Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    100s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22/01/2025, 16:05

General

  • Target

    JaffaCakes118_0f3f2efc061b947417b5091581387037.exe

  • Size

    608KB

  • MD5

    0f3f2efc061b947417b5091581387037

  • SHA1

    83bc2c190a06cf743e20a1b9e78fcc3b4ef0dac4

  • SHA256

    9e3b6bfecefbae3e35de79a8b6ca392f5342e21b1057c6500a5dadba50bf21c6

  • SHA512

    cace34a948aeb8193819a112ceb8187f9786763948cb48b6e5541cf9cdbe9f8937f09e5d6878433003737833cc79185d587f1d7d60c92f602b04cba1297d66a1

  • SSDEEP

    12288:0BYDZJr1E+3JcdrXxE3Vq4Vcim38bJ6vKDn5gcPUbjC:0qF6+ydroLrJ6vKVgkUb

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

  • Cycbot family
  • Detects Cycbot payload 3 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Pony family
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Deletes itself 1 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 53 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • UPX packed file 22 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0f3f2efc061b947417b5091581387037.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0f3f2efc061b947417b5091581387037.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Users\Admin\aUY5E15SY8.exe
      C:\Users\Admin\aUY5E15SY8.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1480
      • C:\Users\Admin\dooex.exe
        "C:\Users\Admin\dooex.exe"
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2856
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del aUY5E15SY8.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2884
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2748
    • C:\Users\Admin\2nua.exe
      C:\Users\Admin\2nua.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3040
      • C:\Users\Admin\2nua.exe
        "C:\Users\Admin\2nua.exe"
        3⤵
        • Executes dropped EXE
        PID:2744
      • C:\Users\Admin\2nua.exe
        "C:\Users\Admin\2nua.exe"
        3⤵
        • Executes dropped EXE
        • Maps connected drives based on registry
        • Suspicious behavior: EnumeratesProcesses
        PID:2800
      • C:\Users\Admin\2nua.exe
        "C:\Users\Admin\2nua.exe"
        3⤵
        • Executes dropped EXE
        • Maps connected drives based on registry
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1744
      • C:\Users\Admin\2nua.exe
        "C:\Users\Admin\2nua.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:592
      • C:\Users\Admin\2nua.exe
        "C:\Users\Admin\2nua.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2012
    • C:\Users\Admin\3nua.exe
      C:\Users\Admin\3nua.exe
      2⤵
      • Modifies security service
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • System policy modification
      PID:1968
      • C:\Users\Admin\3nua.exe
        C:\Users\Admin\3nua.exe startC:\Users\Admin\AppData\Roaming\9D2AC\AA988.exe%C:\Users\Admin\AppData\Roaming\9D2AC
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:664
      • C:\Program Files (x86)\LP\88B9\8537.tmp
        "C:\Program Files (x86)\LP\88B9\8537.tmp"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2524
      • C:\Users\Admin\3nua.exe
        C:\Users\Admin\3nua.exe startC:\Program Files (x86)\AC91E\lvvm.exe%C:\Program Files (x86)\AC91E
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1152
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_0f3f2efc061b947417b5091581387037.exe
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1204
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2300
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2264
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1700
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x494
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\9D2AC\C91E.D2A

    Filesize

    300B

    MD5

    4f52db45bb822a084a42e607bee61727

    SHA1

    76f3a423191d0858491e2b831d67dca10f0dedc8

    SHA256

    eedb718fc65b26a1d1be776d85c871ed4d9af44bc665478587dc2f9c61a61321

    SHA512

    b3738308cf5d6c35c0628c5af30fc130316653234c03cea09034d5c32bd9a7cabf06b732d0f9e613cd1b30c956e1ee15476aab523514b92c73d9a8815498374c

  • C:\Users\Admin\AppData\Roaming\9D2AC\C91E.D2A

    Filesize

    600B

    MD5

    2cae1ba16a59d2c0fcba70647a5f8c49

    SHA1

    59cf2736122f58af8ebfc962dacd03999bbfe50d

    SHA256

    977e9765658930392d0846d18b759726d4bcbe75210ef213ff4a6ae658fbadf7

    SHA512

    a7f935084921bd5754134474cb378596692528143b9f11e1ae70ec5f5b5887f0a6f5ca7941e66e0c88f93aa6164a238f1ccc5128d258aad3d0a645837c6c3360

  • C:\Users\Admin\AppData\Roaming\9D2AC\C91E.D2A

    Filesize

    897B

    MD5

    c03ce0dad5bf40e1d44376ae1942f70f

    SHA1

    3316544ba14211a66036d2365ff145a50b286cf7

    SHA256

    b906b825a842287e2abb9f7bcbc7f49cab8eb8418e92ab6a458e0ecf0338bb52

    SHA512

    405cdebcb4e6004597bf2ad27963464e7efdb7dd77b33eda74e1a77b95230736f8a84d0716f61065c82f87eb6620ff39d2afa02ebeb024548a89936a9861af09

  • C:\Users\Admin\AppData\Roaming\9D2AC\C91E.D2A

    Filesize

    1KB

    MD5

    e696048017a756b5376846099cd362b8

    SHA1

    a9021227b034459f9fc204087ed2d8eda443c245

    SHA256

    af8bd37e5f5eaee3b2ba5e96dcb0f7e01e5fdaa005ad6952d7e01c93f6a756f5

    SHA512

    9f30fd8449d121763be32ad7d580b242d88bb2307aa830485bda48dacc2933c5d673fbda2ed394e5a8149d06dd8125cb2626db2a4afd30c4a7689ce9720b7478

  • \Program Files (x86)\LP\88B9\8537.tmp

    Filesize

    97KB

    MD5

    29c0a1942c5efa556fcf06cdb27e6b43

    SHA1

    1f4897b7091c159f7402237f093dd66419ef801b

    SHA256

    4f5a26e02022c8e480e3bba16fdbe3c9e19f95ccfded922fdb911403ef1ae0c4

    SHA512

    54389f2ec50d6447f89b15268f4daa3b9a6a0f7c0609648754eaeb6bd6e159c800f1f29f759bd56f42ab6249b246a95081d1e0e9fdd43e56ff2104a7ce458168

  • \Users\Admin\2nua.exe

    Filesize

    224KB

    MD5

    b64185be04a7c3882871c07358450544

    SHA1

    6dd00c5f29490e210639ac155e732f7c33e746af

    SHA256

    c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d

    SHA512

    604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21

  • \Users\Admin\3nua.exe

    Filesize

    273KB

    MD5

    0fcecac14065f03c4f83bf5ae6ac415b

    SHA1

    f71aa4708e16a2a3bf15e2a99cc0ce609b08769b

    SHA256

    79f4527215b4a213f69cf618440202131afa6eb61d2bc6046b718dd4b4ddb787

    SHA512

    49195c9f00c434228dd76151042dc03f7f87b77438734861face0f4ec40391649ed784aaf82b756113a55d55126c9b18c27e44d0c47ca75564ea079eed161003

  • \Users\Admin\aUY5E15SY8.exe

    Filesize

    208KB

    MD5

    380575fdf47f22e24cc214c89f098f9d

    SHA1

    5d5584fab3dc5267ffacfd4c331555f4f7703fb6

    SHA256

    04fc572ba5e2e941d3510ed1504cc04490c7f5ff3ec651e6c8ffd6645ef2e0c9

    SHA512

    70ce73ac9a14224c608e1ab60e21dd8bbd5ebcc8c75bb670c0861c8fc4a478965d39a450d32907ff90baa3a8a2fc9e50a9cc8d7385a330b373d3c9854cc8e7e2

  • \Users\Admin\dooex.exe

    Filesize

    208KB

    MD5

    94d4412154fc28de4202aa9824348c2b

    SHA1

    14a016ddc5096702f9e55a6d4b65e71b8d903073

    SHA256

    21c3dad4a1b0e37c207ec62cf49203dd20ab6128d6ae2c9cdbe653f7be622af7

    SHA512

    67ccea5a0445a19f9e52ef7ddf716b554bc4ecfc44256aebb0e00cc752a0e614c29571fa4b02ad8ea5acf65c9a5235e478df98c7dcbc4658932b321ba0ad5fb9

  • memory/592-91-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/592-71-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/592-69-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/592-68-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/592-74-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/592-76-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/592-77-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/664-172-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/1480-27-0x0000000003550000-0x000000000400A000-memory.dmp

    Filesize

    10.7MB

  • memory/1744-53-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/1744-64-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/1744-55-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/1744-57-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/1744-110-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/1744-62-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/1744-59-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/1744-66-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/1968-173-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/1968-106-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/1968-112-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2012-92-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/2012-89-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/2012-80-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/2012-82-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/2012-87-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/2012-97-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/2012-78-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/2744-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2800-108-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2800-45-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2800-48-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2800-50-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2800-51-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2800-52-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2800-43-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2800-41-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB