Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/01/2025, 12:55

General

  • Target

    JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe

  • Size

    1.9MB

  • MD5

    8c450ef4b459456b4b037dbb321619a5

  • SHA1

    3a84b8c946a16accb03cb173c87ab465fbbd1194

  • SHA256

    4e398a335174371bee9882621b81bef435d9b8c013bd934b9f2f956703b8c7be

  • SHA512

    8a11f93a2bf39272c7e768ff636a36a4faa2d424aad6588b59d188355e23627a2107fb58f77f5520caeed48138b0683d6397951426c6e0aaedcae42c6986558e

  • SSDEEP

    49152:ydOjNXMu8VaWg/IbwsYRxUGXET3pbjX6JyytOdsi3:IOjtMaWZUxUfT35X06si

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 7 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
  • Pony family
  • Pony, Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 14 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 2 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 35 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Users\Admin\AppData\Local\Temp\dwme.exe
      "C:\Users\Admin\AppData\Local\Temp\dwme.exe"
      2⤵
      • Modifies security service
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2740
      • C:\Users\Admin\AppData\Local\Temp\dwme.exe
        C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Users\Admin\AppData\Roaming\A9146\7D81A.exe%C:\Users\Admin\AppData\Roaming\A9146
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1728
      • C:\Users\Admin\AppData\Local\Temp\dwme.exe
        C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Program Files (x86)\464C9\lvvm.exe%C:\Program Files (x86)\464C9
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:308
      • C:\Program Files (x86)\LP\1A3A\7EF0.tmp
        "C:\Program Files (x86)\LP\1A3A\7EF0.tmp"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2808
    • C:\Users\Admin\AppData\Roaming\dwme.exe
      C:\Users\Admin\AppData\Roaming\dwme.exe auto
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2704
    • C:\Windows\SysWOW64\Cloud AV 2012v121.exe
      C:\Windows\system32\Cloud AV 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Users\Admin\AppData\Roaming\gS2ibF3pn5Q6W7R\Cloud AV 2012v121.exe
        C:\Users\Admin\AppData\Roaming\gS2ibF3pn5Q6W7R\Cloud AV 2012v121.exe 5985C:\Windows\SysWOW64\Cloud AV 2012v121.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:2596
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2348
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2072

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\A9146\64C9.914

    Filesize

    300B

    MD5

    79fc18557d026ab468892c6106633ad4

    SHA1

    8786bd927c5f97c44f776a29efa8300a3ee3e03e

    SHA256

    af53c8b9634fda741431ba598511f095c3c520a9529da103370a10ad0194c3b5

    SHA512

    84a4233efd7be69570f068a8ee5896208c2578c99a1683f711e68ce4f612f6d455b2e89618fe9dd6e3f91c1da68589e024f1307c27d19ff9febc814dee3ae85d

  • C:\Users\Admin\AppData\Roaming\A9146\64C9.914

    Filesize

    696B

    MD5

    4f6dc49499df64dd6599a5723703b523

    SHA1

    8d095b6055fb96c9ee7f042ffb9d232aa8e6a6a5

    SHA256

    31b194134661f88549b2263a80f07e9cd7b24e5be7488a9260cf5590d9855b22

    SHA512

    77709fd8a9b427174ec03fb1a1c5600d9d56f0a08c110c32042374452da17f599355c3c7cdbb395b028686b02f7f9e0688ebd6ceddbb30de99f809e79b4112fd

  • C:\Users\Admin\AppData\Roaming\A9146\64C9.914

    Filesize

    1KB

    MD5

    42bf2dcb117bb0d85c775016e00330c6

    SHA1

    5137088ccc567320055693e9ce107797efa3aeb7

    SHA256

    297f60ed99994647ebe5c714bda74d7a547db207367bf35ab4e924680ca27a6d

    SHA512

    fd36c2cbba246e4f16c33b093f6b37654aef157481892d4031c81e1ae7172a981fcc786627b95efd4bd6f7460beb40e7a9bdacc611c61a87975f81915890d5dc

  • C:\Users\Admin\AppData\Roaming\A9146\64C9.914

    Filesize

    1KB

    MD5

    4dd5188bb5a743ecd187397cbc4deff2

    SHA1

    95f7b1659bc5d9a28a8535efeb9f828831a77eba

    SHA256

    ebc1e0d2a5d2ddd2468ba277701e869a1d9c3f57ac7013bbc8ae5879010c3bc9

    SHA512

    9b58bbf9a8722096b50781b6a70fb60f3e803d227d452f2519fbbd534626d6e613d1b33ac1852dc8f706a01d197b7e5b587c4ae4a8fa8f5d22953fc13ac7f2a9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cloud AV 2012\Cloud AV 2012.lnk

    Filesize

    1KB

    MD5

    c46896dabbedb7001bc7f8b129368826

    SHA1

    ccb3bfdd216e26b542d76243ce16dd8a19963f99

    SHA256

    f8a1a2fb3288bda49c7fdb347bf66b756e471dd3047883c60f6076171b4169e2

    SHA512

    1da3516f4d64b8ada0b381e88bf92a586010ace14ffc6f5f9991be67c83a59b4e65ef62fa9003e384c25751e6bb012bd6a1c00ddfea4952200a6263178e2d70e

  • C:\Users\Admin\AppData\Roaming\ahst.lni

    Filesize

    1KB

    MD5

    832714f96516cf127eeccbc92937c0bb

    SHA1

    ad7aef128242e0ff0d1b91e984d87fcea41cf07e

    SHA256

    4af5eff1f446f1d6a4f7bbcb3ad39b6dcf76bbede7819deb4f13822733f99506

    SHA512

    9a5649f2aa84344465905eebcc8f300f01690217971eae91548b023c70e3cc0bb1a02d4fe6bea48be7c86d78d7e29e08db99e12454b2eb9f3e045e9a4a883413

  • C:\Users\Admin\AppData\Roaming\w5sQJ6dEKf\Cloud AV 2012.ico

    Filesize

    12KB

    MD5

    bb87f71a6e7f979fcb716926d452b6a8

    SHA1

    f41e3389760eaea099720e980e599a160f0413b9

    SHA256

    14c9c49d8ead9ab59a56c328008f59c20b32c3ad22c00e02d34e16ad7086fe84

    SHA512

    e1d14363274e367ea600afc357d012233fc68f0636e8d05b29992e762d31e9a55b4fa38b08613c2ca528d7fb0f547774a3a3dc79aada32c2c7359c3edcdb549d

  • C:\Users\Admin\Desktop\Cloud AV 2012.lnk

    Filesize

    1KB

    MD5

    48720c52fe63052e0944e22a0fb4decc

    SHA1

    0493a546116713e9fc73d99a055508bddd1a971f

    SHA256

    9bf143f08bd5438cb8a6d55b49a3216f948abfaf427a72946b0c4754e36bd832

    SHA512

    ca94814a81804064e764f960dd40294609f13207b01bcff81609f3953b0b20e816dfde753c4488ce2b7a475e722568646e6651ae587f07e1d6c2f7fb93f4c97e

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    1KB

    MD5

    da92c10d26caf9083835ea4e9c9d39d9

    SHA1

    5248b4965b5b3aeca5dd12f59dcae26d0186b052

    SHA256

    ccf1bd93891bb2e22540ef9baf3acc2e7a30c46054cb12b08567a43ac3fdc8ae

    SHA512

    28e848434bba3facc9a92a9d6fdfc1257261d01a818ef389db3b37c0103451d51c62efa6ac41453f42de22e685d7f55d00405a63dec8dd2928e856fb18becff5

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    1KB

    MD5

    f48cfb5db32cdf990f35a5ef9146dbf4

    SHA1

    09b4f991e17aba915160f6c153c6d78e2d4aa4d9

    SHA256

    72439cac78aae2122ddea93a12f562ea85c9fb909bef25cae982480a2d51f397

    SHA512

    385c74297ee70bdce1cf2dbcafd95e1d96f1b9ffd0fac713d614f84b9d02c28359276434ea164082ae46b312f40dd9911a27526df2ef3613118a0efc9271d301

  • \Program Files (x86)\LP\1A3A\7EF0.tmp

    Filesize

    99KB

    MD5

    ac9682380b3c94ffe32d0aca1a53d53e

    SHA1

    7c1485c7d2720d433306ff5c86fd944331bc4447

    SHA256

    cd0e4cd89551d243fd1365950d28470d56a09f29e834d13288f6ca1aff4c1626

    SHA512

    978eaa0bfd1c62d4e7eaac0470ed29dfcc683aef8b087fbd76caf1218d700010d1bb2ae1d155811665e52c842326bef1779d082161b72c8c25c8e6167ea12eb9

  • \Users\Admin\AppData\Local\Temp\dwme.exe

    Filesize

    279KB

    MD5

    c97ff984c8643e9a8404592683cd7162

    SHA1

    9f0e2724d047c794b4457fb799cc6e96438a7292

    SHA256

    1c5529c199a8a1744246396812a2e90c847ca78a6a438592010fe1b0573fdf32

    SHA512

    f18481023fc45bc8618dd2aa481d806d1c799b5a635ed2ad64be0ed3f26470330973bfa04a56349f8cc473761bab1ea1780d07c7d77b5895b4aef0219e7a4bf6

  • \Windows\SysWOW64\Cloud AV 2012v121.exe

    Filesize

    1.9MB

    MD5

    8c450ef4b459456b4b037dbb321619a5

    SHA1

    3a84b8c946a16accb03cb173c87ab465fbbd1194

    SHA256

    4e398a335174371bee9882621b81bef435d9b8c013bd934b9f2f956703b8c7be

    SHA512

    8a11f93a2bf39272c7e768ff636a36a4faa2d424aad6588b59d188355e23627a2107fb58f77f5520caeed48138b0683d6397951426c6e0aaedcae42c6986558e

  • memory/308-221-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/1728-152-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/2168-28-0x0000000000400000-0x0000000000914000-memory.dmp

    Filesize

    5.1MB

  • memory/2168-0-0x0000000002DD0000-0x00000000031E5000-memory.dmp

    Filesize

    4.1MB

  • memory/2168-139-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

  • memory/2168-26-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

  • memory/2168-1-0x0000000000400000-0x0000000000914000-memory.dmp

    Filesize

    5.1MB

  • memory/2168-2-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

  • memory/2596-155-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

  • memory/2596-327-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

  • memory/2596-224-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

  • memory/2596-43-0x0000000002B60000-0x0000000002F75000-memory.dmp

    Filesize

    4.1MB

  • memory/2596-337-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

  • memory/2596-308-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

  • memory/2704-41-0x00000000021D0000-0x00000000022D0000-memory.dmp

    Filesize

    1024KB

  • memory/2704-42-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/2740-387-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/2740-319-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/2740-148-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/2740-217-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/2808-324-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/2812-39-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

  • memory/2812-29-0x0000000002E30000-0x0000000003245000-memory.dmp

    Filesize

    4.1MB