Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20241023-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    16/01/2025, 13:35

General

  • Target

    JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe

  • Size

    273KB

  • MD5

    77e4a09f51ac15c49efe64f2ccf1ad3c

  • SHA1

    40e8706615d0467049a2cd959bb18313f37e15d9

  • SHA256

    25cef316d6324015889af288605d17cf6d046c6acc7196144f2f4022bf48e1d1

  • SHA512

    55b53e0ef9275b54ee9bde11fb5798b9da202c7a7acca5ad1f348adab3d130cf0fa88cfc5c73110cf0a1b9a7e275ca069839bff58e6baa450922a6d39b20a2a7

  • SSDEEP

    6144:N8VaXlr/CI6k22BkRreQb1fz5KZikZfedTyTDF:z7TL4heQptwjdeJk

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 7 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
  • Pony family
  • Pony,Fareit

    Pony (also known as Fareit) is an information-stealing trojan that harvests stored credentials from browsers, FTP clients and other installed software.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
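The "UPX packed file" signature above fires on section names and the packer's header magic. The following is an added example (not part of this report and not tria.ge's own detection code) that walks the PE headers by hand and applies the same two checks; the `build_minimal_pe` helper constructs throwaway, non-executable PE blobs so the check can be exercised offline without the sample.

```python
import struct
import sys

# Section names stock UPX gives the packed image; modified UPX builds often rename
# them, which is why the PackHeader magic is checked as a second signal.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
# Magic of the UPX PackHeader, normally stored in the header area just after the
# section table and again inside the decompression stub.
UPX_MAGIC = b"UPX!"


def pe_section_names(data: bytes) -> list[str]:
    """Walk MZ -> PE signature -> COFF header -> section table; return section names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # first IMAGE_SECTION_HEADER (40 bytes each)
    names = []
    for i in range(nsections):
        raw = data[table + i * 40: table + i * 40 + 8]  # IMAGE_SECTION_HEADER.Name
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\x00").decode("latin-1"))
    return names


def is_upx_packed(data: bytes) -> bool:
    """True if either the section names or the PackHeader magic point at UPX."""
    names = pe_section_names(data)
    return any(n in UPX_SECTION_NAMES for n in names) or UPX_MAGIC in data


def build_minimal_pe(section_names: list[bytes], overlay: bytes = b"") -> bytes:
    """Constructed test fixture: a tiny PE32 blob with only the fields the
    detector reads populated. It is not loadable and is not the report's sample."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)  # PE32 magic, rest zero
    table = b"".join(n.ljust(8, b"\x00")[:8] + b"\x00" * 32 for n in section_names)
    return dos + b"PE\x00\x00" + coff + opt + table + overlay


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read()
    print(f"{sys.argv[1]}: sections={pe_section_names(blob)} upx={is_upx_packed(blob)}")
```

Run it as `python upxcheck.py <file>` against a suspect binary. Neither signal alone is conclusive: a renamed-section build defeats the first check, and a stray `UPX!` string in an unrelated file trips the second, so treat a hit as a reason to unpack and look further rather than as a verdict.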

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2988
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe startC:\Users\Admin\AppData\Roaming\33302\04F62.exe%C:\Users\Admin\AppData\Roaming\33302
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2952
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe startC:\Program Files (x86)\02796\lvvm.exe%C:\Program Files (x86)\02796
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2480
    • C:\Program Files (x86)\LP\6263\426D.tmp
      "C:\Program Files (x86)\LP\6263\426D.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3004
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2540
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:876
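The process tree above shows two behaviours worth turning into detections: the sample relaunches its own image with a command line of the form `start<dropped exe>%<dropped directory>`, and a `.tmp` file under `Program Files (x86)` is executed. The following is an added example (not part of this report) that runs both checks over process-creation records; the records are constructed from the PIDs, images and command lines shown on this page, while the record schema and the parent PID of the top-level processes are assumed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (hypothetical schema, not tria.ge's)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# "<image> start<dropped exe>%<dropped dir>" as seen in the report; the two
# groups recover the dropped paths. Case-insensitive because Windows paths are.
SELF_RELAUNCH = re.compile(r"\sstart([A-Za-z]:\\[^%]+?\.exe)%([A-Za-z]:\\\S.*)$", re.I)
# A .tmp file executed out of Program Files / Program Files (x86).
TMP_EXEC = re.compile(r"\\Program Files( \(x86\))?\\.*\.tmp$", re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe"

# Constructed from the process tree on this page; ppid 1000 for the top-level
# processes is an assumption, the report does not show it.
EVENTS = [
    ProcEvent(2988, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2952, 2988, SAMPLE,
              SAMPLE + r" startC:\Users\Admin\AppData\Roaming\33302\04F62.exe%C:\Users\Admin\AppData\Roaming\33302"),
    ProcEvent(2480, 2988, SAMPLE,
              SAMPLE + r" startC:\Program Files (x86)\02796\lvvm.exe%C:\Program Files (x86)\02796"),
    ProcEvent(3004, 2988, r"C:\Program Files (x86)\LP\6263\426D.tmp",
              r'"C:\Program Files (x86)\LP\6263\426D.tmp"'),
    ProcEvent(2540, 1000, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
]


def detect(events: list[ProcEvent]) -> list[dict]:
    """Return one finding per rule hit, in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        m = SELF_RELAUNCH.search(e.cmdline)
        # Rule 1: same image as the parent AND the start<path>%<dir> argument.
        if parent is not None and parent.image.lower() == e.image.lower() and m:
            findings.append({"rule": "self-relaunch-with-dropped-path", "pid": e.pid,
                             "dropped_exe": m.group(1), "dropped_dir": m.group(2)})
        # Rule 2: .tmp executed from a Program Files tree.
        if TMP_EXEC.search(e.image):
            findings.append({"rule": "tmp-executed-from-program-files", "pid": e.pid,
                             "image": e.image})
    return findings


def dropped_paths(events: list[ProcEvent]) -> list[str]:
    """Paths worth collecting or hashing during response, taken from rule 1 hits."""
    return [f["dropped_exe"] for f in detect(events) if "dropped_exe" in f]


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

Rule 1 is the more specific of the two: a benign installer rarely re-executes its own image with a `%`-joined pair of paths as a single argument, and the captured paths (`Roaming\33302\04F62.exe`, `Program Files (x86)\02796\lvvm.exe`) are exactly the files a responder should pull next. `msiexec.exe /V` is included as a negative control and matches neither rule.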

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\33302\2796.330

    Filesize

    996B

    MD5

    73f8d17edf14ee440b2eee26966c4370

    SHA1

    3cb776322def609f0016d1cce5b1230b961ac87d

    SHA256

    0fd1eb1ab2df2021c090b9dd2e26558f3cefc05d05b74bf7a6070a966bd34cd2

    SHA512

    29183fb516a13967164583da43280335fd884840cc3c52de87581ca9da0d4dbebad1b9a5bb370e9bc1eeffab64661bb30be653718b2215411944ef2f21892d88

  • C:\Users\Admin\AppData\Roaming\33302\2796.330

    Filesize

    1KB

    MD5

    d664d9f0e55c4b544e1717cde7ac824a

    SHA1

    3b8dac1ae406e601453059830169945f63796ab6

    SHA256

    ead84d9d11f60dd94482b611becacb3f90351104d29618ba31386e2f191c8d08

    SHA512

    e678850c0aa1f308fcb294a1a97d72d730c00a65fa595584274e13d02ec94ccd5b6da006cc85a7ed77215ef5327a332feee6cc14b8920bd007ac0eeade90f5b3

  • C:\Users\Admin\AppData\Roaming\33302\2796.330

    Filesize

    600B

    MD5

    34ea68419f7bad9d6f5a6381abbea3af

    SHA1

    73e087f8585ed27939a666eacc3cf8dcc4dd624a

    SHA256

    6c23dae539ebd996fc0d0508724e2436890842c80a875ed593f5a3845d5d4582

    SHA512

    4f48e7599bed2b2a7db8720122bc27482aa37a796145b345d8b6b863a5d7103c9a6b4897ac2da94ea72a21b7c2bef8ca53f8cb9d7c21ccef69e47b1ed1757b45

  • C:\Users\Admin\AppData\Roaming\33302\2796.330

    Filesize

    300B

    MD5

    2bb622e9863896d35d5d4acf4c9d0578

    SHA1

    87976febb8361c555a3c76cfa1e3089b0cfdcb08

    SHA256

    712debbda83ffaec882a4b21fac184fc587b0fd5c3c9c4f5e6eb7a183e92f72c

    SHA512

    66df51dca13d913d15ec5fbd7291097e75c6813110f4ef78936b879b29c1a5bd3c8ccfe6cdbf3a36597d7cc16f0ff6dcfb8e53a63466d1b58a5879156c135a6e

  • \Program Files (x86)\LP\6263\426D.tmp

    Filesize

    96KB

    MD5

    a26219a94cdad7b6977c8d8e8464c262

    SHA1

    41b54268d8f67973e640395f1940238e915e4521

    SHA256

    7acab258a6879bf9bb647ead7beb4d32e36334d16c49fc0642ac61cf25413866

    SHA512

    4cf35e7c7211a4fe7b210b70394a31a812f9663a516c9eb54c9c1b73acee18bd37fffe2abe54149e6b450b9adbbe89cff53a3ef1b1ff1a90d39d09b16de1d75d

  • memory/2480-185-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2480-183-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2952-70-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2952-72-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2952-69-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2988-68-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/2988-181-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2988-0-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2988-66-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2988-3-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2988-2-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/2988-380-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2988-385-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/3004-381-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/3004-382-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB