Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JaffaCakes...ea.exe

windows7-x64

10

JaffaCakes...ea.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20/01/2025, 03:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_dad294cc0220656002f3bbd030d0d3ea.exe

  • Size

    274KB

  • MD5

    dad294cc0220656002f3bbd030d0d3ea

  • SHA1

    9a6718b1e3f56fc62be414579865da418099bd14

  • SHA256

    1dc41b4be881fc20ce71519e48251f6be1ffa776f73faac2a70ed4dcbc31be63

  • SHA512

    27ea795744caf52ab9846cede2972d9ecadc2a15b024868a5826226159e27072477e33f472bbf232db1f05c375fc60a00962e0448503e69dc73ab574ee7e9901

  • SSDEEP

    6144:R18u7ntij35zenYp5wiQxVQVNb89woYZ69U1SfTLB0AzQglMqBr1iW9Txz2oRcru:Lz0gnYpTu8BrZWU1Sfn6ADaW9x2oRIp5

Score
10/10
cycbotponybackdoorcredential_accessdiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

    backdoorratcycbot
  • Cycbot family
    cycbot
  • Detects Cycbot payload 7 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony family
    pony
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dad294cc0220656002f3bbd030d0d3ea.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dad294cc0220656002f3bbd030d0d3ea.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1804
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dad294cc0220656002f3bbd030d0d3ea.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dad294cc0220656002f3bbd030d0d3ea.exe startC:\Users\Admin\AppData\Roaming\0D4DA\E4023.exe%C:\Users\Admin\AppData\Roaming\0D4DA
      2⤵
        PID:2920
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dad294cc0220656002f3bbd030d0d3ea.exe
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dad294cc0220656002f3bbd030d0d3ea.exe startC:\Program Files (x86)\DA7DC\lvvm.exe%C:\Program Files (x86)\DA7DC
        2⤵
          PID:900
        • C:\Program Files (x86)\LP\2310\3BC8.tmp
          "C:\Program Files (x86)\LP\2310\3BC8.tmp"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1904
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2540
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1244

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Active Setup

      1
      T1547.014

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Active Setup

      1
      T1547.014

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Defense Evasion

      Modify Registry

      4
      T1112

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      3
      T1552

      Credentials In Files

      3
      T1552.001

      Discovery

      Query Registry

      2
      T1012

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\0D4DA\A7DC.D4D
        Filesize

        996B

        MD5

        367e1e3e19e1d9c7db5bb971066c705e

        SHA1

        12197a112da9c2e1c556f0bd233af9e471a76fbd

        SHA256

        e5296f9edd851eda7776ddf91f863721786fe1476f28a2c7026954c52d31c8b0

        SHA512

        4b1af6ba461d8a25a0c530d664bb95c580a4afc0be86f865c27fdca565ca76da05e51c1352a5bf8362300e8b4bfff602a472873376d107d60526623ae3e5c394

        Download Submit

      • C:\Users\Admin\AppData\Roaming\0D4DA\A7DC.D4D
        Filesize

        600B

        MD5

        f5a2edaad3f4b2f3a75949d519b71091

        SHA1

        1ef485839ee5d0dac9be85e66243b5b3d3239ef5

        SHA256

        79b1c05f1c8e2633c1faa77374225cab480805d8103c1a82e983f501a44b7459

        SHA512

        559276e1bbe0a9484f16fb9978b0d94f1b3b341254b6d4f44e1bf421184a616da8446e8881cff622ceab0c0fb830cdb247852787cf0b8ffcf6bdf97c67db901c

        Download Submit

      • C:\Users\Admin\AppData\Roaming\0D4DA\A7DC.D4D
        Filesize

        1KB

        MD5

        473657c174c94368a67650e8af3c9916

        SHA1

        4a9c98fb6ab30508eab242bddc67144db386de83

        SHA256

        a407c0a680636687b5e506bfb70cabcd1f95b70df5e5da0d8381950e7b0f35d1

        SHA512

        09ba8160c026943d13be2e51a6efda97a1d31e7200396a2326abc98e750b355af7fd8d2df39139c8fd1d936c55eab7790ba2a119a23da71e09d8ec94698792b6

        Download Submit

      • \Program Files (x86)\LP\2310\3BC8.tmp
        Filesize

        97KB

        MD5

        b5ea3a02245a0dcead8fab5351d1cf81

        SHA1

        cf63d395d4e9f658ea3e73e0d9407dd4dd3aedf9

        SHA256

        9a9a5d6cbd12bfca01c9f5bf0fb16b750815c54ed99c81f387578e05efe2dd88

        SHA512

        59e0c251aade2dae3fa228aa0fc31c1ce3a29a17d8c7267db8fb77dfbaad75da8d1766c514088726d3c9df8e7ff7679151d099cb0123deeb2cc585a0b84a46fc

        Download Submit

      • memory/900-133-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/900-132-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/1804-130-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/1804-0-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/1804-15-0x0000000000400000-0x0000000000467000-memory.dmp

        Filesize

        412KB

        Download

      • memory/1804-13-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/1804-3-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/1804-2-0x0000000000400000-0x0000000000467000-memory.dmp

        Filesize

        412KB

        Download

      • memory/1804-304-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/1804-308-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/1904-305-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2920-17-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2920-16-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download