Analysis

  • max time kernel
    140s
  • max time network
    104s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/11/2024, 16:45

General

  • Target

    a8c5404c956ca47d8238a44d8f6372f7_JaffaCakes118.exe

  • Size

    263KB

  • MD5

    a8c5404c956ca47d8238a44d8f6372f7

  • SHA1

    02bffd8845b2146535fbb36614966ec5ca87f9aa

  • SHA256

    e562e3914c803e810408ade487358bb779fb18047e4d83af99692912e568e308

  • SHA512

    9ea9054015a6e7e7f222cf0dc29821a84a5c15135282cb6776f85b0a2dfcc79a11ac2196dc59cb56c36b0455dcd30a804956c970dde2a1aaefe060efc133f83d

  • SSDEEP

    6144:CNg8v7yFwU5i8jjM/rxeEeEp6BLorz/Ui:CXv7yFwrl/rzeM6BLo

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 8 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
  • Pony family
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8c5404c956ca47d8238a44d8f6372f7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a8c5404c956ca47d8238a44d8f6372f7_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2524
    • C:\Users\Admin\AppData\Local\Temp\a8c5404c956ca47d8238a44d8f6372f7_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\a8c5404c956ca47d8238a44d8f6372f7_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\42C3E\82278.exe%C:\Users\Admin\AppData\Roaming\42C3E
      2⤵
        PID:1832
      • C:\Users\Admin\AppData\Local\Temp\a8c5404c956ca47d8238a44d8f6372f7_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\a8c5404c956ca47d8238a44d8f6372f7_JaffaCakes118.exe startC:\Program Files (x86)\3EBA8\lvvm.exe%C:\Program Files (x86)\3EBA8
        2⤵
          PID:1868
        • C:\Program Files (x86)\LP\7814\2397.tmp
          "C:\Program Files (x86)\LP\7814\2397.tmp"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1600
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2968
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:596
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x5c8
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2604

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Roaming\42C3E\EBA8.2C3

        Filesize

        996B

        MD5

        daf1cbf4bfe10190db49b916b17023f2

        SHA1

        f24b74ea1fa475d759b0a05a7ed4095495264a51

        SHA256

        b43935763a79160c0bf3f60d4ef35b7e3ee8d40899806d1d72427ca8de9a0c66

        SHA512

        201c58c4beec21f4625b434010fe0e6cc4e64a16db8c81aef1e43961d6c25329f9201254758d2f96e6bc73f9a68357d994d1388d727deb3bdd9f9f558518b668

      • C:\Users\Admin\AppData\Roaming\42C3E\EBA8.2C3

        Filesize

        600B

        MD5

        945327912456c862984bdeb309a79bdd

        SHA1

        d278d78324c7b7be99b5a469e77532f1aa3fee2b

        SHA256

        e8ac099b2ef9f5fe987a63105ddc5b40198213413bf84ebeca111c1f99a8ee36

        SHA512

        793768f7ef659980240b6e1567bf2653d246305d07e927bb55bac24c6e1793b23746a6a3c4f81b5f651f4fd1e6582000caa8401b15784a961e6b9bba76e6e209

      • \Program Files (x86)\LP\7814\2397.tmp

        Filesize

        95KB

        MD5

        b3665f15b4cd433e21ac50c2f224b101

        SHA1

        b96fc19237dd9767418f23dab9451489c75bf5b6

        SHA256

        d7c3b90a540de9a91bb01c49e5f632a8e9085dfd774e627b31799018dcd6aed9

        SHA512

        b2e030be29ac15267cd1613070aac2f5282680a6d3a56878e6e44f5eba58b8870e1a05dbc7418f7b67a271b8a184902d483863465e2e2692a9929cec740e20bd

      • memory/1600-310-0x0000000000400000-0x000000000041B000-memory.dmp

        Filesize

        108KB

      • memory/1600-309-0x0000000000400000-0x000000000041B000-memory.dmp

        Filesize

        108KB

      • memory/1832-17-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/1832-18-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/1868-179-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/2524-2-0x0000000000400000-0x0000000000466000-memory.dmp

        Filesize

        408KB

      • memory/2524-4-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/2524-3-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/2524-180-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/2524-0-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/2524-307-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/2524-15-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/2524-6-0x0000000000400000-0x0000000000466000-memory.dmp

        Filesize

        408KB

      • memory/2524-314-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB