Analysis

  • max time kernel
    145s
  • max time network
    96s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/12/2024, 12:12

General

  • Target

    f3f14d9e9d00cc5042719271483a5d87_JaffaCakes118.exe

  • Size

    283KB

  • MD5

    f3f14d9e9d00cc5042719271483a5d87

  • SHA1

    46b2dcb37ba8834f222e853b141ecc00984f7882

  • SHA256

    eaafd44c71f155d0226c4a7ac2ac26eda5ef205c92422cde9136aba2d5088127

  • SHA512

    6bf059142b9d9debd9f64fe63b74695df02344de602c3066325d0acee97e1f35c7d8ee65a99644218e9b2fdd34d58a9721ffc30831c70f0d1aed9e5ab599c851

  • SSDEEP

    6144:YFB4TgURnE22PeSNJCBbYmBxFgx7W6zbls/MOrMznAAuBexFv2F:YF4ztdOeSNsU4/gxtB87AsAuInv

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 7 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
  • Pony family
  • Pony, Fareit

    Pony (also tracked as Fareit) is an information-stealing trojan that harvests stored credentials from browsers, FTP clients and other applications.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other profile information.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
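
For the "UPX packed file" signature above, the following is an added example (not tria.ge's detection logic and not code from the sample) of the check a practitioner would run by hand before static analysis: walk the PE headers to the section table and look for the section names stock UPX writes, plus the "UPX!" marker stock builds leave in the packer header. The PE produced by build_test_pe is a constructed skeleton for exercising the parser, not the submitted file.

```python
import struct

# Section names written by stock UPX; stock builds also leave a "UPX!" marker
# in the packer header. Modified UPX forks rename both, so a miss means
# "not stock UPX", not "not packed".
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1"}


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, or [] if data is not a PE.

    Walks MZ header -> e_lfanew -> "PE\\0\\0" -> COFF header -> section table
    with bounds checks, so a truncated or hostile file cannot raise.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                       # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size              # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break                             # truncated table: stop, do not raise
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def upx_indicators(data: bytes) -> list:
    """List the stock-UPX indicators found in a PE; an empty list means none."""
    reasons = []
    hits = [n.decode("ascii", "replace") for n in pe_section_names(data) if n in UPX_SECTION_NAMES]
    if hits:
        reasons.append("section names: " + ", ".join(hits))
    if b"UPX!" in data[:4096]:
        reasons.append("UPX! marker in the first 4 KiB")
    return reasons


def build_test_pe(section_names, extra: bytes = b"") -> bytes:
    """Constructed, non-executable PE skeleton used only to exercise the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header right after the DOS header
    opt = bytearray(0xE0)                     # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + extra


# Constructed samples: one with the stock UPX layout, one with ordinary sections.
PACKED = build_test_pe([b"UPX0", b"UPX1", b".rsrc"], extra=b"UPX!")
PLAIN = build_test_pe([b".text", b".rdata", b".data"])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED), ("plain", PLAIN)):
        print(label, upx_indicators(blob) or "no UPX indicators")
```

The signature text says "UPX/modified UPX" for a reason: forks that rename the sections and strip the marker will pass this check, so a clean result only rules out a stock packer. For a sample like this one, the memory regions listed under Downloads (0x400000-0x46B000, 428 KB mapped for a 283 KB file) are what you end up analysing; `upx -d` restores only files packed by an unmodified UPX.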

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3f14d9e9d00cc5042719271483a5d87_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f3f14d9e9d00cc5042719271483a5d87_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1236
    • C:\Users\Admin\AppData\Local\Temp\f3f14d9e9d00cc5042719271483a5d87_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\f3f14d9e9d00cc5042719271483a5d87_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\3293F\7451C.exe%C:\Users\Admin\AppData\Roaming\3293F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:852
    • C:\Program Files (x86)\LP\1C33\AFEE.tmp
      "C:\Program Files (x86)\LP\1C33\AFEE.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2484
    • C:\Users\Admin\AppData\Local\Temp\f3f14d9e9d00cc5042719271483a5d87_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\f3f14d9e9d00cc5042719271483a5d87_JaffaCakes118.exe startC:\Program Files (x86)\3F920\lvvm.exe%C:\Program Files (x86)\3F920
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1564
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2880
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3032
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x450
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1932
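
The tree above shows two behaviours worth a detection: the sample re-launches its own image twice with a `start<payload path>%<payload directory>` argument, and it executes a dropped `.tmp` from a hex-named directory under `Program Files (x86)\LP\`. The following is an added example, not part of the tria.ge report, that turns those observations into a rule over process-creation events. The events are reconstructed from the tree above (the parent PID of the first process and of msiexec are not given in the report and are assumed), and the path patterns are derived from this one report rather than from a published Cycbot description.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / 4688 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Argument shape seen in this report: the sample re-executes its own image with
# "start<payload path>%<payload directory>" appended, no space after "start".
SELF_RELAUNCH = re.compile(r"\sstart(?P<path>[^%]+)%(?P<dir>[^%]+)$", re.I)

# Drop locations from this report: a 4-5 hex-character directory directly under
# %AppData%\Roaming, under "Program Files (x86)" or under "Program Files (x86)\LP".
DROP_DIR = re.compile(
    r"\\(?:AppData\\Roaming|Program Files(?: \(x86\))?(?:\\LP)?)\\[0-9A-F]{4,5}\\", re.I
)


def find_suspicious(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map PID -> reasons for every event matching one of the patterns above."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, List[str]] = {}
    for e in events:
        parent = by_pid.get(e.ppid)
        reasons = []
        m = SELF_RELAUNCH.search(e.cmdline)
        # Only a child of the same image counts: a launcher passing a literal
        # "start..." argument to a different binary is not this pattern.
        if m and parent and parent.image.lower() == e.image.lower():
            reasons.append("self-relaunch pointing at " + m.group("path"))
            if DROP_DIR.search(m.group("path")):
                reasons.append("relaunch target lives in a drop directory")
        if DROP_DIR.search(e.image):
            reasons.append("image executed from a drop directory")
            if e.image.lower().endswith(".tmp"):
                reasons.append("executable with .tmp extension")
        if reasons:
            findings[e.pid] = reasons
    return findings


# Events reconstructed from the report's process tree (PPIDs 4000 and 600 assumed).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f3f14d9e9d00cc5042719271483a5d87_JaffaCakes118.exe"
EVENTS = [
    ProcEvent(1236, 4000, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(852, 1236, SAMPLE,
              SAMPLE + r" startC:\Users\Admin\AppData\Roaming\3293F\7451C.exe%C:\Users\Admin\AppData\Roaming\3293F"),
    ProcEvent(2484, 1236, r"C:\Program Files (x86)\LP\1C33\AFEE.tmp",
              r'"C:\Program Files (x86)\LP\1C33\AFEE.tmp"'),
    ProcEvent(1564, 1236, SAMPLE,
              SAMPLE + r" startC:\Program Files (x86)\3F920\lvvm.exe%C:\Program Files (x86)\3F920"),
    ProcEvent(2880, 600, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
]

if __name__ == "__main__":
    for pid, reasons in sorted(find_suspicious(EVENTS).items()):
        print(pid, "; ".join(reasons))
```

The self-relaunch rule keys on the parent having the same image as the child; without that condition a harmless process whose argument happens to start with "start" and contain "%" would match. The drop-directory pattern is deliberately narrow (hex-only directory names of four or five characters), which keeps false positives low but also means a variant that changes its naming scheme slips past it; the command-line rule is the more durable of the two.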

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\3293F\F920.293

    Filesize

    600B

    MD5

    1e6815e85e0d3e6bfcbb51433bfeb079

    SHA1

    153c018f995402c54f5c0b97b8e79781abe04361

    SHA256

    6b56f3f86db994950d1d9a8a594532ab9cb72e1add987cd51c1d7bdc66b36c34

    SHA512

    e4bfde005578a2452bfb810fddbf05635bb9a20b12a0d99aeb1230fdf3231125c299c5b61cd479ef7957a791223d41f20d6d7fbb69dc2e5a2aade34adc4cc0aa

  • C:\Users\Admin\AppData\Roaming\3293F\F920.293

    Filesize

    1KB

    MD5

    c1b3fdac7222ae8ee8b53f7517bb54dd

    SHA1

    d4d4092d2aa632258acfb0925e422f33d5322362

    SHA256

    eeeee5c7adb029fb84d0e2fddc6f397e1bdf0d52c5310012cc08eaae51c00d7f

    SHA512

    883202ad6ca3a642a71919d67eb1eece1726e696bd08ddce2a0c4c5f03b8badbf95b90fc5a098995e26ca46302769c7e1ef9c0df88fc23fccfb46742a257b31f

  • C:\Users\Admin\AppData\Roaming\3293F\F920.293

    Filesize

    1KB

    MD5

    7a6cbab4d2f15e9392cd3a0cd6c481a4

    SHA1

    c4c4c62ee2d13e4b57878c89b73d28069b2e38d7

    SHA256

    2017e67098096779522d2f603b6337d220e5ae999cccaf1c1d3e626b2dd28790

    SHA512

    e6a48419d13addad37731d40e9eca20091c5c915123eb74686726eafd6eac41ff8666a458679170619e34f623d37fb65a53de59067728046acabaa4b63429487

  • C:\Users\Admin\AppData\Roaming\3293F\F920.293

    Filesize

    897B

    MD5

    ef916822ee4ffe443c9be402361abc53

    SHA1

    f1e7f09c6cea0a9416f52346e85c3c5fe2c573af

    SHA256

    b98baaf63a52b3651d73c38a3319164760a0215e74523caef28d8b68460a65d2

    SHA512

    5096720d45086d12ddcf6964641709a7e715d348871069b5f50b6bd71a84aeb51c4c2678444e1c841342e223a7b6368d6d71a518c62174243017274139429b7a

  • \Program Files (x86)\LP\1C33\AFEE.tmp

    Filesize

    100KB

    MD5

    8659e2fdb286421874e997e5b1d56ae4

    SHA1

    e3b46183011a317dd80baf92ff9ef1b2da53cc05

    SHA256

    80ceedded02c13a9c4ade2d2242b2bb295bc122b5c7c0f6b3332b0f4fceae2b8

    SHA512

    ae12fd737c0a6f765ebe7a6e312230220e5fb79d42c1478a6f00edf5e67b6dec201aee90d3082b7817726c6501c7c94ce4a8eab72b2a00547bfdc382bbf2a8dc

  • memory/852-58-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/1236-59-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/1236-2-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/1236-4-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

  • memory/1236-184-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/1236-3-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/1236-1-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

  • memory/1236-313-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/1564-182-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/2484-296-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB