27ea64735073478fab7493762a6e
    SHA1: 90b7e8c63ff61fdfad8c2da484ce6ffc3c063d74
    SHA256: 153cf3dab669512ab3fbf0a2ca588d463a95368f20e2dea5454f5f35de4443da
    SHA512: d3e868691ccd9cd9fe28eb65815642037cfa9871ec82743d1ef575526677d8451af58f3197570d268eea64bb8958dcd2787fce75aa99829079419b350b8c43d5

  • C:\Users\Admin\AppData\Roaming\C2379\907B.237
    Filesize: 600B
    MD5: 8a436c51395b4fe30722fd74c95e9553
    SHA1: 2cb3b5c9eb02b72672ba33b4c3b883f1afb12049
    SHA256: d2a7e68205c0a40df7e40446fa3ab9f6367166658921ac139b2701633f072f2b
    SHA512: 9d62db5f74a988ee2137ce9dfcc0bca9a33a17fe1ab4e66325a6255bd5b94435da1dce2020e437c4372fba5d5569037f4c9257bb1bf45db329a1758361a299ba

  • C:\Users\Admin\AppData\Roaming\C2379\907B.237
    Filesize: 1KB
    MD5: a6b56ff41abd1b5f3dcec7c20f7d978a
    SHA1: 33b2c5f8d1353ca446d30bd241374499459e9b18
    SHA256: 8b593678b2aaa584f0ff61a5f4c6af7d63817add011fb72135afddbf5f82433d
    SHA512: 8e57be0a114b7354590932ed0d1d9c6c87af6b88f17f3ee5db876947360f2a8180527f92a8787f22162443f0523b96f81798e3a1636b0d43c22b895dc7938eb0

  • \Program Files (x86)\LP\EA3C\52A2.tmp
    Filesize: 101KB
    MD5: 1cec7ecd2bbbcc39e9dbcab83d7d67cf
    SHA1: 13a0cb757993e63c2b360c9ce1f17a3aac342ffe
    SHA256: 5d767de0b9378b94cf82683458078a385989098464566fbb92b48c4bab435d20
    SHA512: 6fd95f2fd2918ae66b420044fc1da82b1724d615c6d71cae2533a37e0851a99f20aaf7b360fa5059b6b67b414dbc7e023f1f5e86eab25f20ade834e501e6a39c

  • memory/1448-123-0x0000000000400000-0x000000000046B000-memory.dmp
    Filesize: 428KB

  • memory/1448-126-0x0000000000400000-0x000000000046B000-memory.dmp
    Filesize: 428KB

  • memory/1448-124-0x0000000000400000-0x000000000046B000-memory.dmp
    Filesize: 428KB

  • memory/1744-302-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB

  • memory/1824-13-0x0000000000400000-0x000000000046B000-memory.dmp
    Filesize: 428KB

  • memory/1824-16-0x0000000000400000-0x000000000046B000-memory.dmp
    Filesize: 428KB

  • memory/1824-17-0x0000000000400000-0x000000000046B000-memory.dmp
    Filesize: 428KB

  • memory/2408-121-0x0000000000400000-0x000000000046B000-memory.dmp
    Filesize: 428KB

  • memory/2408-1-0x0000000000400000-0x0000000000468000-memory.dmp
    Filesize: 416KB

  • memory/2408-14-0x0000000000400000-0x0000000000468000-memory.dmp
    Filesize: 416KB

  • memory/2408-11-0x0000000000400000-0x000000000046B000-memory.dmp
    Filesize: 428KB

  • memory/2408-301-0x0000000000400000-0x000000000046B000-memory.dmp
    Filesize: 428KB

  • memory/2408-2-0x0000000000400000-0x000000000046B000-memory.dmp
    Filesize: 428KB

  • memory/2408-305-0x0000000000400000-0x000000000046B000-memory.dmp
    Filesize: 428KB