Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03/12/2024, 04:58
Static task
static1
Behavioral task
behavioral1
Sample
bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe
Resource
win7-20240708-en
General
-
Target
bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe
-
Size
329KB
-
MD5
bbcf778115c3bc52ccf78be5afdc36a4
-
SHA1
afc259a86f0ec3a20ebc77fc3ded45097fc98a3b
-
SHA256
e261b60c2939239a2b7365026bd41a5ca9a380b16830e69e9da14b611f214009
-
SHA512
57348b0820303d10fdb045ecd29f46ae136d5bf70d789d7f8fe634447bef351fa9d485941b29023147582330d5bdf3dd305e34bf143919f88ef954e9db161c02
-
SSDEEP
6144:lVuhljEB/TZvZ9xkiH1fN/OUVNkEsJtb3p2SObkdz5Slb0iavszTaXSsjT:HIpI7ZhbH1f1Ouybb3p2SObe1yb0i7TS
Malware Config
Extracted
cybergate
2.6
vítima
reylocoip.no-ip.org:82
***MUTEX***
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
Windows Live
-
install_file
Messenger.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
texto da mensagem
-
message_box_title
título da mensagem
-
password
abcd1234
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Signatures
-
Cybergate family
-
Adds policy Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\Windows Live\\Messenger.exe" bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\Windows Live\\Messenger.exe" bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DXW8777-Y48T-8Q6G-31L1-P617JU47IU17} bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DXW8777-Y48T-8Q6G-31L1-P617JU47IU17}\StubPath = "c:\\dir\\install\\Windows Live\\Messenger.exe Restart" bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DXW8777-Y48T-8Q6G-31L1-P617JU47IU17} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DXW8777-Y48T-8Q6G-31L1-P617JU47IU17}\StubPath = "c:\\dir\\install\\Windows Live\\Messenger.exe" explorer.exe -
Executes dropped EXE 2 IoCs
pid Process 5060 Messenger.exe 1048 Messenger.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\dir\\install\\Windows Live\\Messenger.exe" bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\dir\\install\\Windows Live\\Messenger.exe" bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3528 set thread context of 3948 3528 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 83 PID 5060 set thread context of 1048 5060 Messenger.exe 87 -
resource yara_rule behavioral2/memory/3948-17-0x0000000024010000-0x0000000024072000-memory.dmp upx behavioral2/memory/3948-18-0x0000000024010000-0x0000000024072000-memory.dmp upx -
Program crash 1 IoCs
pid pid_target Process procid_target 2228 1048 WerFault.exe 87 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Messenger.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2824 explorer.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 3528 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe Token: SeDebugPrivilege 2824 explorer.exe Token: SeDebugPrivilege 2824 explorer.exe Token: SeDebugPrivilege 5060 Messenger.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3528 wrote to memory of 3948 3528 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 83 PID 3528 wrote to memory of 3948 3528 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 83 PID 3528 wrote to memory of 3948 3528 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 83 PID 3528 wrote to memory of 3948 3528 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 83 PID 3528 wrote to memory of 3948 3528 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 83 PID 3528 wrote to memory of 3948 3528 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 83 PID 3528 wrote to memory of 3948 3528 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 83 PID 3528 wrote to memory of 3948 3528 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 83 PID 3528 wrote to memory of 3948 3528 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 83 PID 3528 wrote to memory of 3948 3528 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 83 PID 3528 wrote to memory of 3948 3528 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 83 PID 3528 wrote to memory of 3948 3528 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 83 PID 3528 wrote to memory of 3948 3528 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 83 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56 PID 3948 wrote to memory of 3520 3948 bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3520
-
C:\Users\Admin\AppData\Local\Temp\bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Users\Admin\AppData\Local\Temp\bbcf778115c3bc52ccf78be5afdc36a4_JaffaCakes118.exe
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- System Location Discovery: System Language Discovery
PID:2296
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2824 -
C:\dir\install\Windows Live\Messenger.exe"C:\dir\install\Windows Live\Messenger.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5060 -
C:\dir\install\Windows Live\Messenger.exe
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 5327⤵
- Program crash
PID:2228
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1048 -ip 10481⤵PID:3452
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
229KB
MD5f7a1c5cf3d4c58051cb9b451b812fe3b
SHA18002ae28fb6bc2e7767e02b76422df5312d14378
SHA256b4f4bbcb4ae642102d970a448799a7100383c82dc9f1354d6a39a572dd233a27
SHA512efbb7a33f86537e3adae71beb2259598538e2586011a90d302377171cd760d1ff71e269a80c39b27866d23392170000e5c06b3ced39cf0c210f443ed6c5c1a15
-
Filesize
8B
MD56f064ccd018989a0d2b4f44e566edd40
SHA191560ff34bb704b833591e1de856b1af55a701e7
SHA25663bbd240967016116d0c849575a0f8d5d60caf27cc8b8232b308c41edb7bb572
SHA512861b9d9f2d6046fc426e8e5974f675a3f37b3bbb753346de440e152e8a3a098b85b4d63c7fd8e28ae9eca51cf917c33284fa72cc9ff7e65b2d00857027ede552
-
Filesize
8B
MD5f2b31ee869d96860e8bd422cf4a16f73
SHA1c1de099c8b9b4edbe1d8d9c885ef63b5fcc51ec2
SHA2566a8b17b9f784cd98803cf437233d42c5359de86c8199aedb42d85d75f60da5dd
SHA51250ae335900e383d00c68f2371a4086afa57f69aa4ac617140873afdacebc2000e5475ae5ed6f35229f69657ef6dbb3af33a89600bb8e842f925d76d4437b12d9
-
Filesize
8B
MD5bec5f45ef390c7f107bd82cec18a17d1
SHA13a1cdc7d24ea4f41e72253e43588376a913427d3
SHA256dc728f5b22d9668fd33817d1490d19daae76482e1ff2a6b3f6cf676f17d9263c
SHA512a40d0294202e6ce197688b7209aa3230bd3988943af0841e951be0f61c47bb4c9c8943bb4630d6205cd03e232ec7c01d7d8fe3ac5719fa89438e0f06004771cd
-
Filesize
8B
MD5fd83b5f1041c0659ebea8224ac736364
SHA11490dd0cacfb6cd61c0b73f9ab80f75209d80d15
SHA256783f7aa8f34b242415cc75bf74eb91697e24314e0b415810ff470cb976f1cc95
SHA5121003a9664c934db418bfd4e3c7c566c7e1029becb921532202c469c65b6ce59fdc2a558a2c17dd5beb541e34e210946c2550f6076b4f8f421802cdc68b67f10c
-
Filesize
15B
MD5e21bd9604efe8ee9b59dc7605b927a2a
SHA13240ecc5ee459214344a1baac5c2a74046491104
SHA25651a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46
SHA51242052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493
-
Filesize
329KB
MD5bbcf778115c3bc52ccf78be5afdc36a4
SHA1afc259a86f0ec3a20ebc77fc3ded45097fc98a3b
SHA256e261b60c2939239a2b7365026bd41a5ca9a380b16830e69e9da14b611f214009
SHA51257348b0820303d10fdb045ecd29f46ae136d5bf70d789d7f8fe634447bef351fa9d485941b29023147582330d5bdf3dd305e34bf143919f88ef954e9db161c02