Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
15/12/2024, 16:32
Static task
static1
Behavioral task
behavioral1
Sample
f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe
-
Size
92KB
-
MD5
f4d2317df7b2692127ec91394ad710e0
-
SHA1
7eaf17dab2fffd7a098e5b3a28ef058f92b521bc
-
SHA256
359fea228489bf2a6e3ae4c1b21b8f4287854b4dfba73e31b9ff4f618a67cdc7
-
SHA512
72d47c56445dc29e9c241a990e0862f038b535dcf4950694287d0d6f4beab7e13137c99b59ef148efafd554ed43f21325d554f57fff00912bce11ef9cadb8808
-
SSDEEP
1536:4XRvprtjevt2ikjRD6kr+p+aJEA8MekeZpTzXcMK3/cJI8vHmY+T:4XB36vt2xD6G+1JEArIJrcMK3/cG8f
Malware Config
Extracted
pony
http://kurtst.pw:4915/doc/black.php
http://kurtst.pw:888/doc/black.php
-
payload_url
http://kytrus.pw:888/pic/Flash.exe
Signatures
-
Pony family
-
Drops file in Drivers directory 3 IoCs
description ioc Process File created C:\Windows\system32\drivers\etc\tmp.tmp f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe File created C:\Windows\system32\drivers\etc\hosts.sam cmd.exe File opened for modification C:\Windows\system32\drivers\etc\hosts.sam cmd.exe -
Deletes itself 1 IoCs
pid Process 2804 cmd.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe -
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
pid Process 2768 cmd.exe 2788 at.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2804 cmd.exe 2236 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2236 PING.EXE -
Suspicious use of AdjustPrivilegeToken 32 IoCs
description pid Process Token: SeImpersonatePrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeTcbPrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeCreateTokenPrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeBackupPrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeRestorePrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeAssignPrimaryTokenPrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeImpersonatePrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeTcbPrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeCreateTokenPrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeBackupPrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeRestorePrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeAssignPrimaryTokenPrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeImpersonatePrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeTcbPrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeCreateTokenPrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeBackupPrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeRestorePrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeAssignPrimaryTokenPrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeImpersonatePrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeTcbPrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeCreateTokenPrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeBackupPrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeRestorePrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe Token: SeAssignPrimaryTokenPrivilege 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2888 wrote to memory of 2768 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe 31 PID 2888 wrote to memory of 2768 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe 31 PID 2888 wrote to memory of 2768 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe 31 PID 2888 wrote to memory of 2768 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe 31 PID 2888 wrote to memory of 2804 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe 32 PID 2888 wrote to memory of 2804 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe 32 PID 2888 wrote to memory of 2804 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe 32 PID 2888 wrote to memory of 2804 2888 f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe 32 PID 2768 wrote to memory of 2788 2768 cmd.exe 35 PID 2768 wrote to memory of 2788 2768 cmd.exe 35 PID 2768 wrote to memory of 2788 2768 cmd.exe 35 PID 2768 wrote to memory of 2788 2768 cmd.exe 35 PID 2804 wrote to memory of 2236 2804 cmd.exe 36 PID 2804 wrote to memory of 2236 2804 cmd.exe 36 PID 2804 wrote to memory of 2236 2804 cmd.exe 36 PID 2804 wrote to memory of 2236 2804 cmd.exe 36 -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe"1⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:2888 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy C:\Windows\system32\drivers\etc\hosts C:\Windows\system32\drivers\etc\hosts.sam /Y && at 16:36:00 /every:M,T,W,Th,F,S,Su cmd.exe "/c attrib -H C:\Windows\system32\drivers\etc\hosts && copy C:\Users\Admin\AppData\Local\Temp\259490191aq C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts"2⤵
- Drops file in Drivers directory
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\at.exeat 16:36:00 /every:M,T,W,Th,F,S,Su cmd.exe "/c attrib -H C:\Windows\system32\drivers\etc\hosts && copy C:\Users\Admin\AppData\Local\Temp\259490191aq C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts"3⤵
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
PID:2788
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping -n 6 localhost && erase "C:\Users\Admin\AppData\Local\Temp\f4d2317df7b2692127ec91394ad710e0_JaffaCakes118.exe"2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\PING.EXEping -n 6 localhost3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2236
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3