Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 140s
max time network: 120s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 23/01/2025, 15:05
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_1869d6cbccd41ba010a2ce06e850502a.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: JaffaCakes118_1869d6cbccd41ba010a2ce06e850502a.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_1869d6cbccd41ba010a2ce06e850502a.exe
Size: 280KB
MD5: 1869d6cbccd41ba010a2ce06e850502a
SHA1: 2e2298535d02752a39f5117deb9aa1f2bb5b66d9
SHA256: 89e0f2d55c98c3e4cf57b9c0b74de97165118d896d9ef43ac41651f7f6aacb6b
SHA512: 7eca6268c3979fcc9dd36aeb1a64d7974b8278f0dabb7df3601999dbd4612ffa240ede8644e231eeb7c7156ce67b7883fe9f23d6a1e8e413a7e352aaef5a96f0
SSDEEP: 6144:q8RX+921/Z3sr7xDP3KDdslpn7xqQ0Wt60vlOU0V/hF:/kwZZ8rRP3AEp7xqjWPlH0pr
Malware Config
Signatures

Cycbot family

Detects Cycbot payload (8 IoCs)
Cycbot is a backdoor and trojan written in C++.
resource | yara_rule
behavioral1/memory/2700-14-0x0000000000400000-0x000000000046C000-memory.dmp | family_cycbot
behavioral1/memory/2700-15-0x0000000000400000-0x000000000046C000-memory.dmp | family_cycbot
behavioral1/memory/1100-16-0x0000000000400000-0x0000000000469000-memory.dmp | family_cycbot
behavioral1/memory/1100-17-0x0000000000400000-0x000000000046C000-memory.dmp | family_cycbot
behavioral1/memory/3052-88-0x0000000000400000-0x000000000046C000-memory.dmp | family_cycbot
behavioral1/memory/1100-90-0x0000000000400000-0x000000000046C000-memory.dmp | family_cycbot
behavioral1/memory/1100-165-0x0000000000400000-0x000000000046C000-memory.dmp | family_cycbot
behavioral1/memory/1100-199-0x0000000000400000-0x000000000046C000-memory.dmp | family_cycbot

Modifies security service (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" | JaffaCakes118_1869d6cbccd41ba010a2ce06e850502a.exe

Pony family

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Disables taskbar notifications via registry modification

Executes dropped EXE (1 IoC)
pid | Process
2052 | ABA.tmp

Loads dropped DLL (2 IoCs)
pid | Process
1100 | JaffaCakes118_1869d6cbccd41ba010a2ce06e850502a.exe
1100 | JaffaCakes118_1869d6cbccd41ba010a2ce06e850502a.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files (1 TTP)
Steal credentials from unsecured files.

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\174.exe = "C:\\Program Files (x86)\\LP\\4347\\174.exe" | JaffaCakes118_1869d6cbccd41ba010a2ce06e850502a.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

resource | yara_rule
behavioral1/memory/1100-2-0x0000000000400000-0x000000000046C000-memory.dmp | upx
behavioral1/memory/2700-14-0x0000000000400000-0x000000000046C000-memory.dmp | upx
behavioral1/memory/2700-15-0x0000000000400000-0x000000000046C000-memory.dmp | upx
behavioral1/memory/1100-16-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral1/memory/1100-17-0x0000000000400000-0x000000000046C000-memory.dmp | upx
behavioral1/memory/2700-86-0x0000000000400000-0x000000000046C000-memory.dmp | upx
behavioral1/memory/3052-89-0x0000000000400000-0x000000000046C000-memory.dmp | upx
behavioral1/memory/3052-88-0x0000000000400000-0x000000000046C000-memory.dmp | upx
behavioral1/memory/1100-90-0x0000000000400000-0x000000000046C000-memory.dmp | upx
behavioral1/memory/1100-165-0x0000000000400000-0x000000000046C000-memory.dmp | upx
behavioral1/memory/1100-199-0x0000000000400000-0x000000000046C000-memory.dmp | upx

Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\LP\4347\174.exe | JaffaCakes118_1869d6cbccd41ba010a2ce06e850502a.exe
File created | C:\Program Files (x86)\LP\4347\174.exe | JaffaCakes118_1869d6cbccd41ba010a2ce06e850502a.exe
File opened for modification | C:\Program Files (x86)\LP\4347\ABA.tmp | JaffaCakes118_1869d6cbccd41ba010a2ce06e850502a.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_1869d6cbccd41ba010a2ce06e850502a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_1869d6cbccd41ba010a2ce06e850502a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ABA.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_1869d6cbccd41ba010a2ce06e850502a.exe

Modifies registry class (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid | Process
1100 | JaffaCakes118_1869d6cbccd41ba010a2ce06e850502a.exe (this entry is repeated 14 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1876 | explorer.exe

Suspicious use of AdjustPrivilegeToken (15 IoCs)
description | pid | Process
Token: SeRestorePrivilege | 2232 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2232 | msiexec.exe
Token: SeSecurityPrivilege | 2232 | msiexec.exe
Token: SeShutdownPrivilege | 1876 | explorer.exe (this entry is repeated 12 times)

Suspicious use of FindShellTrayWindow (28 IoCs)
pid | Process
1876 | explorer.exe (this entry is repeated 28 times)

Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
1876 | explorer.exe (this entry is repeated 18 times)

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 1100 wrote to memory of 2700 | 1100 | JaffaCakes118_1869d6cbccd41ba010a2ce06e850502a.exe | 30 (this entry is repeated 4 times)
PID 1100 wrote to memory of 3052 | 1100 | JaffaCakes118_1869d6cbccd41ba010a2ce06e850502a.exe | 32 (this entry is repeated 4 times)
PID 1100 wrote to memory of 2052 | 1100 | JaffaCakes118_1869d6cbccd41ba010a2ce06e850502a.exe | 35 (this entry is repeated 4 times)

System policy modification (1 TTP, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | JaffaCakes118_1869d6cbccd41ba010a2ce06e850502a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | JaffaCakes118_1869d6cbccd41ba010a2ce06e850502a.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1869d6cbccd41ba010a2ce06e850502a.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1869d6cbccd41ba010a2ce06e850502a.exe"
PID: 1100
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification

    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1869d6cbccd41ba010a2ce06e850502a.exe (depth 2, child of PID 1100)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1869d6cbccd41ba010a2ce06e850502a.exe startC:\Users\Admin\AppData\Roaming\74FA2\36143.exe%C:\Users\Admin\AppData\Roaming\74FA2
    PID: 2700
    - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1869d6cbccd41ba010a2ce06e850502a.exe (depth 2, child of PID 1100)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1869d6cbccd41ba010a2ce06e850502a.exe startC:\Program Files (x86)\A2B24\lvvm.exe%C:\Program Files (x86)\A2B24
    PID: 3052
    - System Location Discovery: System Language Discovery

    C:\Program Files (x86)\LP\4347\ABA.tmp (depth 2, child of PID 1100)
    Command line: "C:\Program Files (x86)\LP\4347\ABA.tmp"
    PID: 2052
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

C:\Windows\system32\msiexec.exe (depth 1)
Command line: C:\Windows\system32\msiexec.exe /V
PID: 2232
- Suspicious use of AdjustPrivilegeToken

C:\Windows\explorer.exe (depth 1)
Command line: explorer.exe
PID: 1876
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (3)
  - Credentials In Files (3)
Downloads