Analysis
  max time kernel:   140s
  max time network:  121s
  platform:          windows7_x64
  resource:          win7-20241023-en
  resource tags:     arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  submitted:         16/01/2025, 13:35

Static task:      static1
Behavioral task:  behavioral1
  Sample:    JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe
  Resource:  win7-20241023-en
General
  Target:  JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe
  Size:    273KB
  MD5:     77e4a09f51ac15c49efe64f2ccf1ad3c
  SHA1:    40e8706615d0467049a2cd959bb18313f37e15d9
  SHA256:  25cef316d6324015889af288605d17cf6d046c6acc7196144f2f4022bf48e1d1
  SHA512:  55b53e0ef9275b54ee9bde11fb5798b9da202c7a7acca5ad1f348adab3d130cf0fa88cfc5c73110cf0a1b9a7e275ca069839bff58e6baa450922a6d39b20a2a7
  SSDEEP:  6144:N8VaXlr/CI6k22BkRreQb1fz5KZikZfedTyTDF:z7TL4heQptwjdeJk
Malware Config
Signatures

Cycbot family

Detects Cycbot payload  (7 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource                                                                       yara_rule
  behavioral1/memory/2988-66-0x0000000000400000-0x000000000046A000-memory.dmp    family_cycbot
  behavioral1/memory/2988-68-0x0000000000400000-0x0000000000467000-memory.dmp    family_cycbot
  behavioral1/memory/2952-72-0x0000000000400000-0x000000000046A000-memory.dmp    family_cycbot
  behavioral1/memory/2988-181-0x0000000000400000-0x000000000046A000-memory.dmp   family_cycbot
  behavioral1/memory/2480-185-0x0000000000400000-0x000000000046A000-memory.dmp   family_cycbot
  behavioral1/memory/2988-380-0x0000000000400000-0x000000000046A000-memory.dmp   family_cycbot
  behavioral1/memory/2988-385-0x0000000000400000-0x000000000046A000-memory.dmp   family_cycbot
  Every hit is in the image region at 0x400000 of one of the three instances of the sample (PIDs 2988, 2952, 2480); none is on the dropped 426D.tmp (PID 3004).

Modifies security service  (2 TTPs, 1 IoC)
  description      ioc                                                                    Process
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"     JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe
  wscsvc is the Windows Security Center service. Start=3 (manual) keeps it from starting at boot (2 is automatic, 4 is disabled), so the user stops receiving antivirus and firewall status warnings.

Pony family
  (no IoCs are listed for this signature on the page)
Boot or Logon Autostart Execution: Active Setup  (2 TTPs, 1 IoC)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description  ioc                                                                                                              Process
  Key created  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
  The creating process is explorer.exe, not the sample, and only the parent Installed Components key is created, with no component subkey pointing at a payload. On its own this is weak evidence of persistence.

Disables taskbar notifications via registry modification
  (the HideSCAHealth value under System policy modification below)

Executes dropped EXE  (1 IoC)
  pid   Process
  3004  426D.tmp

Loads dropped DLL  (2 IoCs)
  pid   Process
  2988  JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe
  2988  JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe

Reads data files stored by FTP clients  (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers  (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

Unsecured Credentials: Credentials In Files  (1 TTP)
  Steals credentials from unsecured files.
Adds Run key to start application  (2 TTPs, 1 IoC)
  description      ioc                                                                                                                           Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3E9.exe = "C:\\Program Files (x86)\\LP\\6263\\3E9.exe"  JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe
  The sample is a 32-bit process on x64 Windows, so WOW64 registry redirection places the value under Wow6432Node; on a live host query both the 32-bit and 64-bit views (reg query with /reg:32 and /reg:64). 3E9.exe is created in the same directory (see Drops file in Program Files directory) but is never executed during this run.

Checks installed software on the system  (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

UPX packed file  (11 IoCs, yara rule upx)
  resource                                                                       yara_rule
  behavioral1/memory/2988-3-0x0000000000400000-0x000000000046A000-memory.dmp     upx
  behavioral1/memory/2988-66-0x0000000000400000-0x000000000046A000-memory.dmp    upx
  behavioral1/memory/2952-70-0x0000000000400000-0x000000000046A000-memory.dmp    upx
  behavioral1/memory/2952-69-0x0000000000400000-0x000000000046A000-memory.dmp    upx
  behavioral1/memory/2988-68-0x0000000000400000-0x0000000000467000-memory.dmp    upx
  behavioral1/memory/2952-72-0x0000000000400000-0x000000000046A000-memory.dmp    upx
  behavioral1/memory/2988-181-0x0000000000400000-0x000000000046A000-memory.dmp   upx
  behavioral1/memory/2480-183-0x0000000000400000-0x000000000046A000-memory.dmp   upx
  behavioral1/memory/2480-185-0x0000000000400000-0x000000000046A000-memory.dmp   upx
  behavioral1/memory/2988-380-0x0000000000400000-0x000000000046A000-memory.dmp   upx
  behavioral1/memory/2988-385-0x0000000000400000-0x000000000046A000-memory.dmp   upx
  The earliest dump of the main process (2988-3) matches upx only; family_cycbot first matches at dump 2988-66, once the packed image has been unpacked in memory.

Drops file in Program Files directory  (3 IoCs)
  description                   ioc                                        Process
  File created                  C:\Program Files (x86)\LP\6263\3E9.exe     JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe
  File opened for modification  C:\Program Files (x86)\LP\6263\3E9.exe     JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe
  File opened for modification  C:\Program Files (x86)\LP\6263\426D.tmp    JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe

System Location Discovery: System Language Discovery  (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   426D.tmp

Modifies registry class  (5 IoCs)
  description       ioc                                                                                                                            Process
  Key created       \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings                                             explorer.exe
  Key created       \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell            explorer.exe
  Key created       \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU     explorer.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots   explorer.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff   explorer.exe
  These are ShellBag updates by explorer.exe, routine shell activity in the sandbox rather than behaviour of the sample.
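The yara tables above (family_cycbot and upx) name their hits by memory-dump resource, and the useful facts are buried in those names: which PID, which region, and at which point in the run each rule first matched. The following parser is an added example written for this page, not code from the tria.ge report. It reads the dump name as <task>/memory/<pid>-<n>-0x<base>-0x<end>-memory.dmp and treats <n> as a dump index that increases over the run; that reading of the name format is an assumption. The two table strings are the report's own rows, copied in as constructed input.

```python
"""Parse tria.ge memory-dump resource names from the yara tables and join the rules per process.

Added example, not part of the tria.ge report. Assumes the dump name format
<task>/memory/<pid>-<n>-0x<base>-0x<end>-memory.dmp with <n> a dump index that
grows over the run (an assumption about the naming, not documented on the page).
"""
import re
from dataclasses import dataclass

DUMP_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)"
    r"-0x(?P<base>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed input: the report's own yara rows, flattened exactly as the page shows them.
CYCBOT_TABLE = (
    "resource yara_rule "
    "behavioral1/memory/2988-66-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot "
    "behavioral1/memory/2988-68-0x0000000000400000-0x0000000000467000-memory.dmp family_cycbot "
    "behavioral1/memory/2952-72-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot "
    "behavioral1/memory/2988-181-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot "
    "behavioral1/memory/2480-185-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot "
    "behavioral1/memory/2988-380-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot "
    "behavioral1/memory/2988-385-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot -"
)
UPX_TABLE = (
    "resource yara_rule "
    "behavioral1/memory/2988-3-0x0000000000400000-0x000000000046A000-memory.dmp upx "
    "behavioral1/memory/2988-66-0x0000000000400000-0x000000000046A000-memory.dmp upx "
    "behavioral1/memory/2952-70-0x0000000000400000-0x000000000046A000-memory.dmp upx "
    "behavioral1/memory/2952-69-0x0000000000400000-0x000000000046A000-memory.dmp upx "
    "behavioral1/memory/2988-68-0x0000000000400000-0x0000000000467000-memory.dmp upx "
    "behavioral1/memory/2952-72-0x0000000000400000-0x000000000046A000-memory.dmp upx "
    "behavioral1/memory/2988-181-0x0000000000400000-0x000000000046A000-memory.dmp upx "
    "behavioral1/memory/2480-183-0x0000000000400000-0x000000000046A000-memory.dmp upx "
    "behavioral1/memory/2480-185-0x0000000000400000-0x000000000046A000-memory.dmp upx "
    "behavioral1/memory/2988-380-0x0000000000400000-0x000000000046A000-memory.dmp upx "
    "behavioral1/memory/2988-385-0x0000000000400000-0x000000000046A000-memory.dmp upx -"
)


@dataclass(frozen=True)
class Dump:
    task: str
    pid: int
    seq: int   # dump index within the run (assumed to increase over time)
    base: int  # start of the dumped region
    end: int   # end of the dumped region (exclusive)

    @property
    def size(self) -> int:
        return self.end - self.base


def parse_dump(name: str) -> Dump:
    """Split one resource name into its task, pid, dump index and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump resource name: {name!r}")
    return Dump(m["task"], int(m["pid"]), int(m["seq"]), int(m["base"], 16), int(m["end"], 16))


def parse_hits(table: str) -> list[tuple[Dump, str]]:
    """Turn a flattened 'resource yara_rule ...' row string into (dump, rule) pairs.

    Only tokens that look like dump names are taken; the header words and the
    trailing '-' residue are skipped, and the rule is the token after each dump.
    """
    tokens = table.split()
    return [(parse_dump(tok), tokens[i + 1]) for i, tok in enumerate(tokens) if DUMP_RE.match(tok)]


def rules_by_pid(hits: list[tuple[Dump, str]]) -> dict[int, set[str]]:
    """Which yara rules matched anywhere in each process."""
    out: dict[int, set[str]] = {}
    for dump, rule in hits:
        out.setdefault(dump.pid, set()).add(rule)
    return out


def pids_with_both(hits: list[tuple[Dump, str]], rule_a: str, rule_b: str) -> set[int]:
    """Processes in which both rules matched (e.g. packer and family rule)."""
    return {pid for pid, rules in rules_by_pid(hits).items() if {rule_a, rule_b} <= rules}


def first_hit(hits: list[tuple[Dump, str]], pid: int, rule: str):
    """Lowest dump index at which `rule` matched in `pid`, or None if it never did."""
    seqs = [d.seq for d, r in hits if d.pid == pid and r == rule]
    return min(seqs) if seqs else None


if __name__ == "__main__":
    hits = parse_hits(CYCBOT_TABLE) + parse_hits(UPX_TABLE)
    for pid, rules in sorted(rules_by_pid(hits).items()):
        print(pid, sorted(rules),
              "upx first at", first_hit(hits, pid, "upx"),
              "family_cycbot first at", first_hit(hits, pid, "family_cycbot"))
```

Run stand-alone it prints one line per PID. For PID 2988 the upx rule first matches at dump 3 and family_cycbot only at dump 66, on the same 0x400000 region, which is the ordering you expect when a family rule is written against the unpacked code: a memory dump taken before the unpacking stub has run matches only the packer.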
Suspicious behavior: EnumeratesProcesses  (14 IoCs)
  pid   Process
  2988  JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe  (14 events)

Suspicious behavior: GetForegroundWindowSpam  (1 IoC)
  pid  Process
  876  explorer.exe

Suspicious use of AdjustPrivilegeToken  (15 IoCs)
  description                      pid   Process
  Token: SeRestorePrivilege        2540  msiexec.exe
  Token: SeTakeOwnershipPrivilege  2540  msiexec.exe
  Token: SeSecurityPrivilege       2540  msiexec.exe
  Token: SeShutdownPrivilege       876   explorer.exe  (12 events)
  msiexec.exe and explorer.exe are top-level processes in the tree below, not descendants of the sample; these token adjustments are ordinary for those two processes.

Suspicious use of FindShellTrayWindow  (28 IoCs)
  pid  Process
  876  explorer.exe  (28 events)

Suspicious use of SendNotifyMessage  (22 IoCs)
  pid  Process
  876  explorer.exe  (22 events)

Suspicious use of WriteProcessMemory  (12 IoCs)
  description                        pid   Process                                              procid_target
  PID 2988 wrote to memory of 2952   2988  JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe   32  (4 events)
  PID 2988 wrote to memory of 2480   2988  JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe   34  (4 events)
  PID 2988 wrote to memory of 3004   2988  JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe   37  (4 events)
  All writes go from the main process (2988) into the three children it starts; no write into an unrelated process is recorded.

System policy modification  (1 TTP, 2 IoCs)
  description      ioc                                                                                   Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                    JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"  JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe
  HideSCAHealth=1 is the policy that removes the Security Center (Action Center) tray icon, so the wscsvc change above produces no visible warning.

Uses Task Scheduler COM API  (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
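The registry IoCs in this report (the wscsvc Start change, the Wow6432Node Run value, HideSCAHealth, and the Active Setup key) are the kind of events a triage script should pull out of a registry-event stream and attribute to the process that made them. The code below is an added example written for this page, not code from tria.ge. The event lines are constructed to mirror the report's "description ioc Process" rows, with one explorer.exe ShellBag write added as benign noise; the rule names, and the choice to treat Start=3 or 4 on wscsvc as a finding, are this example's own.

```python
"""Flag the registry IoCs from this report in a stream of registry events.

Added example, not part of the tria.ge report. The event lines are constructed
to mirror the report's "description ioc Process" rows; the rule names and
thresholds are this example's own choices, not the sandbox's.
"""
import re
from dataclasses import dataclass

SAMPLE = "JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe"

# Service start types as stored in HKLM\SYSTEM\...\services\<name>\Start.
START_AUTO, START_MANUAL, START_DISABLED = 2, 3, 4

# Constructed events: the report's rows, plus one explorer.exe ShellBag write as benign noise.
EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" ' + SAMPLE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3E9.exe = "C:\\Program Files (x86)\\LP\\6263\\3E9.exe" ' + SAMPLE,
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer ' + SAMPLE,
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" ' + SAMPLE,
    r'Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe',
    r'Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe',
]

# One row: <op> <key>[ = <value>] <process>. Keys may contain spaces, so the key is
# matched lazily and the process is the last whitespace-free token on the line.
EVENT_RE = re.compile(
    r'^(?P<op>Key created|Set value \(\w+\)) (?P<key>\\REGISTRY\\.+?)'
    r'(?: = (?P<val>"[^"]*"|\S+))? (?P<proc>\S+)$'
)


@dataclass(frozen=True)
class Finding:
    rule: str
    key: str
    process: str


def check(event: str):
    """Return a Finding if the event matches one of the report's IoC patterns, else None."""
    m = EVENT_RE.match(event)
    if not m:
        return None
    op, key, proc = m["op"], m["key"], m["proc"]
    val = (m["val"] or "").strip('"')
    low = key.lower()

    # Security Center service (wscsvc) taken off automatic start.
    if low.endswith("\\services\\wscsvc\\start") and val in (str(START_MANUAL), str(START_DISABLED)):
        return Finding("security_center_service_not_autostart", key, proc)
    # Run-key persistence; a 32-bit process on x64 lands under Wow6432Node, which the substring match covers.
    if op.startswith("Set value") and "\\currentversion\\run\\" in low:
        return Finding("run_key_persistence", key, proc)
    # Policy that hides the Security Center / Action Center tray icon.
    if low.endswith("\\policies\\explorer\\hidescahealth") and val == "1":
        return Finding("security_center_icon_hidden", key, proc)
    # Active Setup: creation of the Installed Components key itself (weak on its own, see the note above).
    if op == "Key created" and low.endswith("\\active setup\\installed components"):
        return Finding("active_setup_key_created", key, proc)
    return None


def scan(events):
    """All findings, in event order."""
    return [f for f in map(check, events) if f is not None]


def by_process(findings):
    """Group rule names by originating process, so sample activity separates from shell noise."""
    grouped: dict[str, list[str]] = {}
    for f in findings:
        grouped.setdefault(f.process, []).append(f.rule)
    return grouped


if __name__ == "__main__":
    for proc, rules in by_process(scan(EVENTS)).items():
        print(proc, rules)
```

Grouping by process is the point: three of the four findings come from the sample, while the Active Setup key creation is attributed to explorer.exe, which is why that signature should not be read as persistence by the sample without a component subkey that points at the payload.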
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe  (PID 2988)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe"
  signatures: Modifies security service; Loads dropped DLL; Adds Run key to start application; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
  |
  +-- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe  (PID 2952)
  |     command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe startC:\Users\Admin\AppData\Roaming\33302\04F62.exe%C:\Users\Admin\AppData\Roaming\33302
  |     signatures: System Location Discovery: System Language Discovery
  |
  +-- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe  (PID 2480)
  |     command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77e4a09f51ac15c49efe64f2ccf1ad3c.exe startC:\Program Files (x86)\02796\lvvm.exe%C:\Program Files (x86)\02796
  |     signatures: System Location Discovery: System Language Discovery
  |
  +-- C:\Program Files (x86)\LP\6263\426D.tmp  (PID 3004)
        command line: "C:\Program Files (x86)\LP\6263\426D.tmp"
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery

C:\Windows\system32\msiexec.exe  (PID 2540)
  command line: C:\Windows\system32\msiexec.exe /V
  signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\explorer.exe  (PID 876)
  command line: explorer.exe
  signatures: Boot or Logon Autostart Execution: Active Setup; Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

The main process relaunches itself twice with a start<path>%<directory> argument, naming C:\Users\Admin\AppData\Roaming\33302\04F62.exe and C:\Program Files (x86)\02796\lvvm.exe; neither path appears among the files created or modified in this report. msiexec.exe and explorer.exe are top-level processes, not descendants of the sample.
Network
MITRE ATT&CK Enterprise v15
  (the number after each entry is the count of matching signatures)

Persistence
  Boot or Logon Autostart Execution (T1547): 2
    Active Setup (T1547.014): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1

Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 2
    Active Setup (T1547.014): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1

Credential Access
  Credentials from Password Stores (T1555): 1
    Credentials from Web Browsers (T1555.003): 1
  Unsecured Credentials (T1552): 3
    Credentials In Files (T1552.001): 3
Downloads
  (artifacts captured during the run; the page lists sizes and hashes only, no paths or names)

  File 1
    Filesize:  996B
    MD5:       73f8d17edf14ee440b2eee26966c4370
    SHA1:      3cb776322def609f0016d1cce5b1230b961ac87d
    SHA256:    0fd1eb1ab2df2021c090b9dd2e26558f3cefc05d05b74bf7a6070a966bd34cd2
    SHA512:    29183fb516a13967164583da43280335fd884840cc3c52de87581ca9da0d4dbebad1b9a5bb370e9bc1eeffab64661bb30be653718b2215411944ef2f21892d88

  File 2
    Filesize:  1KB
    MD5:       d664d9f0e55c4b544e1717cde7ac824a
    SHA1:      3b8dac1ae406e601453059830169945f63796ab6
    SHA256:    ead84d9d11f60dd94482b611becacb3f90351104d29618ba31386e2f191c8d08
    SHA512:    e678850c0aa1f308fcb294a1a97d72d730c00a65fa595584274e13d02ec94ccd5b6da006cc85a7ed77215ef5327a332feee6cc14b8920bd007ac0eeade90f5b3

  File 3
    Filesize:  600B
    MD5:       34ea68419f7bad9d6f5a6381abbea3af
    SHA1:      73e087f8585ed27939a666eacc3cf8dcc4dd624a
    SHA256:    6c23dae539ebd996fc0d0508724e2436890842c80a875ed593f5a3845d5d4582
    SHA512:    4f48e7599bed2b2a7db8720122bc27482aa37a796145b345d8b6b863a5d7103c9a6b4897ac2da94ea72a21b7c2bef8ca53f8cb9d7c21ccef69e47b1ed1757b45

  File 4
    Filesize:  300B
    MD5:       2bb622e9863896d35d5d4acf4c9d0578
    SHA1:      87976febb8361c555a3c76cfa1e3089b0cfdcb08
    SHA256:    712debbda83ffaec882a4b21fac184fc587b0fd5c3c9c4f5e6eb7a183e92f72c
    SHA512:    66df51dca13d913d15ec5fbd7291097e75c6813110f4ef78936b879b29c1a5bd3c8ccfe6cdbf3a36597d7cc16f0ff6dcfb8e53a63466d1b58a5879156c135a6e

  File 5
    Filesize:  96KB
    MD5:       a26219a94cdad7b6977c8d8e8464c262
    SHA1:      41b54268d8f67973e640395f1940238e915e4521
    SHA256:    7acab258a6879bf9bb647ead7beb4d32e36334d16c49fc0642ac61cf25413866
    SHA512:    4cf35e7c7211a4fe7b210b70394a31a812f9663a516c9eb54c9c1b73acee18bd37fffe2abe54149e6b450b9adbbe89cff53a3ef1b1ff1a90d39d09b16de1d75d