Analysis

  • max time kernel
    140s
  • max time network
    96s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/01/2025, 16:45

General

  • Target

    JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe

  • Size

    287KB

  • MD5

    7c47715ffa011375f29adbb7100421ed

  • SHA1

    7033c78a800a6e523f0b40be126dcb63a6d118df

  • SHA256

    1e45b0c8a4d2e320ae2167178f260d7306220cc6396070856b3bfa98097eb2a8

  • SHA512

    28e3844d066247b31270c19b3694c5ba3897a770872f1f15250fb69029f96dcd9fbcfcb0f0420fad3e4708a8b31a78e872afac3125c73e8a4057224d25ad1c61

  • SSDEEP

    6144:Jlqp04HDzA6skiQUVwerZIKFGSNUXT0cI/kX1PABS4brjXMMc:j6zA6sxl9rZfGT0cOkX1os4bn

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 9 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
  • Pony family
  • Pony, Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1268
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe startC:\Users\Admin\AppData\Roaming\4D460\7997D.exe%C:\Users\Admin\AppData\Roaming\4D460
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2000
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe startC:\Program Files (x86)\60E2A\lvvm.exe%C:\Program Files (x86)\60E2A
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1704
    • C:\Program Files (x86)\LP\7D64\F7B7.tmp
      "C:\Program Files (x86)\LP\7D64\F7B7.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1948
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2480
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1988
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x584
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:932

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\4D460\0E2A.D46

    Filesize

    996B

    MD5

    d0d3373c017c6aac34e08b5cfbf997c6

    SHA1

    cbb4dce1adeb966a71f4c754b36d747dacb19516

    SHA256

    9e4cfe716508c0a6b6381ffc55dd8a5a35efbc405fe8a85e297d519679361a7d

    SHA512

    f301b2b55f54f4b003c6ad0042ff7e3bbbfb5c9b523115571f6832c37b088bfc7f8a86f940b03021710ab7629a5c4ef6631d0a3a77e23eafdc55c6ade17db891

  • C:\Users\Admin\AppData\Roaming\4D460\0E2A.D46

    Filesize

    600B

    MD5

    e2c9dc355e4607bd60dfb9fc52760205

    SHA1

    0b8780825f2b027e876315b6bf03564f9cdd6d44

    SHA256

    95fa8ef80b8a05d1cc17c173f33c1e526e87d5473e7fb498f875827c26ae824c

    SHA512

    9fe8dcb574d003f47c7df5536b238df8ee884413824243abac92ad4c81b8b49a4cec4204e8b31629784c75acc7a2d916e91dcf254f0c8867f30fa264dddb8b6e

  • C:\Users\Admin\AppData\Roaming\4D460\0E2A.D46

    Filesize

    1KB

    MD5

    9e16ee254b3c135d7e5a73a8cd976d1c

    SHA1

    f4854afadbc54512145bce61c57177759814960f

    SHA256

    a9304dc1e42e4bbad96d57829278d74862dc71cb59841cd82d3c6667472a4e34

    SHA512

    53f45ad36b7fe5c15b2b9ab551e77c9daed96652047d634d7eed64c91786c9fd13dd2dd492bee4c9b6060c3f2bd779b3a9275c28c319636c24f2525e83e9f52e

  • \Program Files (x86)\LP\7D64\F7B7.tmp

    Filesize

    102KB

    MD5

    57401a2069d022a5dc6ffee91de43906

    SHA1

    6e2850bde22f345739bf32031b2c2fb8850e0185

    SHA256

    9792c1645ecabeb90e2a61eb8a34ff0aa685eea55d61cbe47a667a3aca7e437b

    SHA512

    f4498f1ccf80bfd305f2b312e6e09b68271f1468cb3505120539bae7cf72a66609a5fcbd66ed5274fb466fa2c3dc13cf61f83ad3105303c333f19f696c3c96aa

  • memory/1268-1-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

  • memory/1268-3-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/1268-2-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/1268-166-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/1268-12-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

  • memory/1268-13-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/1268-294-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/1268-300-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/1704-165-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/1948-295-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

  • memory/2000-16-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/2000-15-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/2000-17-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB