Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
22/01/2025, 23:39
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
-
Size
314KB
-
MD5
11fa3d2a79204be85855d65b269533bf
-
SHA1
4b0d0e9f31cab8d907dd9f0f88e6d5235badbef4
-
SHA256
77d59c32ed5adbfdc7ced9dd6438bd787af7ad69ac6e6ba53726893d7cdf0a80
-
SHA512
6e1d3cd65857bb31528b2d8961320b86479e6b02eb633c23ac2ef86add295aa780dbd7cbd5d8ec9375d6d797f3a280f7b012d1a4d97f714a1d2915c2ca8cd90f
-
SSDEEP
6144:z/L3iwgsfDSMj41UKL6dkONAAFPocl1m0wn83OFLOwLOu:z/ngsrSMkJLtSNFgcl1m0w8+x
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 8 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral1/memory/1624-4-0x0000000000400000-0x000000000046C000-memory.dmp family_cycbot behavioral1/memory/1624-5-0x0000000000400000-0x0000000000469000-memory.dmp family_cycbot behavioral1/memory/864-18-0x0000000000400000-0x000000000046C000-memory.dmp family_cycbot behavioral1/memory/1624-19-0x0000000000400000-0x000000000046C000-memory.dmp family_cycbot behavioral1/memory/2612-181-0x0000000000400000-0x000000000046C000-memory.dmp family_cycbot behavioral1/memory/1624-183-0x0000000000400000-0x000000000046C000-memory.dmp family_cycbot behavioral1/memory/1624-292-0x0000000000400000-0x000000000046C000-memory.dmp family_cycbot behavioral1/memory/1624-294-0x0000000000400000-0x000000000046C000-memory.dmp family_cycbot -
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe -
Pony family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
pid Process 1924 361E.tmp -
Loads dropped DLL 2 IoCs
pid Process 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\826.exe = "C:\\Program Files (x86)\\LP\\B669\\826.exe" JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
resource yara_rule behavioral1/memory/1624-3-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/1624-4-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/1624-5-0x0000000000400000-0x0000000000469000-memory.dmp upx behavioral1/memory/864-18-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/1624-19-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/2612-181-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/1624-183-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/1624-292-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/1624-294-0x0000000000400000-0x000000000046C000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\LP\B669\826.exe JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe File opened for modification C:\Program Files (x86)\LP\B669\361E.tmp JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe File created C:\Program Files (x86)\LP\B669\826.exe JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 361E.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2988 explorer.exe -
Suspicious use of AdjustPrivilegeToken 15 IoCs
description pid Process Token: SeRestorePrivilege 684 msiexec.exe Token: SeTakeOwnershipPrivilege 684 msiexec.exe Token: SeSecurityPrivilege 684 msiexec.exe Token: SeShutdownPrivilege 2988 explorer.exe Token: SeShutdownPrivilege 2988 explorer.exe Token: SeShutdownPrivilege 2988 explorer.exe Token: SeShutdownPrivilege 2988 explorer.exe Token: SeShutdownPrivilege 2988 explorer.exe Token: SeShutdownPrivilege 2988 explorer.exe Token: SeShutdownPrivilege 2988 explorer.exe Token: SeShutdownPrivilege 2988 explorer.exe Token: SeShutdownPrivilege 2988 explorer.exe Token: SeShutdownPrivilege 2988 explorer.exe Token: SeShutdownPrivilege 2988 explorer.exe Token: SeShutdownPrivilege 2988 explorer.exe -
Suspicious use of FindShellTrayWindow 28 IoCs
pid Process 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1624 wrote to memory of 864 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe 33 PID 1624 wrote to memory of 864 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe 33 PID 1624 wrote to memory of 864 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe 33 PID 1624 wrote to memory of 864 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe 33 PID 1624 wrote to memory of 1924 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe 36 PID 1624 wrote to memory of 1924 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe 36 PID 1624 wrote to memory of 1924 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe 36 PID 1624 wrote to memory of 1924 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe 36 PID 1624 wrote to memory of 2612 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe 37 PID 1624 wrote to memory of 2612 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe 37 PID 1624 wrote to memory of 2612 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe 37 PID 1624 wrote to memory of 2612 1624 JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe 37 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1624 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe startC:\Users\Admin\AppData\Roaming\923A1\FBEB6.exe%C:\Users\Admin\AppData\Roaming\923A12⤵
- System Location Discovery: System Language Discovery
PID:864
-
-
C:\Program Files (x86)\LP\B669\361E.tmp"C:\Program Files (x86)\LP\B669\361E.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1924
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe startC:\Program Files (x86)\A1E2F\lvvm.exe%C:\Program Files (x86)\A1E2F2⤵
- System Location Discovery: System Language Discovery
PID:2612
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:684
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2988
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD50cabe0edff7028ef1ef6ec2769a7fa4f
SHA1e381f7bda44a3274eeffc363b1a18ef54f8b5f2b
SHA256f13d1390b04e05b926f6790f47974fe8e360c3e2ff1008f2509e52f49f141554
SHA5121e350b4c4f4571640c93052ed6ddbecd5cb8024015c4477bcc124b7e9dda3d151b47dec43e0ee749d30fedc6999ac14ef74aead947115c69049f3689522a1869
-
Filesize
600B
MD549643fc97c84f88bffe0ad040f953fd9
SHA1ecc019987b13b5b87dc433d34bb91d2babff1a95
SHA256ee0aa3c9b7baff907c9d3336366e04f0e4b7f63bc4bd0025472005e46d2fdf8c
SHA5124d12d026d682cbedf81180770e211090d71d40a56491922273b0da307687cae9d18befbfee811da357407fdfc9562a92e1a26ed65d452349303677d92dd6fee0
-
Filesize
1KB
MD575a67549735b9d85f07e36a74e20eee4
SHA10d68f11c98ecdf3b1e058eed28970b84751410e7
SHA25642c43f43c2ab756449aaced2dceb470f26d80af7ce1c023f7ab37e4bf3a52270
SHA512d36132f02f95e7955128f91e23f60ed130054b728f31a432a94653cfa7890d39e5a645d99339d49da9de7d07f1a26c4a33cf5f28a7b7c577b4a56d14b10cc95d
-
Filesize
897B
MD51b93e829ad58df01247545d3bbcba237
SHA120199f3afa00e4521de5d7cabde4d5474379e2be
SHA256417726a2a2ade76749bccbebf5a1f1544a2566c4c61ed19a7af376638204c55b
SHA512c8a23c9bda734d5714e1d3a8f3c62d1835859bb46e2e5b48b23a46dcffa4f00cb43b03b205e12a63ad5d318554c6f14850c80c82d7598b021cd26b2cdf4096eb
-
Filesize
107KB
MD5ebec172b21c1a8032a34cbaee1517f52
SHA1a34b5c4cded0d80e9ced4fb9b33ecb142060de55
SHA2564972245901de570e2f6db848ac371d3aa85676596698611f2349758cd9765353
SHA512e8517f20a836d95815e4d4fe7100cc9ae8cc13e8ab23f7b3f44525742b9552aff5a24948c05ff95cf232c854bd05756271211685583a9e01451d12e256951ff9