Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
14/01/2025, 16:49
General
-
Target
JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe
-
Size
276KB
-
MD5
40be4a80bda341d45bdce52fd71f1016
-
SHA1
1c1d22748408df3aecc294d82f54d4196fc20f07
-
SHA256
1ba4cdf98fe8dfb296395d03ac1528f8b505799b25f025a21746574acf7af1ee
-
SHA512
592902f6a410ce4e280b0102b0631f645bea67dca57991434b551c17b616e0be85fe6f8d70c18d38372afb180cb72b5d63fccb454b5816d8eaf0474778dffc06
-
SSDEEP
6144:gJx+g2CJuBZ4fdhpXhn6UHWTlX2twd49i6L5Sp8:L9ZCPBh6U2TlXd4Y6LEp
Malware Config
Signatures
-
Cycbot
Cycbot is a backdoor and trojan written in C++..
-
Cycbot family
-
Detects Cycbot payload 8 IoCs
Cycbot is a backdoor and trojan written in C++.
-
Modifies security service 2 TTPs 1 IoCs
-
Pony family
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe startC:\Users\Admin\AppData\Roaming\699DD\F5B48.exe%C:\Users\Admin\AppData\Roaming\699DD2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe startC:\Program Files (x86)\DD70E\lvvm.exe%C:\Program Files (x86)\DD70E2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\LP\48B6\6CD7.tmp"C:\Program Files (x86)\LP\48B6\6CD7.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD50769b39aff5422cbf33ebafbe158744d
SHA1e851e18a4b3db110ccf979ffa6de93e8f3ef3315
SHA256a6cc026a5e941469b50100eebd02b7ffdc08066b934a5b59ed24d444fd87393d
SHA512c5e6fdcdcfba373841f9547b4c76f012eb87654f9e54d16b91298e57b760448617a9449dc6b53adc789e6db89ffa21c5d3d729e27a5345a64ccfec0c3be93181
-
Filesize
600B
MD5183f2d86bb24cd55a4686e0bd701fc92
SHA184126db887539f57376190c9ef8657cf40544202
SHA25652c7cb5242233f4e0f523689cc3b7e22f9fbea3e6e267db7f90263c25cac81cd
SHA512ec671359989e6e7a46a76e3837da08f29f94dd7a728e04d0644f92b9712fd44dacdbed9cbe1c3cb6c093cd4b5ce56e4dd85c0fe0f814337c00e89f74b5d97490
-
Filesize
96KB
MD5b1fe9cd43e3c6a1dc3dbec8ab8931dca
SHA12e0c15719ca6bf30b60bb9dce5784e2b5e393702
SHA25657baaf3b29e65c7ccc724edb82a485a2f4c95520a2d3577c858cbf7c1b0eca7f
SHA51249ef4f35a4c7fbbe349dd9b1375183d433c47989ba4dc33eee3bb19112fce6fa6ec0c2d1d977356665de2da00b394af16a1d36241c1372070d9fc1bd033d70be
-
Filesize
424KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
412KB
-
Filesize
424KB
-
Filesize
412KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB