Analysis

  • max time kernel: 140s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 14/01/2025, 16:49

General

  • Target: JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe
  • Size: 276KB
  • MD5: 40be4a80bda341d45bdce52fd71f1016
  • SHA1: 1c1d22748408df3aecc294d82f54d4196fc20f07
  • SHA256: 1ba4cdf98fe8dfb296395d03ac1528f8b505799b25f025a21746574acf7af1ee
  • SHA512: 592902f6a410ce4e280b0102b0631f645bea67dca57991434b551c17b616e0be85fe6f8d70c18d38372afb180cb72b5d63fccb454b5816d8eaf0474778dffc06
  • SSDEEP: 6144:gJx+g2CJuBZ4fdhpXhn6UHWTlX2twd49i6L5Sp8:L9ZCPBh6U2TlXd4Y6LEp

Malware Config

Signatures

  • Cycbot
    Cycbot is a backdoor and trojan written in C++.
  • Cycbot family
  • Detects Cycbot payload (8 IoCs)
    Cycbot is a backdoor and trojan written in C++.
  • Modifies security service (2 TTPs, 1 IoCs)
  • Pony family
  • Pony, Fareit
    Pony is a Remote Access Trojan application that steals information.
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoCs)
    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  • Disables taskbar notifications via registry modification
  • Executes dropped EXE (1 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads data files stored by FTP clients (2 TTPs)
    Tries to access configuration files associated with programs like FileZilla.
  • Reads user/profile data of web browsers (3 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Unsecured Credentials: Credentials In Files (1 TTPs)
    Steals credentials from unsecured files.
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Checks installed software on the system (1 TTPs)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  • UPX packed file (10 IoCs)
    Detects executables packed with UPX/modified UPX open source packer.
  • Drops file in Program Files directory (3 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Modifies registry class (5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (14 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (15 IoCs)
  • Suspicious use of FindShellTrayWindow (28 IoCs)
  • Suspicious use of SendNotifyMessage (18 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)
  • System policy modification (1 TTPs, 2 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2748
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe startC:\Users\Admin\AppData\Roaming\699DD\F5B48.exe%C:\Users\Admin\AppData\Roaming\699DD
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2780
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe startC:\Program Files (x86)\DD70E\lvvm.exe%C:\Program Files (x86)\DD70E
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1000
    • C:\Program Files (x86)\LP\48B6\6CD7.tmp
      "C:\Program Files (x86)\LP\48B6\6CD7.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1756
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2824
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2512

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\699DD\D70E.99D
    Filesize: 1KB
    MD5: 0769b39aff5422cbf33ebafbe158744d
    SHA1: e851e18a4b3db110ccf979ffa6de93e8f3ef3315
    SHA256: a6cc026a5e941469b50100eebd02b7ffdc08066b934a5b59ed24d444fd87393d
    SHA512: c5e6fdcdcfba373841f9547b4c76f012eb87654f9e54d16b91298e57b760448617a9449dc6b53adc789e6db89ffa21c5d3d729e27a5345a64ccfec0c3be93181

  • C:\Users\Admin\AppData\Roaming\699DD\D70E.99D
    Filesize: 600B
    MD5: 183f2d86bb24cd55a4686e0bd701fc92
    SHA1: 84126db887539f57376190c9ef8657cf40544202
    SHA256: 52c7cb5242233f4e0f523689cc3b7e22f9fbea3e6e267db7f90263c25cac81cd
    SHA512: ec671359989e6e7a46a76e3837da08f29f94dd7a728e04d0644f92b9712fd44dacdbed9cbe1c3cb6c093cd4b5ce56e4dd85c0fe0f814337c00e89f74b5d97490

  • \Program Files (x86)\LP\48B6\6CD7.tmp
    Filesize: 96KB
    MD5: b1fe9cd43e3c6a1dc3dbec8ab8931dca
    SHA1: 2e0c15719ca6bf30b60bb9dce5784e2b5e393702
    SHA256: 57baaf3b29e65c7ccc724edb82a485a2f4c95520a2d3577c858cbf7c1b0eca7f
    SHA512: 49ef4f35a4c7fbbe349dd9b1375183d433c47989ba4dc33eee3bb19112fce6fa6ec0c2d1d977356665de2da00b394af16a1d36241c1372070d9fc1bd033d70be

  • memory/1000-173-0x0000000000400000-0x000000000046A000-memory.dmp (Filesize: 424KB)
  • memory/1756-309-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
  • memory/1756-310-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
  • memory/2748-0-0x0000000000400000-0x000000000046A000-memory.dmp (Filesize: 424KB)
  • memory/2748-3-0x0000000000400000-0x000000000046A000-memory.dmp (Filesize: 424KB)
  • memory/2748-171-0x0000000000400000-0x000000000046A000-memory.dmp (Filesize: 424KB)
  • memory/2748-5-0x0000000000400000-0x0000000000467000-memory.dmp (Filesize: 412KB)
  • memory/2748-4-0x0000000000400000-0x000000000046A000-memory.dmp (Filesize: 424KB)
  • memory/2748-2-0x0000000000400000-0x0000000000467000-memory.dmp (Filesize: 412KB)
  • memory/2748-308-0x0000000000400000-0x000000000046A000-memory.dmp (Filesize: 424KB)
  • memory/2748-15-0x0000000000400000-0x000000000046A000-memory.dmp (Filesize: 424KB)
  • memory/2748-314-0x0000000000400000-0x000000000046A000-memory.dmp (Filesize: 424KB)
  • memory/2780-19-0x0000000000400000-0x000000000046A000-memory.dmp (Filesize: 424KB)
  • memory/2780-17-0x0000000000400000-0x000000000046A000-memory.dmp (Filesize: 424KB)