Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
17/01/2025, 08:16 UTC
General
-
Target
JaffaCakes118_861b58ac92718610c177f44d18c6a2d6.exe
-
Size
284KB
-
MD5
861b58ac92718610c177f44d18c6a2d6
-
SHA1
a2b83c976d9eae9ce692a20c02a46324ae1dc58d
-
SHA256
104debcaa328428ff321b474b144344af6af19495a3cfe5e9e9bd1921e2a8438
-
SHA512
7c2f53701425b0ce90a7dc3cb63f51e1436f934af6dc69401e3f1706a6048014effd207fc1fe57a4c8f2f11d41c59557d54ad33c084039267e3008afc5a9bbae
-
SSDEEP
6144:GSliSmk/UN/HNn/s9FPSSdEnAh0QgL91b5r10xUpBCySeK3kc:GeLmKoWZ5EnDL9q
Score
10/10
Malware Config
Signatures
-
Cycbot
Cycbot is a backdoor and trojan written in C++..
-
Cycbot family
-
Detects Cycbot payload 7 IoCs
Cycbot is a backdoor and trojan written in C++.
-
Modifies security service 2 TTPs 1 IoCs
-
Pony family
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
UPX packed file 11 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_861b58ac92718610c177f44d18c6a2d6.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_861b58ac92718610c177f44d18c6a2d6.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_861b58ac92718610c177f44d18c6a2d6.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_861b58ac92718610c177f44d18c6a2d6.exe startC:\Users\Admin\AppData\Roaming\2C562\9BEB1.exe%C:\Users\Admin\AppData\Roaming\2C5622⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_861b58ac92718610c177f44d18c6a2d6.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_861b58ac92718610c177f44d18c6a2d6.exe startC:\Program Files (x86)\6282C\lvvm.exe%C:\Program Files (x86)\6282C2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\LP\B1D2\4C8A.tmp"C:\Program Files (x86)\LP\B1D2\4C8A.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
-
DNScrl.microsoft.comRemote address:8.8.8.8:53Requestcrl.microsoft.comIN AResponsecrl.microsoft.comIN CNAMEcrl.www.ms.akadns.netcrl.www.ms.akadns.netIN CNAMEa1363.dscg.akamai.neta1363.dscg.akamai.netIN A2.19.252.157a1363.dscg.akamai.netIN A2.19.252.132 -
GEThttp://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crlRemote address:2.19.252.157:80RequestGET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 26 Sep 2024 02:21:11 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
ResponseHTTP/1.1 200 OK
Content-Length: 1036
Content-Type: application/octet-stream
Content-MD5: +oTkvMkqpdtzWrUHEQQM3g==
Last-Modified: Thu, 12 Dec 2024 00:06:56 GMT
ETag: 0x8DD1A40E476D877
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 4de8ec0b-c01e-0047-3936-4c3cb1000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Fri, 17 Jan 2025 08:17:02 GMT
Connection: keep-alive
-
DNSwww.microsoft.comRemote address:8.8.8.8:53Requestwww.microsoft.comIN AResponsewww.microsoft.comIN CNAMEwww.microsoft.com-c-3.edgekey.netwww.microsoft.com-c-3.edgekey.netIN CNAMEwww.microsoft.com-c-3.edgekey.net.globalredir.akadns.netwww.microsoft.com-c-3.edgekey.net.globalredir.akadns.netIN CNAMEe13678.dscb.akamaiedge.nete13678.dscb.akamaiedge.netIN A95.100.245.144
-
GEThttp://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crlRemote address:95.100.245.144:80RequestGET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.microsoft.com
ResponseHTTP/1.1 200 OK
Content-Length: 1078
Content-Type: application/octet-stream
Content-MD5: HqJzZuA065RHozzmOcAUiQ==
Last-Modified: Tue, 14 Jan 2025 20:41:31 GMT
ETag: 0x8DD34DBD43549F4
x-ms-request-id: 520653ca-301e-006c-42ca-66bc7d000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Fri, 17 Jan 2025 08:17:02 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCVd76cdcdb.0
ms-cv-esi: CASMicrosoftCVd76cdcdb.0
X-RTag: RT
-
DNScsc3-2004-crl.verisign.comRemote address:8.8.8.8:53Requestcsc3-2004-crl.verisign.comIN AResponse
-
DNSalleducationalsoftware.comRemote address:8.8.8.8:53Requestalleducationalsoftware.comIN AResponse
-
DNSouwm0l-v.hoststorageforyou.comRemote address:8.8.8.8:53Requestouwm0l-v.hoststorageforyou.comIN AResponse
-
DNSp3upmcxhoo.wwwmediahosts.comRemote address:8.8.8.8:53Requestp3upmcxhoo.wwwmediahosts.comIN AResponse
-
DNSp3upmcxhoo.wwwmediahosts.comRemote address:8.8.8.8:53Requestp3upmcxhoo.wwwmediahosts.comIN A
-
DNSor6rgt.hoststorageforyou.comRemote address:8.8.8.8:53Requestor6rgt.hoststorageforyou.comIN AResponse
-
DNS-dgif5q.hoststorageforyou.comRemote address:8.8.8.8:53Request-dgif5q.hoststorageforyou.comIN AResponse
-
DNSTRANSERSDATAFORME.COMRemote address:8.8.8.8:53RequestTRANSERSDATAFORME.COMIN AResponse
-
DNSwww.google.comRemote address:8.8.8.8:53Requestwww.google.comIN AResponsewww.google.comIN A142.250.187.196
-
GEThttp://www.google.com/Remote address:142.250.187.196:80RequestGET / HTTP/1.0
Connection: close
Host: www.google.com
Accept: */*
ResponseHTTP/1.0 302 Found
Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGL2kqLwGIjDQPb3vvB9YrfIWeDkDT3hfAtGkqs9FC-0eeIT9h4ofZPVp1Ca393CglFHhwN6068MyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
x-hallmonitor-challenge: CgwIvaSovAYQurfUmwESBLXXsFM
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-OLCN9CZ8oqSG13BWqEKedg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Fri, 17 Jan 2025 08:18:05 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-Uc_ePhcmLf7Kl7J2oHIcVNsaLIjFEgmX4EzE3rTRH7Bc7zGO6O9A; expires=Wed, 16-Jul-2025 08:18:05 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
-
GEThttp://www.google.com/Remote address:142.250.187.196:80RequestGET / HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com
ResponseHTTP/1.1 302 Found
Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGL2kqLwGIjDQPb3vvB9YrfIWeDkDT3hfAtGkqs9FC-0eeIT9h4ofZPVp1Ca393CglFHhwN6068MyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
x-hallmonitor-challenge: CgwIvaSovAYQ4L75zwISBLXXsFM
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-vFZOnQUGEnonFQ5VwfLCbg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Fri, 17 Jan 2025 08:18:05 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-VQxcU07ajd7RN5I-G5fDOARnsiDFlodLRQwB0Pm8GdPvyOTWDkOg0; expires=Wed, 16-Jul-2025 08:18:05 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Connection: close
-
GEThttp://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGL2kqLwGIjDQPb3vvB9YrfIWeDkDT3hfAtGkqs9FC-0eeIT9h4ofZPVp1Ca393CglFHhwN6068MyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMRemote address:142.250.187.196:80RequestGET /sorry/index?continue=http://www.google.com/&q=EgS117BTGL2kqLwGIjDQPb3vvB9YrfIWeDkDT3hfAtGkqs9FC-0eeIT9h4ofZPVp1Ca393CglFHhwN6068MyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com
ResponseHTTP/1.1 429 Too Many Requests
Date: Fri, 17 Jan 2025 08:18:05 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
Server: HTTP server (unknown)
Content-Length: 3086
X-XSS-Protection: 0
Connection: close
-
2.19.252.157:80http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crlhttp
HTTP Request
GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crlHTTP Response
200 -
95.100.245.144:80http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crlhttp
HTTP Request
GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crlHTTP Response
200 -
127.0.0.1:54626 -
127.0.0.1:54626
-
127.0.0.1:54626
-
127.0.0.1:54626
-
127.0.0.1:54626
-
127.0.0.1:54626
-
127.0.0.1:54626
-
127.0.0.1:54626
-
127.0.0.1:54626
-
127.0.0.1:54626
-
127.0.0.1:54626
-
127.0.0.1:54626
-
127.0.0.1:54626
-
127.0.0.1:54626
-
127.0.0.1:54626
-
127.0.0.1:54626
-
127.0.0.1:54626
-
142.250.187.196:80http://www.google.com/http
HTTP Request
GET http://www.google.com/HTTP Response
302 -
142.250.187.196:80http://www.google.com/http
HTTP Request
GET http://www.google.com/HTTP Response
302 -
127.0.0.1:54626
-
127.0.0.1:54626
-
142.250.187.196:80http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGL2kqLwGIjDQPb3vvB9YrfIWeDkDT3hfAtGkqs9FC-0eeIT9h4ofZPVp1Ca393CglFHhwN6068MyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMhttp
HTTP Request
GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGL2kqLwGIjDQPb3vvB9YrfIWeDkDT3hfAtGkqs9FC-0eeIT9h4ofZPVp1Ca393CglFHhwN6068MyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMHTTP Response
429
-
8.8.8.8:53crl.microsoft.comdns
DNS Request
crl.microsoft.com
DNS Response
2.19.252.1572.19.252.132
-
8.8.8.8:53www.microsoft.comdns
DNS Request
www.microsoft.com
DNS Response
95.100.245.144
-
8.8.8.8:53csc3-2004-crl.verisign.comdns
DNS Request
csc3-2004-crl.verisign.com
-
8.8.8.8:53alleducationalsoftware.comdns
DNS Request
alleducationalsoftware.com
-
8.8.8.8:53ouwm0l-v.hoststorageforyou.comdns
DNS Request
ouwm0l-v.hoststorageforyou.com
-
8.8.8.8:53p3upmcxhoo.wwwmediahosts.comdns
DNS Request
p3upmcxhoo.wwwmediahosts.com
DNS Request
p3upmcxhoo.wwwmediahosts.com
-
8.8.8.8:53or6rgt.hoststorageforyou.comdns
DNS Request
or6rgt.hoststorageforyou.com
-
8.8.8.8:53-dgif5q.hoststorageforyou.comdns
DNS Request
-dgif5q.hoststorageforyou.com
-
8.8.8.8:53TRANSERSDATAFORME.COMdns
DNS Request
TRANSERSDATAFORME.COM
-
8.8.8.8:53www.google.comdns
DNS Request
www.google.com
DNS Response
142.250.187.196
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
996B
MD57d16b182978a99308267e12fe1d42028
SHA1d3c371dc9a43e99da08f632612617ea14bb28916
SHA256641dc18be12d5ca581e7182cc63d145fe82dcecc6f3efe4985cebeb1e7d9bd64
SHA512b006591102eb1a0f0266204c3c3b119c58e99c6e18c8edb7239991ca88d91f60b3422e239bca5706322b11023123d740d664ac471524478cebf2e86c4ac016a2
-
Filesize
600B
MD586af102e6bc6ae0de502b58b7a410168
SHA1005e7707705f70041a85574a033962b3bcc6fcdf
SHA2567a1377b9857fc22252a83066992a9b811283f3f323f7a0f9e305a9b283201ca9
SHA512f45cbc74a52ff4e669bdb77f40c5b60625f309219f81fdee7b5a20ebe115d89fa403981d5cca601307862ebea04a6c04657ef0acacd22acf8e880f532e7465d3
-
Filesize
100KB
MD550777c38a35804872660aa71c7eb52d2
SHA1c94bdd4378d0e9f0bb2a71edca520bd49251a7aa
SHA25644761b2153a01f2cd930d6b87fc3e2ba09e8940e4d096b556e99c74f26938faa
SHA5120beaa0e126af6adab4867e40fbfe554b829a769bd22af5aad1cfe5f63d569c16c2a003d7b98724efdf8fe255b6c8b124487c999db70c2012ba68faa130fa9ce4
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
416KB
-
Filesize
424KB
-
Filesize
416KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB