Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14/01/2025, 16:49
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe
-
Size
276KB
-
MD5
40be4a80bda341d45bdce52fd71f1016
-
SHA1
1c1d22748408df3aecc294d82f54d4196fc20f07
-
SHA256
1ba4cdf98fe8dfb296395d03ac1528f8b505799b25f025a21746574acf7af1ee
-
SHA512
592902f6a410ce4e280b0102b0631f645bea67dca57991434b551c17b616e0be85fe6f8d70c18d38372afb180cb72b5d63fccb454b5816d8eaf0474778dffc06
-
SSDEEP
6144:gJx+g2CJuBZ4fdhpXhn6UHWTlX2twd49i6L5Sp8:L9ZCPBh6U2TlXd4Y6LEp
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 8 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral1/memory/2748-4-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot behavioral1/memory/2748-5-0x0000000000400000-0x0000000000467000-memory.dmp family_cycbot behavioral1/memory/2748-15-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot behavioral1/memory/2780-19-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot behavioral1/memory/2748-171-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot behavioral1/memory/1000-173-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot behavioral1/memory/2748-308-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot behavioral1/memory/2748-314-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot -
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe -
Pony family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
pid Process 1756 6CD7.tmp -
Loads dropped DLL 2 IoCs
pid Process 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\E38.exe = "C:\\Program Files (x86)\\LP\\48B6\\E38.exe" JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
resource yara_rule behavioral1/memory/2748-3-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2748-4-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2748-5-0x0000000000400000-0x0000000000467000-memory.dmp upx behavioral1/memory/2748-15-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2780-17-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2780-19-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2748-171-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/1000-173-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2748-308-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2748-314-0x0000000000400000-0x000000000046A000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\LP\48B6\E38.exe JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe File opened for modification C:\Program Files (x86)\LP\48B6\E38.exe JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe File opened for modification C:\Program Files (x86)\LP\48B6\6CD7.tmp JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6CD7.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2512 explorer.exe -
Suspicious use of AdjustPrivilegeToken 15 IoCs
description pid Process Token: SeRestorePrivilege 2824 msiexec.exe Token: SeTakeOwnershipPrivilege 2824 msiexec.exe Token: SeSecurityPrivilege 2824 msiexec.exe Token: SeShutdownPrivilege 2512 explorer.exe Token: SeShutdownPrivilege 2512 explorer.exe Token: SeShutdownPrivilege 2512 explorer.exe Token: SeShutdownPrivilege 2512 explorer.exe Token: SeShutdownPrivilege 2512 explorer.exe Token: SeShutdownPrivilege 2512 explorer.exe Token: SeShutdownPrivilege 2512 explorer.exe Token: SeShutdownPrivilege 2512 explorer.exe Token: SeShutdownPrivilege 2512 explorer.exe Token: SeShutdownPrivilege 2512 explorer.exe Token: SeShutdownPrivilege 2512 explorer.exe Token: SeShutdownPrivilege 2512 explorer.exe -
Suspicious use of FindShellTrayWindow 28 IoCs
pid Process 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe 2512 explorer.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2748 wrote to memory of 2780 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe 32 PID 2748 wrote to memory of 2780 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe 32 PID 2748 wrote to memory of 2780 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe 32 PID 2748 wrote to memory of 2780 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe 32 PID 2748 wrote to memory of 1000 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe 36 PID 2748 wrote to memory of 1000 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe 36 PID 2748 wrote to memory of 1000 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe 36 PID 2748 wrote to memory of 1000 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe 36 PID 2748 wrote to memory of 1756 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe 37 PID 2748 wrote to memory of 1756 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe 37 PID 2748 wrote to memory of 1756 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe 37 PID 2748 wrote to memory of 1756 2748 JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe 37 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2748 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe startC:\Users\Admin\AppData\Roaming\699DD\F5B48.exe%C:\Users\Admin\AppData\Roaming\699DD2⤵
- System Location Discovery: System Language Discovery
PID:2780
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40be4a80bda341d45bdce52fd71f1016.exe startC:\Program Files (x86)\DD70E\lvvm.exe%C:\Program Files (x86)\DD70E2⤵
- System Location Discovery: System Language Discovery
PID:1000
-
-
C:\Program Files (x86)\LP\48B6\6CD7.tmp"C:\Program Files (x86)\LP\48B6\6CD7.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1756
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2824
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2512
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD50769b39aff5422cbf33ebafbe158744d
SHA1e851e18a4b3db110ccf979ffa6de93e8f3ef3315
SHA256a6cc026a5e941469b50100eebd02b7ffdc08066b934a5b59ed24d444fd87393d
SHA512c5e6fdcdcfba373841f9547b4c76f012eb87654f9e54d16b91298e57b760448617a9449dc6b53adc789e6db89ffa21c5d3d729e27a5345a64ccfec0c3be93181
-
Filesize
600B
MD5183f2d86bb24cd55a4686e0bd701fc92
SHA184126db887539f57376190c9ef8657cf40544202
SHA25652c7cb5242233f4e0f523689cc3b7e22f9fbea3e6e267db7f90263c25cac81cd
SHA512ec671359989e6e7a46a76e3837da08f29f94dd7a728e04d0644f92b9712fd44dacdbed9cbe1c3cb6c093cd4b5ce56e4dd85c0fe0f814337c00e89f74b5d97490
-
Filesize
96KB
MD5b1fe9cd43e3c6a1dc3dbec8ab8931dca
SHA12e0c15719ca6bf30b60bb9dce5784e2b5e393702
SHA25657baaf3b29e65c7ccc724edb82a485a2f4c95520a2d3577c858cbf7c1b0eca7f
SHA51249ef4f35a4c7fbbe349dd9b1375183d433c47989ba4dc33eee3bb19112fce6fa6ec0c2d1d977356665de2da00b394af16a1d36241c1372070d9fc1bd033d70be