Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel:   140s
  max time network:  118s
  platform:          windows7_x64
  resource:          win7-20240903-en
  resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:         19/01/2025, 07:01
Static task:      static1
Behavioral task:  behavioral1
  Sample:    JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe
  Resource:  win7-20240903-en
General
  Target:  JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe
  Size:    276KB
  MD5:     c095f0aa40c5fd9b02b9bea330bbda19
  SHA1:    03239597e0f410db60b11c902923e7998531b1a7
  SHA256:  4fa20cded385460c2406587c3c485b6d892f181a7bfa071370aaaabd01448523
  SHA512:  c5e0431947968c632fd2b1090339c770515e8cad8d1214206979eef3a04653156f0f9fad4f8f8e6ba194b31fa8c054816d3a3f2e27fe95392b584c8ac6f4a719
  SSDEEP:  6144:FJa1xHmE4OiqFJ4F9tAS947DJ1RUlyL7Ls0TaQ8eGs1jYJY4mUI:FJWBmE7HFqDmS67um3s0TaQ832Y6
Malware Config
Signatures

Cycbot family

Detects Cycbot payload (8 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource                                                                      yara_rule
  behavioral1/memory/1960-15-0x0000000000400000-0x000000000046A000-memory.dmp   family_cycbot
  behavioral1/memory/1960-14-0x0000000000400000-0x000000000046A000-memory.dmp   family_cycbot
  behavioral1/memory/1964-16-0x0000000000400000-0x0000000000467000-memory.dmp   family_cycbot
  behavioral1/memory/1964-17-0x0000000000400000-0x000000000046A000-memory.dmp   family_cycbot
  behavioral1/memory/1016-86-0x0000000000400000-0x000000000046A000-memory.dmp   family_cycbot
  behavioral1/memory/1964-87-0x0000000000400000-0x000000000046A000-memory.dmp   family_cycbot
  behavioral1/memory/1964-164-0x0000000000400000-0x000000000046A000-memory.dmp  family_cycbot
  behavioral1/memory/1964-200-0x0000000000400000-0x000000000046A000-memory.dmp  family_cycbot
Modifies security service (2 TTPs, 1 IoC)
  wscsvc is the Windows Security Center service. Start = 3 sets its start type to manual (the default is 2, automatic), so the service no longer starts at boot and stops reporting AV/firewall state.
  description      ioc                                                                  Process
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"  JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe

Pony family
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  Note: the single IoC is explorer.exe (PID 580), not the sample, creating the per-user Installed Components key. Explorer also creates this key during normal logon processing, and the report shows no component value written under it, so this is a weak indicator on its own.
  description  ioc                                                                                                                  Process
  Key created  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe

Disables taskbar notifications via registry modification
  (No IoC listed under this heading; the related write is the HideSCAHealth policy value under "System policy modification" below.)

Executes dropped EXE (1 IoC)
  pid   Process
  1164  3C93.tmp

Loads dropped DLL (2 IoCs)
  pid   Process
  1964  JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe
  1964  JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe

Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

Unsecured Credentials: Credentials In Files (1 TTP)
  Steals credentials from unsecured files.
Adds Run key to start application (2 TTPs, 1 IoC)
  The value is written under Wow6432Node, the 32-bit view of HKLM\...\CurrentVersion\Run on 64-bit Windows, and points at D11.exe, the file the sample drops into C:\Program Files (x86)\LP\D3A5\ (see "Drops file in Program Files directory").
  description      ioc                                                                                                                                         Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\D11.exe = "C:\\Program Files (x86)\\LP\\D3A5\\D11.exe"  JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Detected by YARA rule upx (10 IoCs)
  (The page carries this hit list without its signature heading; the rule name in each row is "upx".)
  resource                                                                      yara_rule
  behavioral1/memory/1964-2-0x0000000000400000-0x000000000046A000-memory.dmp    upx
  behavioral1/memory/1960-15-0x0000000000400000-0x000000000046A000-memory.dmp   upx
  behavioral1/memory/1960-14-0x0000000000400000-0x000000000046A000-memory.dmp   upx
  behavioral1/memory/1964-16-0x0000000000400000-0x0000000000467000-memory.dmp   upx
  behavioral1/memory/1964-17-0x0000000000400000-0x000000000046A000-memory.dmp   upx
  behavioral1/memory/1016-85-0x0000000000400000-0x000000000046A000-memory.dmp   upx
  behavioral1/memory/1016-86-0x0000000000400000-0x000000000046A000-memory.dmp   upx
  behavioral1/memory/1964-87-0x0000000000400000-0x000000000046A000-memory.dmp   upx
  behavioral1/memory/1964-164-0x0000000000400000-0x000000000046A000-memory.dmp  upx
  behavioral1/memory/1964-200-0x0000000000400000-0x000000000046A000-memory.dmp  upx
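A quick consistency check on the memory-dump IoCs above, as an added example that is not part of the tria.ge report or its tooling. It assumes the dump file names follow the pattern visible on this page, `<pid>-<dump index>-0x<start>-0x<end>-memory.dmp`, and uses the 276KB on-disk size from the General section. Every dump sits at image base 0x400000 in PIDs 1964, 1960 and 1016, and the dumped region is larger than the file on disk, which is what you expect when a UPX stub decompresses the real code into the image's own section space rather than into a fresh allocation.

```python
"""Summarise the memory-dump IoCs listed under the Cycbot and UPX YARA hits.

Added example, not from the tria.ge report. The file names below are copied
from the report's 'upx' hit list; the naming convention assumed is
'<pid>-<dump index>-0x<start>-0x<end>-memory.dmp'.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

DUMP_RE = re.compile(
    r"^behavioral1/memory/(?P<pid>\d+)-(?P<idx>\d+)"
    r"-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed from the 'upx' rule hits on this page.
UPX_HITS = [
    "behavioral1/memory/1964-2-0x0000000000400000-0x000000000046A000-memory.dmp",
    "behavioral1/memory/1960-15-0x0000000000400000-0x000000000046A000-memory.dmp",
    "behavioral1/memory/1960-14-0x0000000000400000-0x000000000046A000-memory.dmp",
    "behavioral1/memory/1964-16-0x0000000000400000-0x0000000000467000-memory.dmp",
    "behavioral1/memory/1964-17-0x0000000000400000-0x000000000046A000-memory.dmp",
    "behavioral1/memory/1016-85-0x0000000000400000-0x000000000046A000-memory.dmp",
    "behavioral1/memory/1016-86-0x0000000000400000-0x000000000046A000-memory.dmp",
    "behavioral1/memory/1964-87-0x0000000000400000-0x000000000046A000-memory.dmp",
    "behavioral1/memory/1964-164-0x0000000000400000-0x000000000046A000-memory.dmp",
    "behavioral1/memory/1964-200-0x0000000000400000-0x000000000046A000-memory.dmp",
]
FILE_SIZE_ON_DISK = 276 * 1024  # "276KB" in the General section


def parse_dump_name(name: str) -> Tuple[int, int, int, int]:
    """Return (pid, dump index, start address, end address) for one dump name."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    return (int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16))


def summarize(names: List[str]) -> Dict[int, dict]:
    """Group dumps by PID; record the base addresses seen and the largest region size."""
    per_pid: Dict[int, dict] = defaultdict(lambda: {"bases": set(), "max_size": 0, "dumps": 0})
    for name in names:
        pid, _, start, end = parse_dump_name(name)
        entry = per_pid[pid]
        entry["bases"].add(start)
        entry["max_size"] = max(entry["max_size"], end - start)
        entry["dumps"] += 1
    return dict(per_pid)


def unpacked_in_place(summary: Dict[int, dict], disk_size: int) -> List[int]:
    """PIDs whose dumped image region is larger than the file on disk.

    A packed PE whose in-memory image exceeds the file size is consistent with a
    stub (here UPX) decompressing the payload into the image's own sections.
    """
    return sorted(pid for pid, e in summary.items() if e["max_size"] > disk_size)


if __name__ == "__main__":
    s = summarize(UPX_HITS)
    for pid, e in sorted(s.items()):
        bases = ", ".join(hex(b) for b in sorted(e["bases"]))
        print(f"PID {pid}: {e['dumps']} dump(s), base {bases}, "
              f"largest region {e['max_size']:#x} ({e['max_size'] // 1024} KB)")
    print("unpacked in place:", unpacked_in_place(s, FILE_SIZE_ON_DISK))
```

The 0x467000 region in dump 1964-16 is the one exception to the 0x46A000 size; it is still at the same base and still well above 276KB, so it does not change the conclusion.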
Drops file in Program Files directory (3 IoCs)
  description                 ioc                                         Process
  File created                C:\Program Files (x86)\LP\D3A5\D11.exe      JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe
  File opened for modification C:\Program Files (x86)\LP\D3A5\3C93.tmp    JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe
  File opened for modification C:\Program Files (x86)\LP\D3A5\D11.exe     JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                             Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3C93.tmp
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe

Modifies registry class (5 IoCs)
  All five writes are by explorer.exe (PID 580) to its own shellbag (BagMRU) folder-view state, i.e. normal Explorer activity, not writes by the sample.
  description       ioc                                                                                                                                      Process
  Key created       \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings                                                      explorer.exe
  Key created       \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell                     explorer.exe
  Key created       \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU              explorer.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots    explorer.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff  explorer.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process
  1964  JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe  (x8)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  580   explorer.exe

Suspicious use of AdjustPrivilegeToken (15 IoCs)
  description                       pid   Process
  Token: SeRestorePrivilege         2380  msiexec.exe
  Token: SeTakeOwnershipPrivilege   2380  msiexec.exe
  Token: SeSecurityPrivilege        2380  msiexec.exe
  Token: SeShutdownPrivilege        580   explorer.exe  (x12)

Suspicious use of FindShellTrayWindow (28 IoCs)
  pid   Process
  580   explorer.exe  (x28)

Suspicious use of SendNotifyMessage (17 IoCs)
  pid   Process
  580   explorer.exe  (x17)

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                              procid_target
  PID 1964 wrote to memory of 1960  1964  JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe  32  (x4)
  PID 1964 wrote to memory of 1016  1964  JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe  34  (x4)
  PID 1964 wrote to memory of 1164  1964  JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe  36  (x4)
System policy modification (1 TTP, 2 IoCs)
  HideSCAHealth = 1 is the Explorer policy that hides the Security Center (Action Center on Windows 7) tray icon and its balloon notifications, so the user is not told that wscsvc has been set to manual start.
  description      ioc                                                                                          Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                 JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"  JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
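The registry IoCs in this report (wscsvc start type, the HideSCAHealth policy, the Wow6432Node Run key and the Active Setup key) are the kind of thing you would want to match from endpoint telemetry rather than read off a sandbox page. The following is an added example, not part of the tria.ge report or of any Cycbot tooling: it parses registry operations written in the one-line form this page uses (`<op> <key path>[ = "<value>"] <process>`), applies one rule per behaviour, and keeps the Active Setup hit as a separately named weak signal. The input lines are constructed here from the report's IoC rows plus one benign NLS\Language read; the rule names are hypothetical. In production you would feed Sysmon event 12/13 or ETW registry events through the same `evaluate` function.

```python
"""Match registry operations against the behaviours this report flags.

Added example, not part of the tria.ge report. Input lines are constructed in
the one-line format the report prints: '<op> <key path>[ = "<value>"] <process>'.
Rule names are hypothetical labels chosen for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str|data)\)|Key (?:created|opened))\s+'
    r'(?P<path>\\REGISTRY\\.*?)'
    r'(?:\s+=\s+(?P<value>"[^"]*"|\S+))?'
    r'\s+(?P<process>\S+)$'
)

# Service start types; wscsvc (Security Center) defaults to 2 on Windows 7.
SERVICE_START = {"2": "automatic", "3": "manual", "4": "disabled"}

# Constructed sample: the registry rows this report attributes to the sample
# (PID 1964), one benign NLS read by the dropped 3C93.tmp, and the explorer.exe
# Active Setup key creation.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\D11.exe = "C:\\Program Files (x86)\\LP\\D3A5\\D11.exe" JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3C93.tmp',
    r'Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe',
]


@dataclass
class RegEvent:
    op: str
    path: str
    value: Optional[str]
    process: str


@dataclass
class Finding:
    rule: str
    process: str
    detail: str


def parse_line(line: str) -> RegEvent:
    """Split one report-style registry row into operation, key path, value and process."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable registry line: {line!r}")
    value = m.group("value")
    if value is not None:
        # The report prints string data quoted and with doubled backslashes.
        value = value.strip('"').replace("\\\\", "\\")
    return RegEvent(m.group("op"), m.group("path"), value, m.group("process"))


def evaluate(ev: RegEvent) -> List[Finding]:
    """Apply the behaviour rules this report flags to a single registry event."""
    out: List[Finding] = []
    p = ev.path.lower()
    # Security Center service start type changed away from the automatic default.
    if p.endswith(r"\services\wscsvc\start") and ev.value is not None and ev.value != "2":
        out.append(Finding("security_center_service_start_changed", ev.process,
                           f"wscsvc Start={ev.value} ({SERVICE_START.get(ev.value, 'unknown')})"))
    # Explorer policy that hides the Security Center tray icon and its notifications.
    if p.endswith(r"\policies\explorer\hidescahealth") and ev.value == "1":
        out.append(Finding("security_center_tray_icon_hidden", ev.process, "HideSCAHealth=1"))
    # Any value written under a CurrentVersion\Run key (covers the Wow6432Node view too).
    if ev.op.startswith("Set value") and "\\currentversion\\run\\" in p:
        out.append(Finding("run_key_persistence", ev.process,
                           f"{ev.path.rsplit(chr(92), 1)[-1]} -> {ev.value}"))
    # Weak signal on its own: Explorer creates this key during normal logon processing.
    if ev.op == "Key created" and p.endswith(r"\active setup\installed components"):
        out.append(Finding("active_setup_key_created", ev.process, ev.path))
    return out


def scan(lines: List[str]) -> List[Finding]:
    """Parse and evaluate every line, returning all findings in input order."""
    findings: List[Finding] = []
    for line in lines:
        findings.extend(evaluate(parse_line(line)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:40} {f.process:55} {f.detail}")
```

The wscsvc rule deliberately fires on any non-default start type, not just "3": the same effect is achieved with "4" (disabled), and a detection keyed to the exact value the sandbox happened to see would miss it.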
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe  (PID 1964)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe"
  - Modifies security service
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  |
  |- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe  (PID 1960)
  |    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe startC:\Users\Admin\AppData\Roaming\567D4\13ED3.exe%C:\Users\Admin\AppData\Roaming\567D4
  |    - System Location Discovery: System Language Discovery
  |
  |- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe  (PID 1016)
  |    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c095f0aa40c5fd9b02b9bea330bbda19.exe startC:\Program Files (x86)\D4175\lvvm.exe%C:\Program Files (x86)\D4175
  |    - System Location Discovery: System Language Discovery
  |
  |- C:\Program Files (x86)\LP\D3A5\3C93.tmp  (PID 1164)
       command line: "C:\Program Files (x86)\LP\D3A5\3C93.tmp"
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery

C:\Windows\system32\msiexec.exe  (PID 2380)
  command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\explorer.exe  (PID 580)
  command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Notes on the tree: the sample (PID 1964) relaunches its own image twice with a "start<path>%<path>" argument naming second-stage locations under C:\Users\Admin\AppData\Roaming\567D4\ and C:\Program Files (x86)\D4175\, and runs the dropped 3C93.tmp; these three children are the targets of its WriteProcessMemory calls. msiexec.exe (PID 2380) and explorer.exe (PID 580) appear at the top level, not as children of the sample, and the report does not show the sample starting them.
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)
Downloads

Entry 1
  Filesize:  1KB
  MD5:       e6a52c7469c6c6aab8e2a46c797bd3cb
  SHA1:      f53207e6d8203160efb6fbaa139b5eb91dbc3f77
  SHA256:    e3c80684e4c5da924c8b8eb9837229dc78ebf751df1fd7e58bf13a8d7c3bc9b1
  SHA512:    bebe08958586b076b2107553eb93f08649767f9a90e4e849d01878760ec6dfe1bcf08a74a545c1de0eb49e9334750aabb97416c402db669d99e5e59e89b8ca43

Entry 2
  Filesize:  1KB
  MD5:       8138ef21caf04ba05b78b1b50c4c325d
  SHA1:      140f029dc998c8f75fd14f61b6a06abf136f6bd7
  SHA256:    1e9bf1c312cce57e93e019ec299956b451a261746473fc6d129a788da1c17a95
  SHA512:    0f267b3e13ff126130183bda7687c4fc93645d7547c9a3b4a1fcd18b9253295466c0ac1c0ce28eddce9d01b4f6a7ad21abf78a279c703bf0ad87048297b4946b

Entry 3
  Filesize:  600B
  MD5:       cf8d0ba55a982d5d298f083933cf5234
  SHA1:      b9b0ffc52bf5eecd33436bad4a0ce08f11938562
  SHA256:    dc0a3d0779f109345b8cf228b4d58c705b005a7b574d3518ff82b90d52085142
  SHA512:    54a3a365e910f0d4eeaeb94a9922ba6f004662c27e501e5e988006d8948c6ed28f58d6443d7cd1861c02fc72d602d05f0ea6556678ef1c83636c581334cbd89d

Entry 4
  Filesize:  996B
  MD5:       c3dee1a706f4322a0280ccd93567c3ab
  SHA1:      9b50c031c054068953112fe98394ae8b650c7f65
  SHA256:    cbc282f342a014e4f6b56d8a95b0f1dff02b64432cfd5f8444ba4a276e24a828
  SHA512:    b15f6d4b926d8a2e497d384697934e8e9f7652a3f16253599701872d4a72422ff1be9d0459f380fd19f127dc0c4d0b37e482bae0df8f0de066f276791c2c3e3b

Entry 5
  Filesize:  103KB
  MD5:       86d203aa2caa9884b7b360153e9ea8c1
  SHA1:      a10e4e44dfc2a2ace55bf60eb769da2dcc79ca73
  SHA256:    0e8be7424ef08580c27c82cdc0226abeef27ce7664a16491c4d5c7eecbe6272d
  SHA512:    491afdef0e57cd084ac76493755c3dff971f1aef06bd4bc3d13447e159f3a32e8b9cc39e30af4f934badaeb2d922a18cf40dfc933b32b9afcb9b64d3a9349567