Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19/01/2025, 05:54
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe
-
Size
276KB
-
MD5
bf3d1da540c6a1ef116ea71b32fb9b13
-
SHA1
2e3788bd4b66efcaa9885bfc1b549a4ab059682e
-
SHA256
293887a9bb8213ea8a1cb57c91d9ddf815c5e94b53e9ac7dea9276dc562a3ef9
-
SHA512
0639fff6732efe44cfd6b0f4eab6146a2580a7ab48bd4048f04fe34bcd71825901fb4fc2bc0c9562e453414a92b953414a0968bd04045931d6d50b6f724f3b15
-
SSDEEP
6144:jajFNKSFgtgBhuNe240x0SpO5OT5ARcAZDNMUY:+NfFgyCP0SSOyc2s
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 6 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral1/memory/1852-11-0x0000000000400000-0x0000000000469000-memory.dmp family_cycbot behavioral1/memory/320-13-0x0000000000400000-0x0000000000469000-memory.dmp family_cycbot behavioral1/memory/1852-122-0x0000000000400000-0x0000000000469000-memory.dmp family_cycbot behavioral1/memory/1968-124-0x0000000000400000-0x0000000000469000-memory.dmp family_cycbot behavioral1/memory/1852-303-0x0000000000400000-0x0000000000469000-memory.dmp family_cycbot behavioral1/memory/1852-307-0x0000000000400000-0x0000000000469000-memory.dmp family_cycbot -
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe -
Pony family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
pid Process 2328 279D.tmp -
Loads dropped DLL 2 IoCs
pid Process 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\533.exe = "C:\\Program Files (x86)\\LP\\A50B\\533.exe" JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
resource yara_rule behavioral1/memory/1852-11-0x0000000000400000-0x0000000000469000-memory.dmp upx behavioral1/memory/320-13-0x0000000000400000-0x0000000000469000-memory.dmp upx behavioral1/memory/1852-122-0x0000000000400000-0x0000000000469000-memory.dmp upx behavioral1/memory/1968-124-0x0000000000400000-0x0000000000469000-memory.dmp upx behavioral1/memory/1852-303-0x0000000000400000-0x0000000000469000-memory.dmp upx behavioral1/memory/1852-307-0x0000000000400000-0x0000000000469000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\LP\A50B\533.exe JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe File opened for modification C:\Program Files (x86)\LP\A50B\533.exe JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe File opened for modification C:\Program Files (x86)\LP\A50B\279D.tmp JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 279D.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe -
Modifies registry class 5 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 956 explorer.exe -
Suspicious use of AdjustPrivilegeToken 15 IoCs
description pid Process Token: SeRestorePrivilege 2800 msiexec.exe Token: SeTakeOwnershipPrivilege 2800 msiexec.exe Token: SeSecurityPrivilege 2800 msiexec.exe Token: SeShutdownPrivilege 956 explorer.exe Token: SeShutdownPrivilege 956 explorer.exe Token: SeShutdownPrivilege 956 explorer.exe Token: SeShutdownPrivilege 956 explorer.exe Token: SeShutdownPrivilege 956 explorer.exe Token: SeShutdownPrivilege 956 explorer.exe Token: SeShutdownPrivilege 956 explorer.exe Token: SeShutdownPrivilege 956 explorer.exe Token: SeShutdownPrivilege 956 explorer.exe Token: SeShutdownPrivilege 956 explorer.exe Token: SeShutdownPrivilege 956 explorer.exe Token: SeShutdownPrivilege 956 explorer.exe -
Suspicious use of FindShellTrayWindow 28 IoCs
pid Process 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe -
Suspicious use of SendNotifyMessage 17 IoCs
pid Process 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe 956 explorer.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1852 wrote to memory of 320 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe 31 PID 1852 wrote to memory of 320 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe 31 PID 1852 wrote to memory of 320 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe 31 PID 1852 wrote to memory of 320 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe 31 PID 1852 wrote to memory of 1968 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe 34 PID 1852 wrote to memory of 1968 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe 34 PID 1852 wrote to memory of 1968 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe 34 PID 1852 wrote to memory of 1968 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe 34 PID 1852 wrote to memory of 2328 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe 37 PID 1852 wrote to memory of 2328 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe 37 PID 1852 wrote to memory of 2328 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe 37 PID 1852 wrote to memory of 2328 1852 JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe 37 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1852 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe startC:\Users\Admin\AppData\Roaming\B8B21\733A5.exe%C:\Users\Admin\AppData\Roaming\B8B212⤵
- System Location Discovery: System Language Discovery
PID:320
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe startC:\Program Files (x86)\2146A\lvvm.exe%C:\Program Files (x86)\2146A2⤵
- System Location Discovery: System Language Discovery
PID:1968
-
-
C:\Program Files (x86)\LP\A50B\279D.tmp"C:\Program Files (x86)\LP\A50B\279D.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2328
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2800
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:956
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
996B
MD5ef092db3be2a81c05169d5a02c72aebb
SHA1bff8dacca7eaa9555616a1d3f7625dc5530f8ac9
SHA256db6a4d084a73ffc67b0cb6c4dc6dc02511b6b9e7d09f99df3f86036cadacfe7f
SHA512692bb37511c8343a301907f483068462df95ba9173001ef3cb197ec22e10cfc2a9e9c1875a161ab545b13e13d5a5bc5734f1c24d4cd4bfb5eda3c395e52ecdf3
-
Filesize
600B
MD54f6dc83a8b72c2a72058e0f52da43748
SHA1e51010c856717f46d46a5e50539ec3413a3b2f83
SHA256c289020b548720e6cb6a777baac9f937243ef4c75a78a5c2dc44a855ae3c4a6a
SHA5122cfab815cd4e130fcc9ecc65b91d89bb43b75fe5995fec6886b4187e856a636a1ac0334246a39ccdf19b8845e663ada3d2529225a759c205f1ff0379d3481b14
-
Filesize
1KB
MD5a91c11c7923a934789d1afa71c70ca34
SHA1315fdbc3126e490f5123787f7e5f2ecf5851279f
SHA256f22de75493269ed79ba55877e00326d710d9bfc31dab9165a43a68e3453ad7bc
SHA5123fcab002a33fe2472d249ed0ce77b71aa160b91afedee8f22e1cbaa65654cba14d1efc7740d2972cb4873a094a723b8e32270a6ba5f3d09285284f88fd126ab5
-
Filesize
97KB
MD5dd599d77a7eb284a9a73a7eaf08acd63
SHA1ca3f9298d279361f73909f564d28e58c86456a61
SHA25676bfc108e1d1146dee49cf23866c6293d298e988ae0006ce3c9644b31a96697a
SHA512ac076022ba245c271dac5e0c5ae452046a58d27a15da21f6f042f964b3a9d05828c958534bde0d331c9d698021249276b9baa8e1afaeda1e4a7a7045b32baa2b