Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/01/2025, 05:54

General

  • Target

    JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe

  • Size

    276KB

  • MD5

    bf3d1da540c6a1ef116ea71b32fb9b13

  • SHA1

    2e3788bd4b66efcaa9885bfc1b549a4ab059682e

  • SHA256

    293887a9bb8213ea8a1cb57c91d9ddf815c5e94b53e9ac7dea9276dc562a3ef9

  • SHA512

    0639fff6732efe44cfd6b0f4eab6146a2580a7ab48bd4048f04fe34bcd71825901fb4fc2bc0c9562e453414a92b953414a0968bd04045931d6d50b6f724f3b15

  • SSDEEP

    6144:jajFNKSFgtgBhuNe240x0SpO5OT5ARcAZDNMUY:+NfFgyCP0SSOyc2s

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 6 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
  • Pony family
  • Pony, Fareit

    Pony (also tracked as Fareit) is a Remote Access Trojan that steals information, chiefly stored credentials.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Components registered under HKLM\Software\Microsoft\Active Setup\Installed Components are evaluated at user logon, and a component's StubPath command is run once for every user whose HKCU copy of that component is missing or carries an older Version, so one machine-wide key executes the payload in each user's context.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials stored in unsecured files.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • UPX packed file 6 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX variant.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
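
Two of the persistence signatures above (Active Setup and the Run key) leave their evidence in the registry, and the most useful check when reviewing a host is to walk those locations and rank each launch target by where it lives. The script below is an added example written for this page, not tria.ge output or the sample's code: it audits a registry snapshot held in a Python dict so it runs offline. The snapshot is constructed; the GUIDs are invented, and while the two planted launch paths reuse directories this report shows the dropper writing to, the report does not state which registry values actually pointed at them.

```python
"""Audit autostart entries of the kinds the signatures above report: Active Setup
components and Run keys.  Works on a registry snapshot held in a dict so it runs
offline; the SNAPSHOT below is constructed for this example."""
import re
from typing import Dict, Iterator, Tuple

ACTIVE_SETUP = r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
# Path fragments a standard user can write to; an autostart pointing here needs
# no admin rights to plant and is the first thing to look at.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def launched_image(command: str) -> str:
    """Image path a launch string executes, lower-cased.  Handles quoted paths
    and looks through rundll32 to the DLL it loads."""
    m = _FIRST_TOKEN.match(command)
    if not m:
        return ""
    image = (m.group(1) or m.group(2)).lower()
    if image.endswith(("rundll32.exe", "rundll32")):
        m2 = _FIRST_TOKEN.match(command[m.end():].strip())
        if m2:
            image = (m2.group(1) or m2.group(2)).split(",")[0].lower()
    return image


def location_risk(image: str) -> str:
    """Coarse triage rank based only on where the launched file lives."""
    if any(frag in image for frag in USER_WRITABLE):
        return "high"
    if image.startswith("c:\\program files"):
        return "medium"   # installers put files here, but so did this sample
    if image.startswith("c:\\windows\\"):
        return "low"
    return "medium"


def audit(snapshot: Dict[str, Dict[str, object]]) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (key, value name, launched image, risk) for each autostart entry."""
    for key, values in snapshot.items():
        k = key.lower()
        if k.startswith(ACTIVE_SETUP.lower() + "\\"):
            stub = values.get("StubPath")
            if not stub:
                continue
            # Active Setup runs StubPath at logon for every user whose HKCU copy
            # of the component is missing or older; IsInstalled == 0 disables it.
            inert = str(values.get("IsInstalled", 1)) == "0"
            image = launched_image(str(stub))
            yield key, "StubPath", image, ("low" if inert else location_risk(image))
        elif k in (r.lower() for r in RUN_KEYS):
            for name, cmd in values.items():
                image = launched_image(str(cmd))
                yield key, name, image, location_risk(image)


# Constructed snapshot: one stock Active Setup component, one planted component,
# and two Run values.  GUIDs are made up; the planted paths reuse directories the
# report shows the dropper writing to, but the report does not name these values.
SNAPSHOT = {
    ACTIVE_SETUP + r"\{00000000-1111-2222-3333-444444444444}": {
        "StubPath": r'"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll',
        "IsInstalled": 1,
        "Version": "1,0,0,0",
    },
    ACTIVE_SETUP + r"\{DEADBEEF-0000-0000-0000-000000000000}": {
        "StubPath": r'"C:\Users\Admin\AppData\Roaming\B8B21\733A5.exe"',
        "IsInstalled": 1,
        "Version": "1,0,0,0",
    },
    RUN_KEYS[0]: {
        "lvvm": r'"C:\Program Files (x86)\2146A\lvvm.exe"',
    },
    RUN_KEYS[1]: {
        "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    },
}

if __name__ == "__main__":
    for key, name, image, risk in audit(SNAPSHOT):
        print(f"[{risk:6}] {key}\\{name} -> {image}")
```

Location is a triage heuristic, not a verdict: some legitimate per-user software autostarts from AppData, so pair the "high" hits with a hash or signer allowlist before acting, and treat the "medium" Program Files entries with random-looking directory names (as this sample's 2146A) as worth a second look rather than safe by default.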

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1852
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe startC:\Users\Admin\AppData\Roaming\B8B21\733A5.exe%C:\Users\Admin\AppData\Roaming\B8B21
      2⤵
      • System Location Discovery: System Language Discovery
      PID:320
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe startC:\Program Files (x86)\2146A\lvvm.exe%C:\Program Files (x86)\2146A
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1968
    • C:\Program Files (x86)\LP\A50B\279D.tmp
      "C:\Program Files (x86)\LP\A50B\279D.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2328
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2800
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:956
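
The tree above shows two behaviours worth turning into detections: the dropper re-executes its own image twice, each time with a single argument of the form start<payload path>%<payload directory> that hands off the location of a dropped executable, and it runs a PE from a .tmp file under Program Files (x86)\LP. The following is an added example for this page, not tria.ge code, that applies both checks to process-creation events. The events are reconstructed from the tree above; the report lists no parent PIDs, so the ppid values are assumed from the nesting.

```python
"""Flag two behaviours from the process tree above in process-creation events:
a process re-running its own image with a 'start<payload>%<dir>' argument, and
a PE executed from a .tmp file.  EVENTS is reconstructed from the report; the
parent PIDs are assumed from the tree nesting (the report does not list them)."""
import re
from typing import List, NamedTuple, Tuple


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str


_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')
# 'start' fused to an absolute .exe path, then '%', then the directory holding it.
_HANDOFF = re.compile(r"^start([A-Za-z]:\\[^%]+\.exe)%([A-Za-z]:\\.*)$", re.IGNORECASE)

SELF_RELAUNCH = "self-relaunch with payload handoff"
TMP_EXECUTION = "PE executed from .tmp file"


def split_cmdline(cmdline: str) -> Tuple[str, str]:
    """Split a command line into (image token, remaining arguments)."""
    m = _FIRST_TOKEN.match(cmdline)
    if not m:
        return "", ""
    return (m.group(1) or m.group(2)), cmdline[m.end():].strip()


def detect(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, finding, detail) triples for every matching event."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        _, args = split_cmdline(e.cmdline)
        m = _HANDOFF.match(args)
        # Same image as the parent plus the handoff argument: the first-stage
        # process is spawning itself to install/launch a dropped payload.
        if m and parent and parent.image.lower() == e.image.lower():
            findings.append((e.pid, SELF_RELAUNCH, m.group(1)))
        # Executable content given a non-executable extension to look like scratch data.
        if e.image.lower().endswith(".tmp"):
            findings.append((e.pid, TMP_EXECUTION, e.image))
    return findings


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bf3d1da540c6a1ef116ea71b32fb9b13.exe"
# Reconstructed from the report's process tree; ppid 0 marks tree roots.
EVENTS = [
    ProcEvent(1852, 0, DROPPER, f'"{DROPPER}"'),
    ProcEvent(320, 1852, DROPPER,
              DROPPER + r" startC:\Users\Admin\AppData\Roaming\B8B21\733A5.exe%C:\Users\Admin\AppData\Roaming\B8B21"),
    ProcEvent(1968, 1852, DROPPER,
              DROPPER + r" startC:\Program Files (x86)\2146A\lvvm.exe%C:\Program Files (x86)\2146A"),
    ProcEvent(2328, 1852, r"C:\Program Files (x86)\LP\A50B\279D.tmp",
              r'"C:\Program Files (x86)\LP\A50B\279D.tmp"'),
    ProcEvent(2800, 0, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(956, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for pid, finding, detail in detect(EVENTS):
        print(f"PID {pid}: {finding}: {detail}")
```

The payload path captured from the handoff argument (733A5.exe under Roaming, lvvm.exe under Program Files (x86)) is what to pivot on next in file-creation and autostart telemetry; the .tmp check is deliberately broad and will also fire on some installers, so keep it as a medium-confidence signal rather than an alert on its own.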

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\B8B21\146A.8B2

    Filesize

    996B

    MD5

    ef092db3be2a81c05169d5a02c72aebb

    SHA1

    bff8dacca7eaa9555616a1d3f7625dc5530f8ac9

    SHA256

    db6a4d084a73ffc67b0cb6c4dc6dc02511b6b9e7d09f99df3f86036cadacfe7f

    SHA512

    692bb37511c8343a301907f483068462df95ba9173001ef3cb197ec22e10cfc2a9e9c1875a161ab545b13e13d5a5bc5734f1c24d4cd4bfb5eda3c395e52ecdf3

  • C:\Users\Admin\AppData\Roaming\B8B21\146A.8B2

    Filesize

    600B

    MD5

    4f6dc83a8b72c2a72058e0f52da43748

    SHA1

    e51010c856717f46d46a5e50539ec3413a3b2f83

    SHA256

    c289020b548720e6cb6a777baac9f937243ef4c75a78a5c2dc44a855ae3c4a6a

    SHA512

    2cfab815cd4e130fcc9ecc65b91d89bb43b75fe5995fec6886b4187e856a636a1ac0334246a39ccdf19b8845e663ada3d2529225a759c205f1ff0379d3481b14

  • C:\Users\Admin\AppData\Roaming\B8B21\146A.8B2

    Filesize

    1KB

    MD5

    a91c11c7923a934789d1afa71c70ca34

    SHA1

    315fdbc3126e490f5123787f7e5f2ecf5851279f

    SHA256

    f22de75493269ed79ba55877e00326d710d9bfc31dab9165a43a68e3453ad7bc

    SHA512

    3fcab002a33fe2472d249ed0ce77b71aa160b91afedee8f22e1cbaa65654cba14d1efc7740d2972cb4873a094a723b8e32270a6ba5f3d09285284f88fd126ab5

  • \Program Files (x86)\LP\A50B\279D.tmp

    Filesize

    97KB

    MD5

    dd599d77a7eb284a9a73a7eaf08acd63

    SHA1

    ca3f9298d279361f73909f564d28e58c86456a61

    SHA256

    76bfc108e1d1146dee49cf23866c6293d298e988ae0006ce3c9644b31a96697a

    SHA512

    ac076022ba245c271dac5e0c5ae452046a58d27a15da21f6f042f964b3a9d05828c958534bde0d331c9d698021249276b9baa8e1afaeda1e4a7a7045b32baa2b

  • memory/320-13-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/1852-0-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/1852-11-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/1852-122-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/1852-303-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/1852-307-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/1968-124-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/2328-304-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB