Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
04/10/2024, 03:22
General
-
Target
11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
-
Size
282KB
-
MD5
11a13418d08527a1df11a91aa6560863
-
SHA1
ff4fb55fe1aa7ffbb79775b16ade23afd395d39b
-
SHA256
737ba07e36e4c3eeb668b5425b332178c504194abe72000e2605a53555087b90
-
SHA512
74af708b092a83bdeb8d7c0b0e72ecb7e2508241360d8d8861b333180c9823ae3cd19feb9436d8fc8239791d63970622daa8fde1276b39c7cd33e9aafda50536
-
SSDEEP
6144:Izf/4vdu9hHaZBynO1qQZq2kwJD7DOZa6emP/CvL:Izf/X9hHXQY2kqD7DOw6eeaT
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\11a13418d08527a1df11a91aa6560863_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\F3635\222BB.exe%C:\Users\Admin\AppData\Roaming\F36352⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\11a13418d08527a1df11a91aa6560863_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe startC:\Program Files (x86)\353D3\lvvm.exe%C:\Program Files (x86)\353D32⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\LP\BBAF\609.tmp"C:\Program Files (x86)\LP\BBAF\609.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
996B
MD5183d3de7d2fadd51ed1a5c4e1909dbb1
SHA1441b8c2e2c13b6a99c9c0971c406a6df5b437775
SHA256935be873be7d562d72acb4eb16f0b77147f031ca4cbf9f58725e03ac03cef54d
SHA512942c25246479b31cafbe0e8ed4e75304080deef503f51494d31faef61f6ce55ec943de44540a0c8476f028cffcffa4960da01a274d1a61eaa961780789320a0e
-
Filesize
600B
MD5362f9216565fc9fd590ac83951bd95d2
SHA1b47b034a0819c0353f235f6f73b81efd372ac522
SHA25673f8c8a6a22c32271fb795f0ccb41fa51d0ef8303678986cd66b71236223f358
SHA512f4605cd589f0a9fc50399883e94bc902357706b6a0507263baaaa63b4555ad8c948f203c3b32b384ccd888d3d01f02459a219263205343ddb9dd5401b763858b
-
Filesize
1KB
MD594d38e4b33ca9b955b90c80d6897d6ef
SHA158a7d6e54c2b05281845b443d7ce1d194954dc9d
SHA256752e491a442f1f9a4586cb688a5303103ce7f7725424e13c7c5d2712c663e13e
SHA512735ec9ed652f78b8f97f732a30341f748fc94682f5ab6d16550fcf2c29c234ea52c1c69da8cff3cdbe7413222fa0216500290b57e98c3ec95e95c01b3695c250
-
Filesize
100KB
MD5f6b59ae007f25be4bbc0d78790009c1f
SHA14224ca50f71600bd3973bd5b7400d6feb3bbfe23
SHA256ce2f2ae20dcacc1d713f241a3d230e708786eab37f4477fe53c39bea935ad8c5
SHA512c5250c43efd9f914277ec16ca973686fa44d03afccb1ba3982f61ef3b9b709ade34e526b108dbab163b078dadef8afe0a62a45d90573d583f0aa92e0e8d74c98
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
112KB
-
Filesize
428KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB