Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 140s
- max time network: 102s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 19/01/2025, 01:24
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_b988d6975230394f5f615aee46d214c3.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_b988d6975230394f5f615aee46d214c3.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_b988d6975230394f5f615aee46d214c3.exe
- Size: 286KB
- MD5: b988d6975230394f5f615aee46d214c3
- SHA1: 572c0364bec0440b6f71ef188fd5031b7b84fcb5
- SHA256: 2723e872db2fb6029f0ebe3ace179c81e2f0bea3d308b2ccf5f36e05a268156c
- SHA512: c4c77e4b495d929e58f584b189737b701e369fa34e8abd2dcc25f64d931cd84c761596819c84c91c07374429014d737cd64573caf0bff678b34c8af440258a6e
- SSDEEP: 6144:USg71Q2N/XQiFDpqcElFvVz+cXsPA6WGCQqVLiPkR+wWq0zf:USr2FgOqcKFNz1KdCQOLiPfq0
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (8 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource / yara_rule:
  - behavioral1/memory/2608-3-0x0000000000400000-0x000000000046B000-memory.dmp: family_cycbot
  - behavioral1/memory/2608-12-0x0000000000400000-0x0000000000468000-memory.dmp: family_cycbot
  - behavioral1/memory/2608-13-0x0000000000400000-0x000000000046B000-memory.dmp: family_cycbot
  - behavioral1/memory/1992-17-0x0000000000400000-0x000000000046B000-memory.dmp: family_cycbot
  - behavioral1/memory/792-124-0x0000000000400000-0x000000000046B000-memory.dmp: family_cycbot
  - behavioral1/memory/2608-167-0x0000000000400000-0x000000000046B000-memory.dmp: family_cycbot
  - behavioral1/memory/2608-303-0x0000000000400000-0x000000000046B000-memory.dmp: family_cycbot
  - behavioral1/memory/2608-309-0x0000000000400000-0x000000000046B000-memory.dmp: family_cycbot
- Modifies security service (2 TTPs, 1 IoCs)
  description / ioc / Process:
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" (JaffaCakes118_b988d6975230394f5f615aee46d214c3.exe)
- Pony family
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoCs)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description / ioc / Process:
  - Key created: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Active Setup\Installed Components (explorer.exe)
- Disables taskbar notifications via registry modification
- Executes dropped EXE (1 IoCs)
  pid / Process:
  - 2624 F779.tmp
- Loads dropped DLL (2 IoCs)
  pid / Process:
  - 2608 JaffaCakes118_b988d6975230394f5f615aee46d214c3.exe
  - 2608 JaffaCakes118_b988d6975230394f5f615aee46d214c3.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Unsecured Credentials: Credentials In Files (1 TTPs)
  Steal credentials from unsecured files.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description / ioc / Process:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\98E.exe = "C:\\Program Files (x86)\\LP\\BEFD\\98E.exe" (JaffaCakes118_b988d6975230394f5f615aee46d214c3.exe)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- yara rule: upx
  resource / yara_rule:
  - behavioral1/memory/2608-2-0x0000000000400000-0x000000000046B000-memory.dmp: upx
  - behavioral1/memory/2608-3-0x0000000000400000-0x000000000046B000-memory.dmp: upx
  - behavioral1/memory/2608-12-0x0000000000400000-0x0000000000468000-memory.dmp: upx
  - behavioral1/memory/2608-13-0x0000000000400000-0x000000000046B000-memory.dmp: upx
  - behavioral1/memory/1992-17-0x0000000000400000-0x000000000046B000-memory.dmp: upx
  - behavioral1/memory/792-124-0x0000000000400000-0x000000000046B000-memory.dmp: upx
  - behavioral1/memory/2608-167-0x0000000000400000-0x000000000046B000-memory.dmp: upx
  - behavioral1/memory/2608-303-0x0000000000400000-0x000000000046B000-memory.dmp: upx
  - behavioral1/memory/2608-309-0x0000000000400000-0x000000000046B000-memory.dmp: upx
- Drops file in Program Files directory (3 IoCs)
  description / ioc / Process:
  - File created: C:\Program Files (x86)\LP\BEFD\98E.exe (JaffaCakes118_b988d6975230394f5f615aee46d214c3.exe)
  - File opened for modification: C:\Program Files (x86)\LP\BEFD\F779.tmp (JaffaCakes118_b988d6975230394f5f615aee46d214c3.exe)
  - File opened for modification: C:\Program Files (x86)\LP\BEFD\98E.exe (JaffaCakes118_b988d6975230394f5f615aee46d214c3.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_b988d6975230394f5f615aee46d214c3.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_b988d6975230394f5f615aee46d214c3.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_b988d6975230394f5f615aee46d214c3.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (F779.tmp)
- Modifies registry class (5 IoCs)
  description / ioc / Process:
  - Key created: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (explorer.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (explorer.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings (explorer.exe)
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid / Process:
  - 2608 JaffaCakes118_b988d6975230394f5f615aee46d214c3.exe (14 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid / Process:
  - 1104 explorer.exe
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  description / pid / Process:
  - Token: SeRestorePrivilege, 1660 msiexec.exe
  - Token: SeTakeOwnershipPrivilege, 1660 msiexec.exe
  - Token: SeSecurityPrivilege, 1660 msiexec.exe
  - Token: SeShutdownPrivilege, 1104 explorer.exe (12 entries)
  - Token: 33, 1580 AUDIODG.EXE (2 entries)
  - Token: SeIncBasePriorityPrivilege, 1580 AUDIODG.EXE (2 entries)
- Suspicious use of FindShellTrayWindow (29 IoCs)
  pid / Process:
  - 1104 explorer.exe (29 entries)
- Suspicious use of SendNotifyMessage (19 IoCs)
  pid / Process:
  - 1104 explorer.exe (19 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / Process / procid_target:
  - PID 2608 wrote to memory of 1992, 2608 JaffaCakes118_b988d6975230394f5f615aee46d214c3.exe, procid_target 30 (4 entries)
  - PID 2608 wrote to memory of 792, 2608 JaffaCakes118_b988d6975230394f5f615aee46d214c3.exe, procid_target 32 (4 entries)
  - PID 2608 wrote to memory of 2624, 2608 JaffaCakes118_b988d6975230394f5f615aee46d214c3.exe, procid_target 36 (4 entries)
- System policy modification (1 TTPs, 2 IoCs)
  description / ioc / Process:
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" (JaffaCakes118_b988d6975230394f5f615aee46d214c3.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (JaffaCakes118_b988d6975230394f5f615aee46d214c3.exe)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b988d6975230394f5f615aee46d214c3.exe (PID 2608)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b988d6975230394f5f615aee46d214c3.exe"
  - Modifies security service
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - Child: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b988d6975230394f5f615aee46d214c3.exe (PID 1992)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b988d6975230394f5f615aee46d214c3.exe startC:\Users\Admin\AppData\Roaming\DE11F\36DBE.exe%C:\Users\Admin\AppData\Roaming\DE11F
    - System Location Discovery: System Language Discovery
  - Child: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b988d6975230394f5f615aee46d214c3.exe (PID 792)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b988d6975230394f5f615aee46d214c3.exe startC:\Program Files (x86)\1FB29\lvvm.exe%C:\Program Files (x86)\1FB29
    - System Location Discovery: System Language Discovery
  - Child: C:\Program Files (x86)\LP\BEFD\F779.tmp (PID 2624)
    Command line: "C:\Program Files (x86)\LP\BEFD\F779.tmp"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
- C:\Windows\system32\msiexec.exe (PID 1660)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe (PID 1104)
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\system32\AUDIODG.EXE (PID 1580)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x5ac
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 2
  - Active Setup: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 1
  - Windows Service: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 2
  - Active Setup: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 1
  - Windows Service: 1
Credential Access
- Credentials from Password Stores: 1
  - Credentials from Web Browsers: 1
- Unsecured Credentials: 3
  - Credentials In Files: 3
Downloads
- Filesize: 996B
  MD5: 408db9bed7b46fe9f6c4c4b9d44c6b6e
  SHA1: c58eeec458609db58bc2ada9e3544f0e58cf6e15
  SHA256: 8d97e3606a794a110c9feff6aa3c4430f72cca474a9455f13201f959acdb33fb
  SHA512: 7187113045a16bff5c82cdc961f80522ff0b9af065f95f3f7eaf80594a127f7ee26ee825bcd54b49e8d2e30643fcc44c596b967049ccd8ff4030885547586034
- Filesize: 600B
  MD5: 6488ec58a1f19997884ccd65f3a7484d
  SHA1: 365cc5b412c6f7c24a4cf4ce982779ed5f4ff1f4
  SHA256: 563e3ad3cb7f8b68b69a0ede24af9f3b0c8edcdc9cdc42af74ba4fe191312cc6
  SHA512: ebca39813b149ad2fc90fed166ce5772e9b6cf40d4965ddd7186cfcfccbe457b310a083c0c975304b6ab874064f3c443792247dab2f293917a64debc32949708
- Filesize: 1KB
  MD5: 69aa7acd6560f1c94ade62e10234f79f
  SHA1: 5f43aa0c9aa0d604d5ce2a71061d933e9f1b8920
  SHA256: 2c4360474c106ee2a21285a709b3048b003a6e05b6cfb76fc1071ffacb6a1209
  SHA512: bb6fa1c7990cf1780f666e892fbc7de690e56e55da78e14074e6e195d4d64186f47f2c15850a627e0feae8ec9f7307e0f306a59f2075fdfedab8cf845cabd8f1
- Filesize: 100KB
  MD5: 2c654a4257f5fd0796617d4a636f041c
  SHA1: ccdc54ed5b229ec785d3ac4004772cdfd2e5710d
  SHA256: b57439b30156b8271d8bb19ca30e5ebad4f9b0667683061a48658fa5ee4f2e2a
  SHA512: d3a61a5688e583c08d3fc40316856f8fb84269515dc81fa3ed14a05e97f6c52e3abdf75f8355ad22255e0b774361f72cb155b9beec8a9db0385d60a380faa919