Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JaffaCakes...d5.exe

windows7-x64

10

JaffaCakes...d5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21/01/2025, 23:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_084dc5d64c729ed673a9cd5bf7cd8ad5.exe

  • Size

    608KB

  • MD5

    084dc5d64c729ed673a9cd5bf7cd8ad5

  • SHA1

    4f529f9624faf190b646c4db0f1f50031ff8b2fc

  • SHA256

    2ec6e368fc0d001c20d0e64a24bac26dfdfea0a96d15b417d06f726c969aa034

  • SHA512

    e7ea902f13d3c9108dbf96c7dc29c0ad67c8fdca96abcec4ff5557b4206fb2a83bd6ad8557ed0f24dbfb60345693452e29e7634486e4eb113abb51286118c26a

  • SSDEEP

    12288:+BYDZJr1E+3JcdrXxE3Vq4Vcim38bJ6vKDn5gcPUbjC:+qF6+ydroLrJ6vKVgkUb

Score
10/10
cycbotponybackdoorcredential_accessdefense_evasiondiscoverypersistenceratspywarestealerupx

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

    backdoorratcycbot
  • Cycbot family
    cycbot
  • Detects Cycbot payload 4 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
    defense_evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    defense_evasion
  • Pony family
    pony
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables taskbar notifications via registry modification
    defense_evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Adds Run key to start application 2 TTPs 53 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of SetThreadContext 5 IoCs
  • UPX packed file 23 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_084dc5d64c729ed673a9cd5bf7cd8ad5.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_084dc5d64c729ed673a9cd5bf7cd8ad5.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:604
    • C:\Users\Admin\aUY5E15SY8.exe
      C:\Users\Admin\aUY5E15SY8.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Users\Admin\voexee.exe
        "C:\Users\Admin\voexee.exe"
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:484
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del aUY5E15SY8.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2260
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2948
    • C:\Users\Admin\2nua.exe
      C:\Users\Admin\2nua.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Users\Admin\2nua.exe
        "C:\Users\Admin\2nua.exe"
        3⤵
        • Executes dropped EXE
        PID:2836
      • C:\Users\Admin\2nua.exe
        "C:\Users\Admin\2nua.exe"
        3⤵
        • Executes dropped EXE
        • Maps connected drives based on registry
        • Suspicious behavior: EnumeratesProcesses
        PID:2768
      • C:\Users\Admin\2nua.exe
        "C:\Users\Admin\2nua.exe"
        3⤵
        • Executes dropped EXE
        • Maps connected drives based on registry
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2684
      • C:\Users\Admin\2nua.exe
        "C:\Users\Admin\2nua.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1572
      • C:\Users\Admin\2nua.exe
        "C:\Users\Admin\2nua.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1484
    • C:\Users\Admin\3nua.exe
      C:\Users\Admin\3nua.exe
      2⤵
      • Modifies security service
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • System policy modification
      PID:2540
      • C:\Users\Admin\3nua.exe
        C:\Users\Admin\3nua.exe startC:\Users\Admin\AppData\Roaming\92871\8D33C.exe%C:\Users\Admin\AppData\Roaming\92871
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:908
      • C:\Users\Admin\3nua.exe
        C:\Users\Admin\3nua.exe startC:\Program Files (x86)\71B64\lvvm.exe%C:\Program Files (x86)\71B64
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3048
      • C:\Program Files (x86)\LP\3CD9\7B38.tmp
        "C:\Program Files (x86)\LP\3CD9\7B38.tmp"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1820
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_084dc5d64c729ed673a9cd5bf7cd8ad5.exe
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1940
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1316
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3012
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

5
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Query Registry

3
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\92871\1B64.287
    Filesize

    600B

    MD5

    2a93a26667ac1999cc33256ee6f2f945

    SHA1

    2b10bd2f22e7f49f24f9eb102c36b3a3a3afb21b

    SHA256

    9f8b9127d8e9dbb35f418645b736ce1a87a413b26824bb8964d2f750db68eb7b

    SHA512

    19e8419dffa7f805862973a09eb1dada71da21f52bb492e627b0f08dc7821ef5094e9042ff23c71b540a3297e3929f1f2da384328587db3158c7080a817e1d85

    Download Submit

  • C:\Users\Admin\AppData\Roaming\92871\1B64.287
    Filesize

    996B

    MD5

    e1520f48cf5e1d4106043e54fb1f5b4e

    SHA1

    9cf7f4fe8b6be10d649958f2eff386355aadf247

    SHA256

    3153ab1eca1b6c02291c3087453e91b1018f5b2150cddd65e805cfd2c272abfb

    SHA512

    28df2272836c00730f20f55e041c68352998702ebdd4b668996dfd40b048572737357fdba3ec8bd3e0154993fe51e1e371a37d654058ac56649275fb700b17c0

    Download Submit

  • \Program Files (x86)\LP\3CD9\7B38.tmp
    Filesize

    97KB

    MD5

    29c0a1942c5efa556fcf06cdb27e6b43

    SHA1

    1f4897b7091c159f7402237f093dd66419ef801b

    SHA256

    4f5a26e02022c8e480e3bba16fdbe3c9e19f95ccfded922fdb911403ef1ae0c4

    SHA512

    54389f2ec50d6447f89b15268f4daa3b9a6a0f7c0609648754eaeb6bd6e159c800f1f29f759bd56f42ab6249b246a95081d1e0e9fdd43e56ff2104a7ce458168

    Download Submit

  • \Users\Admin\2nua.exe
    Filesize

    224KB

    MD5

    b64185be04a7c3882871c07358450544

    SHA1

    6dd00c5f29490e210639ac155e732f7c33e746af

    SHA256

    c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d

    SHA512

    604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21

    Download Submit

  • \Users\Admin\3nua.exe
    Filesize

    273KB

    MD5

    0fcecac14065f03c4f83bf5ae6ac415b

    SHA1

    f71aa4708e16a2a3bf15e2a99cc0ce609b08769b

    SHA256

    79f4527215b4a213f69cf618440202131afa6eb61d2bc6046b718dd4b4ddb787

    SHA512

    49195c9f00c434228dd76151042dc03f7f87b77438734861face0f4ec40391649ed784aaf82b756113a55d55126c9b18c27e44d0c47ca75564ea079eed161003

    Download Submit

  • \Users\Admin\aUY5E15SY8.exe
    Filesize

    208KB

    MD5

    380575fdf47f22e24cc214c89f098f9d

    SHA1

    5d5584fab3dc5267ffacfd4c331555f4f7703fb6

    SHA256

    04fc572ba5e2e941d3510ed1504cc04490c7f5ff3ec651e6c8ffd6645ef2e0c9

    SHA512

    70ce73ac9a14224c608e1ab60e21dd8bbd5ebcc8c75bb670c0861c8fc4a478965d39a450d32907ff90baa3a8a2fc9e50a9cc8d7385a330b373d3c9854cc8e7e2

    Download Submit

  • \Users\Admin\voexee.exe
    Filesize

    208KB

    MD5

    c3080015f7d8b274a92b70f405ac2721

    SHA1

    ccbb1d1aae982836994041d1d6bd2d9738474f94

    SHA256

    394433a11ce359a56c74c3b833fe430d0f82b32f6c23fa752895d9597e0cd18b

    SHA512

    cf85aa2c2131f10f42a0354916452ae53e6d22a95903223ebc9add927460145d8fe0ff69de16590469c23bf6e616330ade77faa6a325c4c3163b255b118b2f3c

    Download Submit

  • memory/604-107-0x0000000002B70000-0x000000000362A000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/908-126-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/1484-91-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1484-77-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1484-90-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1484-87-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1484-75-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1484-73-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1484-96-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1572-69-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1572-65-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1572-83-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1572-81-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1572-67-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1572-72-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1572-120-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2540-105-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2540-124-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2540-239-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2684-52-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2684-80-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2684-63-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2684-59-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2684-60-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2684-54-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2684-56-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2684-122-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2768-42-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2768-108-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2768-40-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2768-44-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2768-47-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2768-49-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2768-50-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2768-51-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2836-38-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3048-241-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download