Analysis
- max time kernel: 140s
- max time network: 96s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 19/01/2025, 18:52
- Static task: static1
- Behavioral task: behavioral1
- Sample: JaffaCakes118_d016e63391e47d45f244e7205ebc712b.exe
- Resource: win7-20241010-en
General
- Target: JaffaCakes118_d016e63391e47d45f244e7205ebc712b.exe
- Size: 287KB
- MD5: d016e63391e47d45f244e7205ebc712b
- SHA1: 05de4503b14933267a9498a52920290ab88a9898
- SHA256: 23ae88ebe838fb372e2ab3c6be466606c510936d8b8910ef941bc7cf919623da
- SHA512: f88bbf558213a3adda2e0e1a7721384a2c65bfd7a3c227a0990fa44954b0f25e7c842db6dbcdd887009e6fc6396456d7aa0b4513c41e3f630edf62205c75644b
- SSDEEP: 6144:Jlq904HDzA6skiQUVwerZIKFGSNUXT0cI/kX1PABS4brjXMMc:jizA6sxl9rZfGT0cOkX1os4bn
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (9 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource / yara_rule:
  - behavioral1/memory/432-3-0x0000000000400000-0x000000000046B000-memory.dmp  family_cycbot
  - behavioral1/memory/432-4-0x0000000000400000-0x0000000000468000-memory.dmp  family_cycbot
  - behavioral1/memory/432-13-0x0000000000400000-0x000000000046B000-memory.dmp  family_cycbot
  - behavioral1/memory/2504-18-0x0000000000400000-0x000000000046B000-memory.dmp  family_cycbot
  - behavioral1/memory/432-19-0x0000000000400000-0x000000000046B000-memory.dmp  family_cycbot
  - behavioral1/memory/1768-190-0x0000000000400000-0x000000000046B000-memory.dmp  family_cycbot
  - behavioral1/memory/432-191-0x0000000000400000-0x000000000046B000-memory.dmp  family_cycbot
  - behavioral1/memory/432-327-0x0000000000400000-0x000000000046B000-memory.dmp  family_cycbot
  - behavioral1/memory/432-333-0x0000000000400000-0x000000000046B000-memory.dmp  family_cycbot
- Modifies security service (2 TTPs, 1 IoC)
  description / ioc / Process:
  - Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"  JaffaCakes118_d016e63391e47d45f244e7205ebc712b.exe
- Pony family
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description / ioc / Process:
  - Key created  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
- Disables taskbar notifications via registry modification
- Executes dropped EXE (1 IoC)
  pid / Process:
  - 1608  AB4D.tmp
- Loads dropped DLL (2 IoCs)
  pid / Process:
  - 432  JaffaCakes118_d016e63391e47d45f244e7205ebc712b.exe (2 identical entries)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Unsecured Credentials: Credentials In Files (1 TTP)
  Steal credentials from unsecured files.
- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / Process:
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FE4.exe = "C:\\Program Files (x86)\\LP\\1C3E\\FE4.exe"  JaffaCakes118_d016e63391e47d45f244e7205ebc712b.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- YARA match: upx (11 IoCs)
  resource / yara_rule:
  - behavioral1/memory/432-2-0x0000000000400000-0x000000000046B000-memory.dmp  upx
  - behavioral1/memory/432-3-0x0000000000400000-0x000000000046B000-memory.dmp  upx
  - behavioral1/memory/432-4-0x0000000000400000-0x0000000000468000-memory.dmp  upx
  - behavioral1/memory/432-13-0x0000000000400000-0x000000000046B000-memory.dmp  upx
  - behavioral1/memory/2504-16-0x0000000000400000-0x000000000046B000-memory.dmp  upx
  - behavioral1/memory/2504-18-0x0000000000400000-0x000000000046B000-memory.dmp  upx
  - behavioral1/memory/432-19-0x0000000000400000-0x000000000046B000-memory.dmp  upx
  - behavioral1/memory/1768-190-0x0000000000400000-0x000000000046B000-memory.dmp  upx
  - behavioral1/memory/432-191-0x0000000000400000-0x000000000046B000-memory.dmp  upx
  - behavioral1/memory/432-327-0x0000000000400000-0x000000000046B000-memory.dmp  upx
  - behavioral1/memory/432-333-0x0000000000400000-0x000000000046B000-memory.dmp  upx
- Drops file in Program Files directory (3 IoCs)
  description / ioc / Process:
  - File created  C:\Program Files (x86)\LP\1C3E\FE4.exe  JaffaCakes118_d016e63391e47d45f244e7205ebc712b.exe
  - File opened for modification  C:\Program Files (x86)\LP\1C3E\FE4.exe  JaffaCakes118_d016e63391e47d45f244e7205ebc712b.exe
  - File opened for modification  C:\Program Files (x86)\LP\1C3E\AB4D.tmp  JaffaCakes118_d016e63391e47d45f244e7205ebc712b.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_d016e63391e47d45f244e7205ebc712b.exe (3 identical entries)
  - Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AB4D.tmp
- Modifies registry class (5 IoCs)
  description / ioc / Process:
  - Set value (data)  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff  explorer.exe
  - Key created  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings  explorer.exe
  - Key created  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell  explorer.exe
  - Key created  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU  explorer.exe
  - Set value (data)  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots  explorer.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid / Process:
  - 432  JaffaCakes118_d016e63391e47d45f244e7205ebc712b.exe (14 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / Process:
  - 1028  explorer.exe
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  description / pid / Process:
  - Token: SeRestorePrivilege  2556  msiexec.exe
  - Token: SeTakeOwnershipPrivilege  2556  msiexec.exe
  - Token: SeSecurityPrivilege  2556  msiexec.exe
  - Token: SeShutdownPrivilege  1028  explorer.exe (10 identical entries)
  - Token: 33  2356  AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege  2356  AUDIODG.EXE
  - Token: 33  2356  AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege  2356  AUDIODG.EXE
  - Token: SeShutdownPrivilege  1028  explorer.exe (2 identical entries)
- Suspicious use of FindShellTrayWindow (29 IoCs)
  pid / Process:
  - 1028  explorer.exe (29 identical entries)
- Suspicious use of SendNotifyMessage (19 IoCs)
  pid / Process:
  - 1028  explorer.exe (19 identical entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / Process / procid_target:
  - PID 432 wrote to memory of 2504  432  JaffaCakes118_d016e63391e47d45f244e7205ebc712b.exe  30 (4 identical entries)
  - PID 432 wrote to memory of 1768  432  JaffaCakes118_d016e63391e47d45f244e7205ebc712b.exe  32 (4 identical entries)
  - PID 432 wrote to memory of 1608  432  JaffaCakes118_d016e63391e47d45f244e7205ebc712b.exe  36 (4 identical entries)
- System policy modification (1 TTP, 2 IoCs)
  description / ioc / Process:
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  JaffaCakes118_d016e63391e47d45f244e7205ebc712b.exe
  - Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"  JaffaCakes118_d016e63391e47d45f244e7205ebc712b.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d016e63391e47d45f244e7205ebc712b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d016e63391e47d45f244e7205ebc712b.exe"
  PID: 432
  - Modifies security service
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  child processes:
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d016e63391e47d45f244e7205ebc712b.exe
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d016e63391e47d45f244e7205ebc712b.exe startC:\Users\Admin\AppData\Roaming\E1603\7451C.exe%C:\Users\Admin\AppData\Roaming\E1603
    PID: 2504
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d016e63391e47d45f244e7205ebc712b.exe
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d016e63391e47d45f244e7205ebc712b.exe startC:\Program Files (x86)\03B01\lvvm.exe%C:\Program Files (x86)\03B01
    PID: 1768
    - System Location Discovery: System Language Discovery
  - C:\Program Files (x86)\LP\1C3E\AB4D.tmp
    command line: "C:\Program Files (x86)\LP\1C3E\AB4D.tmp"
    PID: 1608
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
- C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  PID: 2556
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe
  command line: explorer.exe
  PID: 1028
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x598
  PID: 2356
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (3)
    - Credentials In Files (3)
Downloads