Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    15/01/2025, 11:47

General

  • Target
    JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe
  • Size
    1.9MB
  • MD5
    560c57996398b6d5fcda78ca1372dfe7
  • SHA1
    2881fb19501b0bfb91cd80b0270e7bbc04853a27
  • SHA256
    72a9721c2098fa1760d735bf2482caee20df5b3b56437ab776639825f4f0f8a7
  • SHA512
    f520e3bc1d3df2dfe34758dbab202a476223973db52b3b8d0e262d5816a1d184d919b9d53e4ef0f2b93f4b1b63ee3bf211254fd2051a32a2987978496bf4db44
  • SSDEEP
    24576:Uc9ZDtTS7od7341D2+jjqBicDSdwAO3BECoRypw649dq3YayQUP99R11GJ:Ucdh73WD2IcicDsZO3Bjw964zqOt114

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 7 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
  • Pony family
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 14 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 2 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 23 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Users\Admin\AppData\Local\Temp\dwme.exe
      "C:\Users\Admin\AppData\Local\Temp\dwme.exe"
      2⤵
      • Modifies security service
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2820
      • C:\Users\Admin\AppData\Local\Temp\dwme.exe
        C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Users\Admin\AppData\Roaming\EADC2\DBD8E.exe%C:\Users\Admin\AppData\Roaming\EADC2
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1368
      • C:\Users\Admin\AppData\Local\Temp\dwme.exe
        C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Program Files (x86)\C2966\lvvm.exe%C:\Program Files (x86)\C2966
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:112
      • C:\Program Files (x86)\LP\8E3E\D124.tmp
        "C:\Program Files (x86)\LP\8E3E\D124.tmp"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1872
    • C:\Users\Admin\AppData\Roaming\dwme.exe
      C:\Users\Admin\AppData\Roaming\dwme.exe auto
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2716
    • C:\Windows\SysWOW64\Cloud AV 2012v121.exe
      C:\Windows\system32\Cloud AV 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2304
      • C:\Users\Admin\AppData\Roaming\pNyxA0uvSiFpGaH\Cloud AV 2012v121.exe
        C:\Users\Admin\AppData\Roaming\pNyxA0uvSiFpGaH\Cloud AV 2012v121.exe 5985C:\Windows\SysWOW64\Cloud AV 2012v121.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:2652
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2148
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1268

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\EADC2\2966.ADC
    Filesize 300B
    MD5 7b1235fbfef86c5e53a2e4fb6e38765a
    SHA1 12371b3665c123668cd0b243c41ab06c2c10e854
    SHA256 5d80b7cc60ca67127125e0c4462136bff3873c80bdec98b7bffea2f8b18639aa
    SHA512 c3fdaf3280ca392d2ce9d0e3bc4d2bce09ce4c12c2b653edff354335c3615592ae12aada9f2a1a3316c8674ef0dad4959978e314f3dc098ade2a2cb020d6fd47
  • C:\Users\Admin\AppData\Roaming\EADC2\2966.ADC
    Filesize 696B
    MD5 7fdea80b614e9c89dc668191affdc131
    SHA1 23dc28a6264451d4338df3eaa0b7422b4b2468bf
    SHA256 7d54a5e5dd04353d521d7132838813554cf10d4f2a618eb2b7b5ccd975c26e74
    SHA512 13e5ed1e3cbe2312a582f5e5bf5e1fe073216ae4ada6f747f0b7b2e1d021b76d08b93f8957df8bcad4c2c08bf3d5b3eb7449b20392161500561856759280ac08
  • C:\Users\Admin\AppData\Roaming\EADC2\2966.ADC
    Filesize 1KB
    MD5 12509006c636251a57d0bc705090b737
    SHA1 6d9609cd463790dd11b1484f6a1ef9f6c2c0a1e7
    SHA256 632dbec073f5db24b78b99cf6a89b62d199754922fb14703e9e9b86d85090cfc
    SHA512 a7ffd0248e4711fc5cb978952dc465f2f42d2064a55777c0019d5a4a674a3505d69448930993cdf2f1f92363415b7bb9c7052729b2ff9d38f7a20c5e7e000f60
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cloud AV 2012\Cloud AV 2012.lnk
    Filesize 1KB
    MD5 3aec0d13044e467c048095ce87568da5
    SHA1 784cbec652a210d3139fd4360b98fc7b6dc8fdbe
    SHA256 07cfe63f5811d4a1fd1eb14243611ed191dadb733aeecac1437cf5e8196dac61
    SHA512 c118b29d0bfa892fa9754d054745123d5a1dfccd478eb5220fdebcac92ece67426066bafceed7087eb6c5a9463631204aae64a47e2e9b19b7fd08d92c643b3b3
  • C:\Users\Admin\AppData\Roaming\ahst.lni
    Filesize 1KB
    MD5 e7f5da6edc5f0e41120248aa7ce7bc90
    SHA1 6ac49387d136200c5406dc6232c731cf17f2421c
    SHA256 afaac1d908ff3b41c5ecc81c1db731b4bd06b6105ff53982570e15173632d9e6
    SHA512 f980ed1ed3e9a3f2b62c08fa4408e2e324ee0941e4e994257361a68a736490c2864f2bfdeee14ea3cc684b68bcc0d43749716d10ad5030477652f69507cb7c3f
  • C:\Users\Admin\AppData\Roaming\x1ivD2onFpHsJd\Cloud AV 2012.ico
    Filesize 12KB
    MD5 bb87f71a6e7f979fcb716926d452b6a8
    SHA1 f41e3389760eaea099720e980e599a160f0413b9
    SHA256 14c9c49d8ead9ab59a56c328008f59c20b32c3ad22c00e02d34e16ad7086fe84
    SHA512 e1d14363274e367ea600afc357d012233fc68f0636e8d05b29992e762d31e9a55b4fa38b08613c2ca528d7fb0f547774a3a3dc79aada32c2c7359c3edcdb549d
  • C:\Users\Admin\Desktop\Cloud AV 2012.lnk
    Filesize 1KB
    MD5 dcbef6ada34d04a250e091ae2a6e3fa3
    SHA1 a88c3f8d7ca6648685070cf48296506ee98ff530
    SHA256 601195cc2c0e7786ef988e418cbeaa8fc7c7131c157e9027da06152f493947f0
    SHA512 aba33ce8c56574068651fe5dd28bd6c44db28fc406de23c06a545f2285c0417a025402a928b299ba7f7c2069617de59b4151e3e37b9cd1aceeafb09c469828ba
  • C:\Windows\System32\drivers\etc\hosts
    Filesize 1KB
    MD5 7b9ba10c96d2d607c3d386d2a91ba265
    SHA1 5f058d62033bf4f9f5b43d19205f07661439d299
    SHA256 36383c9b0bb89aec491d1b9cd71d894f8c9708687bc4b35108446f07dc626b68
    SHA512 b3787f350b3fbf006f71b7a243df286dbb2c5f5d9a733151c99cbb417a75022a213e0575f0660c259614b876883e769de1fbdae4d032c22d57e8a89e94535a82
  • C:\Windows\System32\drivers\etc\hosts
    Filesize 1KB
    MD5 f48cfb5db32cdf990f35a5ef9146dbf4
    SHA1 09b4f991e17aba915160f6c153c6d78e2d4aa4d9
    SHA256 72439cac78aae2122ddea93a12f562ea85c9fb909bef25cae982480a2d51f397
    SHA512 385c74297ee70bdce1cf2dbcafd95e1d96f1b9ffd0fac713d614f84b9d02c28359276434ea164082ae46b312f40dd9911a27526df2ef3613118a0efc9271d301
  • \Program Files (x86)\LP\8E3E\D124.tmp
    Filesize 98KB
    MD5 452ca0be44887092384b55fbb84d79c7
    SHA1 c51135c52fdff98dacc66b1bbb5dd215b90d3a8b
    SHA256 fe1aa7fbb7f031ee7e5213dd6656d1502f127f6ddbd5b9aab8f6d880031ea688
    SHA512 9fb18a250f93fba63cf40e8efe58ef687ad197f764f1f16b23a9cbf6efc64fe60a75b523ff1c8876fa70f597f8149139410396c03db58294fce5019ea627ff07
  • \Users\Admin\AppData\Local\Temp\dwme.exe
    Filesize 277KB
    MD5 6c7fd9ac3c7b209e7d376732d24fcc9e
    SHA1 0f0627913b903f8f3ffb4e72036369d5b0a3130f
    SHA256 31ea4bb0be33dc11d75951c1fcc0496a90fdb0057c262579326f89d42b927ff9
    SHA512 518e91820855d8088b474bc843d5d1fb72349b9f37b15dc89f8e72c45a9b935bc1a357f999a5371020edcf739a79636c22478c11a291192a5ac28c164e54e4af
  • \Windows\SysWOW64\Cloud AV 2012v121.exe
    Filesize 1.9MB
    MD5 560c57996398b6d5fcda78ca1372dfe7
    SHA1 2881fb19501b0bfb91cd80b0270e7bbc04853a27
    SHA256 72a9721c2098fa1760d735bf2482caee20df5b3b56437ab776639825f4f0f8a7
    SHA512 f520e3bc1d3df2dfe34758dbab202a476223973db52b3b8d0e262d5816a1d184d919b9d53e4ef0f2b93f4b1b63ee3bf211254fd2051a32a2987978496bf4db44
  • memory/112-198-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize 424KB
  • memory/1368-123-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize 424KB
  • memory/1872-307-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize 112KB
  • memory/1872-308-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize 112KB
  • memory/2228-2-0x0000000000400000-0x0000000000917000-memory.dmp
    Filesize 5.1MB
  • memory/2228-29-0x0000000000400000-0x0000000000914000-memory.dmp
    Filesize 5.1MB
  • memory/2228-28-0x0000000000400000-0x0000000000917000-memory.dmp
    Filesize 5.1MB
  • memory/2228-0-0x0000000002FD0000-0x00000000033E5000-memory.dmp
    Filesize 4.1MB
  • memory/2228-1-0x0000000000400000-0x0000000000914000-memory.dmp
    Filesize 5.1MB
  • memory/2304-40-0x0000000000400000-0x0000000000917000-memory.dmp
    Filesize 5.1MB
  • memory/2304-30-0x0000000002F00000-0x0000000003315000-memory.dmp
    Filesize 4.1MB
  • memory/2652-204-0x0000000000400000-0x0000000000917000-memory.dmp
    Filesize 5.1MB
  • memory/2652-126-0x0000000000400000-0x0000000000917000-memory.dmp
    Filesize 5.1MB
  • memory/2652-294-0x0000000000400000-0x0000000000917000-memory.dmp
    Filesize 5.1MB
  • memory/2652-44-0x0000000003020000-0x0000000003435000-memory.dmp
    Filesize 4.1MB
  • memory/2652-309-0x0000000000400000-0x0000000000917000-memory.dmp
    Filesize 5.1MB
  • memory/2716-43-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize 424KB
  • memory/2820-194-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize 424KB
  • memory/2820-119-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize 424KB
  • memory/2820-302-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize 424KB
  • memory/2820-371-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize 424KB