Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/12/2024, 02:09

General

  • Target

    df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe

  • Size

    684KB

  • MD5

    df79f1fe2a4c23d2841dee29e264a376

  • SHA1

    7ff3fe1fecb0e4dfb03cdfc46d3b64a952146180

  • SHA256

    93f0db4969baf8887c4f2336109b53cb0477dfcfde43364b9fd64441ef42bb09

  • SHA512

    b016d2ac37f7cd6d2333dc35181658464dc2974c8c59ac95f6c2b498e5604138c3376b2a4fdf1e116755c0d9584b924bfb5cd4ac23f89259aeb868fcc21a3ddd

  • SSDEEP

    12288:aj+AbsdYfNIvK5B+DWyzPtMs484wSeCi/f5ZntMreOKjP36Iy:6XJ2iyxVnki3tM6OX

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 3 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Deletes itself 1 IoCs
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 12 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 52 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Suspicious use of UnmapMainImage
    PID:336
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    1⤵
      PID:848
    • C:\Users\Admin\AppData\Local\Temp\df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe"
      1⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Users\Admin\AppData\Local\Temp\df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe
        df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Users\Admin\yA6npPl9.exe
          C:\Users\Admin\yA6npPl9.exe
          3⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2684
          • C:\Users\Admin\mooigud.exe
            "C:\Users\Admin\mooigud.exe"
            4⤵
            • Modifies visibility of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:2664
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c tasklist&&del yA6npPl9.exe
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2624
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              5⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:3028
        • C:\Users\Admin\achost.exe
          C:\Users\Admin\achost.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1324
          • C:\Users\Admin\achost.exe
            achost.exe
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:2292
        • C:\Users\Admin\bchost.exe
          C:\Users\Admin\bchost.exe
          3⤵
          • Modifies security service
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1728
          • C:\Users\Admin\bchost.exe
            C:\Users\Admin\bchost.exe startC:\Users\Admin\AppData\Roaming\582B9\1DED3.exe%C:\Users\Admin\AppData\Roaming\582B9
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1868
          • C:\Users\Admin\bchost.exe
            C:\Users\Admin\bchost.exe startC:\Program Files (x86)\B90A0\lvvm.exe%C:\Program Files (x86)\B90A0
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1780
        • C:\Users\Admin\cchost.exe
          C:\Users\Admin\cchost.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2156
          • C:\Windows\explorer.exe
            0000005C*
            4⤵
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            PID:592
        • C:\Users\Admin\dchost.exe
          C:\Users\Admin\dchost.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1316
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe
          3⤵
          • Deletes itself
          • System Location Discovery: System Language Discovery
          PID:2044
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1052
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2752

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\582B9\90A0.82B

      Filesize

      600B

      MD5

      f841cde9a1f6018aad81355062c77605

      SHA1

      c666cba61847b7aac93d08e6cdb710537ce733e0

      SHA256

      c52a252bee70ac2ed5c2a461b26fc0a06271674a3b04d873804e92fb476b3b01

      SHA512

      e3c915a4c23998879c2ba095c9344ade54da1e3dc5dfdaf0821437f54f3ebdd8ee25f8f9793ff930e4fedf965ee299eb434435bc089e64ec25e5aec21c302974

    • C:\Users\Admin\AppData\Roaming\582B9\90A0.82B

      Filesize

      996B

      MD5

      91887b859a6580b9858d5593c49b1281

      SHA1

      68e4482da30e8130cc5ef5dc07bc4513b5423c85

      SHA256

      e682e38599fbfaee9bf7499297b7e7308d803912fd79c7059516b04d9fd44dd7

      SHA512

      26d8df4e0dce97e691698114a3bbe4c6700db59684090840562c7971aaca3a3becb60fbae1f21ed27495adcf8776024ff1ca1cfe97976a458de9e91a8f1c4b0a

    • C:\Users\Admin\AppData\Roaming\582B9\90A0.82B

      Filesize

      1KB

      MD5

      483fc164468993d714cf57ebf9078b7a

      SHA1

      a139cde9b28ae84903d3f8793a5feb2d5d106ade

      SHA256

      2a58bff7cbde121c70837bf8a0a42ca75b26c7d4bdbd86e68f859ff3033634e8

      SHA512

      b839f5444cb72e367b3f25b657a5276717d0c3396d9e4c24172a461719d1af8c39849e58703ef2a7e4c17b4e76f05b6f0444e3b3397978ed8c31c73a317a0dc9

    • C:\Users\Admin\cchost.exe

      Filesize

      148KB

      MD5

      64266f59ace9947e641694499d87549b

      SHA1

      e0a8411743f0280ce5efcd5f754aa17ee3f2fdce

      SHA256

      a71cde63f2964b8282b6726bc6fe8c8f5d77878ca4e69e2fe9087abb362ab0e0

      SHA512

      14a7d8c012eae52196732cf2b451bb1f87497388c5f31a5086186e3554a8d69fb02495b4c56779cf31eec80ed82dbd71c39199c99d9c409cd9bafbdca2396037

    • C:\Windows\system32\consrv.DLL

      Filesize

      53KB

      MD5

      d3bd9c7e7a29daa24c66dc62cd5f5633

      SHA1

      3895247052b6244659e73334e6398677dafa0ac1

      SHA256

      6b87925d0e03ab5daa4760b1a62bed66c49cb489d011e2c9633eb0fe466df83f

      SHA512

      e243a2272887b02417b08b0d0728689c8f01cc57d473ed811ba98c2f5aa4d985d02d0fd7772bc33356474abcc815609ab7a6c0e905d6fe884fb7bc70bc67e9d0

    • \??\globalroot\systemroot\assembly\temp\@

      Filesize

      2KB

      MD5

      5e381e2d47d956b50d829d408092dada

      SHA1

      f1769111bf834ff3c4f050e351024a2030871db0

      SHA256

      13e19f5e701342f29f1b91612349409e6c454af2ccffcb61132097d50ba05a2e

      SHA512

      6441159ac7dfa9f3d6cc4ee09d392a65010e926b8a5d37831462dd3235d8610ab1d9ea972e1112edeec24b09605c75a20973b89a50fd3950259f8d7041c386fd

    • \Users\Admin\achost.exe

      Filesize

      84KB

      MD5

      0f28771c5c63ba1ee758b0598b747e2a

      SHA1

      bbf814808225de2dc0624ceb150bb38765696c03

      SHA256

      82a73d06a9cc73ce5546f7f3634466088180e17993cc1fc79304fffd9c322156

      SHA512

      9b68022e9e9d9b9e83eed5d82a2afa0f88afd3c7a1ce562d58745b9089a750294b0e003f1dbfaad144c7de4b5dc7f184342ee4d762da8b0465edceafcd9f75fb

    • \Users\Admin\bchost.exe

      Filesize

      172KB

      MD5

      d82e4d57ce973815501ee96404e0a41f

      SHA1

      7a963af97583f3a978b0ba28807105be82d2d5ed

      SHA256

      e598647ccb381e4113d6bf03d2e18bdb39f33071e541907d6309b93805ede7fc

      SHA512

      5bbb242e37f353f501733508477995949536c0ad859254c1a61e76a25490e55ffcd7d8fcf72c7388ce59c9516b7d2b8faae35daf76dd0e1c09aa8fbe57ae8882

    • \Users\Admin\dchost.exe

      Filesize

      24KB

      MD5

      b16b0d79216cb4dd198455e77fb24d51

      SHA1

      1bfddfa7fc31643083568507b5f30510bb9bf181

      SHA256

      bbebcee985c17aa7f20f842bb722d331ea69a104f5d880254b8da61df3610d0c

      SHA512

      5fd8d58d098b726f4668394c1f76bcaacd46c9824525c70c887a3dbd4b0fdedd292f2c13ab21da5708b7493612da7c40b2d5fd4fdf6987df52b574f5ee637b9b

    • \Users\Admin\mooigud.exe

      Filesize

      172KB

      MD5

      50f57eca739be18629787e3c85f7f9ff

      SHA1

      8ba3f5153105a1301ddc65a917483562e750cd28

      SHA256

      367cfeccae1c453d7faa5e9b3618994366e758150722ef118e79a91bf692cd52

      SHA512

      06609ef3eb1dcac80e50e680b3d1c4d85a5feee754e28fdaedb6c741a1e95803585edd98391a258ecf4d1237436b0327f819c0ecd0ffc68a140f2b4af995c991

    • \Users\Admin\yA6npPl9.exe

      Filesize

      172KB

      MD5

      0cecbddc80b2521b7c155678faaadb7c

      SHA1

      3bf737f74c7792fa523dda57d547170efbe4cb6b

      SHA256

      b51359458b30c171625de6e1f0eab133193a66d5d4c8c0f96fb763c4d90c10e3

      SHA512

      ff71bf9bb4cfb429459f2dfc6fa8d52e7870f038a44c7b65c2c6f333a6bf609666eb4a636ffadb6fe17e660b66462b637692323e9821372c822b27f9e83ad2fb

    • memory/592-263-0x00000000003F0000-0x0000000000409000-memory.dmp

      Filesize

      100KB

    • memory/1324-56-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/1324-79-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/1728-177-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

    • memory/1780-176-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

    • memory/1868-103-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

    • memory/2156-261-0x0000000000400000-0x0000000000443000-memory.dmp

      Filesize

      268KB

    • memory/2292-66-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/2292-59-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/2292-74-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/2292-69-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/2292-61-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/2292-63-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/2292-81-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/2292-71-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/2292-82-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/2432-0-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

    • memory/2432-1-0x0000000000230000-0x0000000000260000-memory.dmp

      Filesize

      192KB

    • memory/2432-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

    • memory/2660-104-0x00000000002C0000-0x00000000002EE000-memory.dmp

      Filesize

      184KB

    • memory/2660-49-0x00000000002C0000-0x00000000002EE000-memory.dmp

      Filesize

      184KB

    • memory/2660-4-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

    • memory/2660-6-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

    • memory/2660-252-0x0000000001C50000-0x0000000001C93000-memory.dmp

      Filesize

      268KB

    • memory/2660-12-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

    • memory/2660-258-0x0000000001C50000-0x0000000001C93000-memory.dmp

      Filesize

      268KB

    • memory/2660-54-0x00000000002C0000-0x00000000002EE000-memory.dmp

      Filesize

      184KB

    • memory/2660-57-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

    • memory/2660-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2660-2-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

    • memory/2660-83-0x00000000002C0000-0x00000000002EE000-memory.dmp

      Filesize

      184KB