Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
96s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
16/01/2025, 16:45
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe
Resource
win7-20241010-en
General
-
Target
JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe
-
Size
287KB
-
MD5
7c47715ffa011375f29adbb7100421ed
-
SHA1
7033c78a800a6e523f0b40be126dcb63a6d118df
-
SHA256
1e45b0c8a4d2e320ae2167178f260d7306220cc6396070856b3bfa98097eb2a8
-
SHA512
28e3844d066247b31270c19b3694c5ba3897a770872f1f15250fb69029f96dcd9fbcfcb0f0420fad3e4708a8b31a78e872afac3125c73e8a4057224d25ad1c61
-
SSDEEP
6144:Jlqp04HDzA6skiQUVwerZIKFGSNUXT0cI/kX1PABS4brjXMMc:j6zA6sxl9rZfGT0cOkX1os4bn
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 9 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral1/memory/1268-3-0x0000000000400000-0x000000000046B000-memory.dmp family_cycbot behavioral1/memory/1268-12-0x0000000000400000-0x0000000000468000-memory.dmp family_cycbot behavioral1/memory/1268-13-0x0000000000400000-0x000000000046B000-memory.dmp family_cycbot behavioral1/memory/2000-16-0x0000000000400000-0x000000000046B000-memory.dmp family_cycbot behavioral1/memory/2000-17-0x0000000000400000-0x000000000046B000-memory.dmp family_cycbot behavioral1/memory/1704-165-0x0000000000400000-0x000000000046B000-memory.dmp family_cycbot behavioral1/memory/1268-166-0x0000000000400000-0x000000000046B000-memory.dmp family_cycbot behavioral1/memory/1268-294-0x0000000000400000-0x000000000046B000-memory.dmp family_cycbot behavioral1/memory/1268-300-0x0000000000400000-0x000000000046B000-memory.dmp family_cycbot -
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe -
Pony family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
pid Process 1948 F7B7.tmp -
Loads dropped DLL 2 IoCs
pid Process 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\166.exe = "C:\\Program Files (x86)\\LP\\7D64\\166.exe" JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
resource yara_rule behavioral1/memory/1268-2-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/1268-3-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/1268-12-0x0000000000400000-0x0000000000468000-memory.dmp upx behavioral1/memory/1268-13-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/2000-16-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/2000-17-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/1704-165-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/1268-166-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/1268-294-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/1268-300-0x0000000000400000-0x000000000046B000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\LP\7D64\166.exe JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe File opened for modification C:\Program Files (x86)\LP\7D64\166.exe JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe File opened for modification C:\Program Files (x86)\LP\7D64\F7B7.tmp JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F7B7.tmp -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1988 explorer.exe -
Suspicious use of AdjustPrivilegeToken 19 IoCs
description pid Process Token: SeRestorePrivilege 2480 msiexec.exe Token: SeTakeOwnershipPrivilege 2480 msiexec.exe Token: SeSecurityPrivilege 2480 msiexec.exe Token: SeShutdownPrivilege 1988 explorer.exe Token: SeShutdownPrivilege 1988 explorer.exe Token: SeShutdownPrivilege 1988 explorer.exe Token: SeShutdownPrivilege 1988 explorer.exe Token: SeShutdownPrivilege 1988 explorer.exe Token: SeShutdownPrivilege 1988 explorer.exe Token: SeShutdownPrivilege 1988 explorer.exe Token: SeShutdownPrivilege 1988 explorer.exe Token: SeShutdownPrivilege 1988 explorer.exe Token: SeShutdownPrivilege 1988 explorer.exe Token: 33 932 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 932 AUDIODG.EXE Token: 33 932 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 932 AUDIODG.EXE Token: SeShutdownPrivilege 1988 explorer.exe Token: SeShutdownPrivilege 1988 explorer.exe -
Suspicious use of FindShellTrayWindow 28 IoCs
pid Process 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe 1988 explorer.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1268 wrote to memory of 2000 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe 30 PID 1268 wrote to memory of 2000 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe 30 PID 1268 wrote to memory of 2000 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe 30 PID 1268 wrote to memory of 2000 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe 30 PID 1268 wrote to memory of 1704 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe 32 PID 1268 wrote to memory of 1704 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe 32 PID 1268 wrote to memory of 1704 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe 32 PID 1268 wrote to memory of 1704 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe 32 PID 1268 wrote to memory of 1948 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe 36 PID 1268 wrote to memory of 1948 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe 36 PID 1268 wrote to memory of 1948 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe 36 PID 1268 wrote to memory of 1948 1268 JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe 36 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1268 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe startC:\Users\Admin\AppData\Roaming\4D460\7997D.exe%C:\Users\Admin\AppData\Roaming\4D4602⤵
- System Location Discovery: System Language Discovery
PID:2000
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c47715ffa011375f29adbb7100421ed.exe startC:\Program Files (x86)\60E2A\lvvm.exe%C:\Program Files (x86)\60E2A2⤵
- System Location Discovery: System Language Discovery
PID:1704
-
-
C:\Program Files (x86)\LP\7D64\F7B7.tmp"C:\Program Files (x86)\LP\7D64\F7B7.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1948
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2480
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1988
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5841⤵
- Suspicious use of AdjustPrivilegeToken
PID:932
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
996B
MD5d0d3373c017c6aac34e08b5cfbf997c6
SHA1cbb4dce1adeb966a71f4c754b36d747dacb19516
SHA2569e4cfe716508c0a6b6381ffc55dd8a5a35efbc405fe8a85e297d519679361a7d
SHA512f301b2b55f54f4b003c6ad0042ff7e3bbbfb5c9b523115571f6832c37b088bfc7f8a86f940b03021710ab7629a5c4ef6631d0a3a77e23eafdc55c6ade17db891
-
Filesize
600B
MD5e2c9dc355e4607bd60dfb9fc52760205
SHA10b8780825f2b027e876315b6bf03564f9cdd6d44
SHA25695fa8ef80b8a05d1cc17c173f33c1e526e87d5473e7fb498f875827c26ae824c
SHA5129fe8dcb574d003f47c7df5536b238df8ee884413824243abac92ad4c81b8b49a4cec4204e8b31629784c75acc7a2d916e91dcf254f0c8867f30fa264dddb8b6e
-
Filesize
1KB
MD59e16ee254b3c135d7e5a73a8cd976d1c
SHA1f4854afadbc54512145bce61c57177759814960f
SHA256a9304dc1e42e4bbad96d57829278d74862dc71cb59841cd82d3c6667472a4e34
SHA51253f45ad36b7fe5c15b2b9ab551e77c9daed96652047d634d7eed64c91786c9fd13dd2dd492bee4c9b6060c3f2bd779b3a9275c28c319636c24f2525e83e9f52e
-
Filesize
102KB
MD557401a2069d022a5dc6ffee91de43906
SHA16e2850bde22f345739bf32031b2c2fb8850e0185
SHA2569792c1645ecabeb90e2a61eb8a34ff0aa685eea55d61cbe47a667a3aca7e437b
SHA512f4498f1ccf80bfd305f2b312e6e09b68271f1468cb3505120539bae7cf72a66609a5fcbd66ed5274fb466fa2c3dc13cf61f83ad3105303c333f19f696c3c96aa