Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 140s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 13/01/2025, 07:52
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_24fd0ec3e4d6053871dfc2d39af9b84b.exe
- Resource: win7-20240903-en
General
- Target: JaffaCakes118_24fd0ec3e4d6053871dfc2d39af9b84b.exe
- Size: 274KB
- MD5: 24fd0ec3e4d6053871dfc2d39af9b84b
- SHA1: 2f3f85a2e31eaa679ea8fa3c93878e95748b401c
- SHA256: 2cdb2e3aac502f958197be085974fda90ac9907501f935cfac4776225418e321
- SHA512: 21257343e7f3ab295b5eaf71f7ded14a979c6d34273d8f3faae97ceb64e4fdac646c4a422ded1e4f879bc9694ea087d2a4ad778295119101438600d8c15f94e7
- SSDEEP: 6144:to3xSRRP+Q80V/e1xkALD4tvTiJQ3U21DbryGhNgeSq:to3gmf0V/6ewDwv+I1DbRfjSq
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (7 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource | yara_rule
  behavioral1/memory/2004-9-0x0000000000400000-0x000000000046A000-memory.dmp | family_cycbot
  behavioral1/memory/2004-11-0x0000000000400000-0x0000000000467000-memory.dmp | family_cycbot
  behavioral1/memory/780-12-0x0000000000400000-0x000000000046A000-memory.dmp | family_cycbot
  behavioral1/memory/2004-115-0x0000000000400000-0x000000000046A000-memory.dmp | family_cycbot
  behavioral1/memory/1364-117-0x0000000000400000-0x000000000046A000-memory.dmp | family_cycbot
  behavioral1/memory/2004-243-0x0000000000400000-0x000000000046A000-memory.dmp | family_cycbot
  behavioral1/memory/2004-294-0x0000000000400000-0x000000000046A000-memory.dmp | family_cycbot
- Modifies security service (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" | JaffaCakes118_24fd0ec3e4d6053871dfc2d39af9b84b.exe
- Pony family
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
- Disables taskbar notifications via registry modification
- Executes dropped EXE (1 IoC)
  pid | Process
  1632 | 2C6D.tmp
- Loads dropped DLL (2 IoCs)
  pid | Process
  2004 | JaffaCakes118_24fd0ec3e4d6053871dfc2d39af9b84b.exe (2 entries)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Unsecured Credentials: Credentials In Files (1 TTP)
  Steal credentials from unsecured files.
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\18D.exe = "C:\\Program Files (x86)\\LP\\D052\\18D.exe" | JaffaCakes118_24fd0ec3e4d6053871dfc2d39af9b84b.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- YARA rule matches: upx (10 IoCs; signature name not present in the source)
  resource | yara_rule
  behavioral1/memory/2004-3-0x0000000000400000-0x000000000046A000-memory.dmp | upx
  behavioral1/memory/2004-9-0x0000000000400000-0x000000000046A000-memory.dmp | upx
  behavioral1/memory/2004-11-0x0000000000400000-0x0000000000467000-memory.dmp | upx
  behavioral1/memory/780-14-0x0000000000400000-0x000000000046A000-memory.dmp | upx
  behavioral1/memory/780-12-0x0000000000400000-0x000000000046A000-memory.dmp | upx
  behavioral1/memory/2004-115-0x0000000000400000-0x000000000046A000-memory.dmp | upx
  behavioral1/memory/1364-117-0x0000000000400000-0x000000000046A000-memory.dmp | upx
  behavioral1/memory/1364-118-0x0000000000400000-0x000000000046A000-memory.dmp | upx
  behavioral1/memory/2004-243-0x0000000000400000-0x000000000046A000-memory.dmp | upx
  behavioral1/memory/2004-294-0x0000000000400000-0x000000000046A000-memory.dmp | upx
- Drops file in Program Files directory (3 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\LP\D052\18D.exe | JaffaCakes118_24fd0ec3e4d6053871dfc2d39af9b84b.exe
  File opened for modification | C:\Program Files (x86)\LP\D052\18D.exe | JaffaCakes118_24fd0ec3e4d6053871dfc2d39af9b84b.exe
  File opened for modification | C:\Program Files (x86)\LP\D052\2C6D.tmp | JaffaCakes118_24fd0ec3e4d6053871dfc2d39af9b84b.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_24fd0ec3e4d6053871dfc2d39af9b84b.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2C6D.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_24fd0ec3e4d6053871dfc2d39af9b84b.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_24fd0ec3e4d6053871dfc2d39af9b84b.exe
- Modifies registry class (5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process
  2004 | JaffaCakes118_24fd0ec3e4d6053871dfc2d39af9b84b.exe (14 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  1692 | explorer.exe
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  description | pid | Process
  Token: SeRestorePrivilege | 2736 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2736 | msiexec.exe
  Token: SeSecurityPrivilege | 2736 | msiexec.exe
  Token: SeShutdownPrivilege | 1692 | explorer.exe (12 entries)
- Suspicious use of FindShellTrayWindow (28 IoCs)
  pid | Process
  1692 | explorer.exe (28 entries)
- Suspicious use of SendNotifyMessage (18 IoCs)
  pid | Process
  1692 | explorer.exe (18 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2004 wrote to memory of 780 | 2004 | JaffaCakes118_24fd0ec3e4d6053871dfc2d39af9b84b.exe | 31 (4 entries)
  PID 2004 wrote to memory of 1364 | 2004 | JaffaCakes118_24fd0ec3e4d6053871dfc2d39af9b84b.exe | 33 (4 entries)
  PID 2004 wrote to memory of 1632 | 2004 | JaffaCakes118_24fd0ec3e4d6053871dfc2d39af9b84b.exe | 36 (4 entries)
- System policy modification (1 TTP, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | JaffaCakes118_24fd0ec3e4d6053871dfc2d39af9b84b.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | JaffaCakes118_24fd0ec3e4d6053871dfc2d39af9b84b.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_24fd0ec3e4d6053871dfc2d39af9b84b.exe (PID 2004)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_24fd0ec3e4d6053871dfc2d39af9b84b.exe"
  - Modifies security service
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_24fd0ec3e4d6053871dfc2d39af9b84b.exe (PID 780)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_24fd0ec3e4d6053871dfc2d39af9b84b.exe startC:\Users\Admin\AppData\Roaming\2E68B\D97D0.exe%C:\Users\Admin\AppData\Roaming\2E68B
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_24fd0ec3e4d6053871dfc2d39af9b84b.exe (PID 1364)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_24fd0ec3e4d6053871dfc2d39af9b84b.exe startC:\Program Files (x86)\8BCAC\lvvm.exe%C:\Program Files (x86)\8BCAC
    - System Location Discovery: System Language Discovery
  - C:\Program Files (x86)\LP\D052\2C6D.tmp (PID 1632)
    Command line: "C:\Program Files (x86)\LP\D052\2C6D.tmp"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
- C:\Windows\system32\msiexec.exe (PID 2736)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe (PID 1692)
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (3)
    - Credentials In Files (3)
Downloads