Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 141s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
- submitted: 27/01/2025, 22:43
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_445935e8d4c5f152a7b8ca19d7834a24.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_445935e8d4c5f152a7b8ca19d7834a24.exe
Resource
win10v2004-20241007-en
General
- Target: JaffaCakes118_445935e8d4c5f152a7b8ca19d7834a24.exe
- Size: 285KB
- MD5: 445935e8d4c5f152a7b8ca19d7834a24
- SHA1: 4b6aa2b403769bfa48ac2852ed9df8c5a56baf04
- SHA256: 6ad56abd94ebaf4c32e2d3c3558c375e5ed0d5c96b4195817695defd8052ea0a
- SHA512: 1292afcb09be678cba33e8465bc47b244c84c1a82ce61d0f81b9c5223457596dc27c07e6899788df33b2d970f1fa478f899027216ba2578815ef1d89f34358af
- SSDEEP: 6144:k2m8z+xMfMCTWxjjRN0ueonKyMohMh0AvzVnVQrSH15i:Y8z+xMfMCixhSchMh3vpnOO
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 7 IoCs
Cycbot is a backdoor and trojan written in C++.
resource | yara_rule
behavioral1/memory/2248-11-0x0000000000400000-0x000000000046B000-memory.dmp | family_cycbot
behavioral1/memory/2248-14-0x0000000000400000-0x0000000000468000-memory.dmp | family_cycbot
behavioral1/memory/2360-17-0x0000000000400000-0x000000000046B000-memory.dmp | family_cycbot
behavioral1/memory/2248-133-0x0000000000400000-0x000000000046B000-memory.dmp | family_cycbot
behavioral1/memory/2952-137-0x0000000000400000-0x000000000046B000-memory.dmp | family_cycbot
behavioral1/memory/2248-308-0x0000000000400000-0x000000000046B000-memory.dmp | family_cycbot
behavioral1/memory/2248-312-0x0000000000400000-0x000000000046B000-memory.dmp | family_cycbot
Modifies security service 2 TTPs 1 IoCs
Sets the Start value of the Windows Security Center service (wscsvc) to 3 (SERVICE_DEMAND_START), so the service no longer starts automatically at boot.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" | JaffaCakes118_445935e8d4c5f152a7b8ca19d7834a24.exe
Pony family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
pid | Process
2152 | 6384.tmp
Loads dropped DLL 2 IoCs
pid | Process
2248 | JaffaCakes118_445935e8d4c5f152a7b8ca19d7834a24.exe
2248 | JaffaCakes118_445935e8d4c5f152a7b8ca19d7834a24.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BDB.exe = "C:\\Program Files (x86)\\LP\\DCB2\\BDB.exe" | JaffaCakes118_445935e8d4c5f152a7b8ca19d7834a24.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
resource | yara_rule
behavioral1/memory/2248-2-0x0000000000400000-0x000000000046B000-memory.dmp | upx
behavioral1/memory/2248-11-0x0000000000400000-0x000000000046B000-memory.dmp | upx
behavioral1/memory/2248-14-0x0000000000400000-0x0000000000468000-memory.dmp | upx
behavioral1/memory/2360-15-0x0000000000400000-0x000000000046B000-memory.dmp | upx
behavioral1/memory/2360-17-0x0000000000400000-0x000000000046B000-memory.dmp | upx
behavioral1/memory/2248-133-0x0000000000400000-0x000000000046B000-memory.dmp | upx
behavioral1/memory/2952-136-0x0000000000400000-0x000000000046B000-memory.dmp | upx
behavioral1/memory/2952-137-0x0000000000400000-0x000000000046B000-memory.dmp | upx
behavioral1/memory/2248-308-0x0000000000400000-0x000000000046B000-memory.dmp | upx
behavioral1/memory/2248-312-0x0000000000400000-0x000000000046B000-memory.dmp | upx
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\LP\DCB2\6384.tmp | JaffaCakes118_445935e8d4c5f152a7b8ca19d7834a24.exe
File created | C:\Program Files (x86)\LP\DCB2\BDB.exe | JaffaCakes118_445935e8d4c5f152a7b8ca19d7834a24.exe
File opened for modification | C:\Program Files (x86)\LP\DCB2\BDB.exe | JaffaCakes118_445935e8d4c5f152a7b8ca19d7834a24.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_445935e8d4c5f152a7b8ca19d7834a24.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_445935e8d4c5f152a7b8ca19d7834a24.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_445935e8d4c5f152a7b8ca19d7834a24.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6384.tmp
Modifies registry class 5 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process
2248 | JaffaCakes118_445935e8d4c5f152a7b8ca19d7834a24.exe (14 identical entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1368 explorer.exe -
Suspicious use of AdjustPrivilegeToken 15 IoCs
description | pid | Process
Token: SeRestorePrivilege | 1060 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1060 | msiexec.exe
Token: SeSecurityPrivilege | 1060 | msiexec.exe
Token: SeShutdownPrivilege | 1368 | explorer.exe (12 identical entries)
Suspicious use of FindShellTrayWindow 28 IoCs
pid | Process
1368 | explorer.exe (28 identical entries)
Suspicious use of SendNotifyMessage 22 IoCs
pid | Process
1368 | explorer.exe (22 identical entries)
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2248 wrote to memory of 2360 | 2248 | JaffaCakes118_445935e8d4c5f152a7b8ca19d7834a24.exe | 32 (4 identical entries)
PID 2248 wrote to memory of 2952 | 2248 | JaffaCakes118_445935e8d4c5f152a7b8ca19d7834a24.exe | 34 (4 identical entries)
PID 2248 wrote to memory of 2152 | 2248 | JaffaCakes118_445935e8d4c5f152a7b8ca19d7834a24.exe | 37 (4 identical entries)
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | JaffaCakes118_445935e8d4c5f152a7b8ca19d7834a24.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | JaffaCakes118_445935e8d4c5f152a7b8ca19d7834a24.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_445935e8d4c5f152a7b8ca19d7834a24.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_445935e8d4c5f152a7b8ca19d7834a24.exe"
  - Modifies security service
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2248
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_445935e8d4c5f152a7b8ca19d7834a24.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_445935e8d4c5f152a7b8ca19d7834a24.exe startC:\Users\Admin\AppData\Roaming\2B29A\1F0DC.exe%C:\Users\Admin\AppData\Roaming\2B29A
    - System Location Discovery: System Language Discovery
    PID:2360
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_445935e8d4c5f152a7b8ca19d7834a24.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_445935e8d4c5f152a7b8ca19d7834a24.exe startC:\Program Files (x86)\9A50D\lvvm.exe%C:\Program Files (x86)\9A50D
    - System Location Discovery: System Language Discovery
    PID:2952
  - C:\Program Files (x86)\LP\DCB2\6384.tmp
    Command line: "C:\Program Files (x86)\LP\DCB2\6384.tmp"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2152
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\explorer.exe
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1368
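The registry and process-tree IoCs above (wscsvc Start=3, HideSCAHealth=1, the Wow6432Node Run key pointing into Program Files (x86)\LP, the Active Setup key, the self re-launch with a "start<path>%<dir>" argument, and the dropped 6384.tmp being executed) can be turned into host-side triage checks. The following is an added example, not part of this tria.ge report and not the sandbox's own signature code. The event records are constructed to mirror the IoCs listed above so the script runs offline, and the dict field names (op, path, value, image, parent_image, cmdline) are an assumed schema rather than any EDR vendor's format.

```python
"""Triage checks derived from the behaviours this report lists.

Added example, not part of the tria.ge report. Event records are CONSTRUCTED
from the report's IoCs; the field names (op, path, value, image, parent_image,
cmdline) are an assumed schema, not a real EDR/Sysmon format.
"""
import re

# Registry locations from the report, compared after normalise() strips the
# \REGISTRY\MACHINE or \REGISTRY\USER\<SID> prefix and lower-cases the path.
WSCSVC_START = r"system\controlset001\services\wscsvc\start"
HIDE_SCA_HEALTH = (r"software\microsoft\windows\currentversion\policies"
                   r"\explorer\hidescahealth")
RUN_KEY_RE = re.compile(r"software\\(wow6432node\\)?microsoft\\windows"
                        r"\\currentversion\\run\\")
ACTIVE_SETUP_RE = re.compile(r"software\\microsoft\\active setup\\installed components")
# "<self>.exe start<path>.exe%<dir>": the re-launch pattern in the process tree.
SELF_START_RE = re.compile(r"^(?P<image>\S+\.exe)\s+start\s*(?P<target>\S+?)%(?P<dir>\S+)$", re.I)
# Binary dropped under Program Files (x86)\LP\<hex>\ and executed from there.
DROPPED_RE = re.compile(r"^c:\\program files \(x86\)\\lp\\[0-9a-f]+\\[0-9a-f]+\.(tmp|exe)$", re.I)


def normalise(path):
    """Lower-case a registry path and drop hive prefixes and per-user SIDs."""
    p = path.lower()
    for prefix in ("\\registry\\machine\\", "\\registry\\user\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
            break
    return re.sub(r"^s-1-5-21(-\d+){4}(_classes)?\\", "", p)


def check_registry_event(ev):
    """Return (severity, message) findings for one registry event; [] if none."""
    out = []
    path = normalise(ev["path"])
    # Start=3 is SERVICE_DEMAND_START, 4 is SERVICE_DISABLED; either keeps the
    # Security Center service from coming up on its own.
    if path == WSCSVC_START and str(ev.get("value")) in ("3", "4"):
        out.append(("high", "wscsvc Start=%s: Security Center not auto-started" % ev["value"]))
    if path == HIDE_SCA_HEALTH and str(ev.get("value")) == "1":
        out.append(("high", "HideSCAHealth=1 hides Security Center tray alerts"))
    if ev.get("op") == "set" and RUN_KEY_RE.search(path):
        target = str(ev.get("value", "")).lower()
        if "\\program files (x86)\\" in target or "\\appdata\\" in target:
            out.append(("high", "Run key autostart for %s" % ev["value"]))
    if ev.get("op") == "create" and ACTIVE_SETUP_RE.search(path):
        # explorer.exe itself touches this key, so alone this is a weak signal.
        out.append(("low", "Active Setup Installed Components key created by %s" % ev["image"]))
    return out


def check_process_event(ev):
    """Return (severity, message) findings for one process-creation event."""
    out = []
    m = SELF_START_RE.match(ev["cmdline"])
    if m and m.group("image").lower() == ev["parent_image"].lower() == ev["image"].lower():
        out.append(("high", "self re-launch with start<path>%%<dir>: %s" % m.group("target")))
    if DROPPED_RE.match(ev["image"]):
        out.append(("medium", "execution of dropped file %s" % ev["image"]))
    return out


def triage(events):
    """Route each event to the matching checker and collect all findings."""
    findings = []
    for ev in events:
        checker = check_registry_event if "path" in ev else check_process_event
        findings.extend(checker(ev))
    return findings


# CONSTRUCTED events modelled on the report's IoCs, plus two benign controls.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_445935e8d4c5f152a7b8ca19d7834a24.exe"
EVENTS = [
    {"op": "set", "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start",
     "value": 3, "image": SAMPLE},
    {"op": "set", "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth",
     "value": 1, "image": SAMPLE},
    {"op": "set", "path": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BDB.exe",
     "value": r"C:\Program Files (x86)\LP\DCB2\BDB.exe", "image": SAMPLE},
    {"op": "create", "path": r"\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Active Setup\Installed Components",
     "image": r"C:\Windows\explorer.exe"},
    {"op": "create", "path": r"\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings",
     "image": r"C:\Windows\explorer.exe"},  # benign control: ordinary shell bag key
    {"image": SAMPLE, "parent_image": SAMPLE,
     "cmdline": SAMPLE + r" startC:\Users\Admin\AppData\Roaming\2B29A\1F0DC.exe%C:\Users\Admin\AppData\Roaming\2B29A"},
    {"image": r"C:\Program Files (x86)\LP\DCB2\6384.tmp", "parent_image": SAMPLE,
     "cmdline": r'"C:\Program Files (x86)\LP\DCB2\6384.tmp"'},
    {"image": r"C:\Windows\system32\msiexec.exe", "parent_image": r"C:\Windows\system32\services.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},  # benign control: MSI service start
]

if __name__ == "__main__":
    for sev, msg in triage(EVENTS):
        print(sev.upper(), msg)
```

Running the script against the constructed events yields six findings: four high (wscsvc, HideSCAHealth, Run key, self re-launch), one medium (6384.tmp executed) and one low (Active Setup key), while the two benign control events produce nothing. The Active Setup check is deliberately rated low because the report attributes that key creation to explorer.exe, which writes there during normal shell use; it only becomes interesting alongside the other findings.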
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (3)
  - Credentials In Files (3)
Downloads
-
Filesize: 996B
MD5: 49caf09ac17dcd9b8050c1f911a23976
SHA1: d624e3dce8868610470c5869367bf969d1bf82c5
SHA256: 2d279a7f26d024adf94e15e2c70484e4317755aaf146e15c3b9f992f8d2e3e9c
SHA512: f246e7864bf363aa9e4d8e303f595b4d04fff0113650af4e6f260c83bd2982ade49bd6962dee1e4b13927a888a558d2cd6bafc0cf472ad666fd8cf4bb5dd8033
-
Filesize: 600B
MD5: 50a31b389910a42abefa11a1c5ffcf41
SHA1: 6b2f21bf2eeef5f3c02577f2cd15f27b3b9f1098
SHA256: 4d1c821d952c395f30ba78243fddacc0d93f257e61f90f0daedd7125d6921429
SHA512: 3a369c3b9b2b1f3eafe08a3bcda37bc321b8cd68333feede906d20cc4b62884faf1cdada427e823235d4c3f51fa9a400ce047e25137870d8d6640a8b597a1a07
-
Filesize: 1KB
MD5: d9c6c179b14ee44334636976ded729b9
SHA1: 07d382236f6f4efb553eabee964ce830bdfdd983
SHA256: 4c726ced286daa6aa9ef1193dbee62aa87f5421e94049f1574b4b42a7424f1b2
SHA512: fa20e5f3576e7576fda66fb56c3bdd9b2bef1f895a0d93f031823e2c116acb2ba705fa830654224daef66cc48eb885a60f10db51b0fd9d53fb37fe6f3592b73a
-
Filesize: 300B
MD5: d7fc3a5cd8cf23de82f1954a14c878c3
SHA1: 7fa8b7f748d5a407d2e4893816f345638e58c6df
SHA256: bbc11446232e0d7a57d8828c447e2ad2089fefb26ca72b9e1ec326bae721725c
SHA512: b4a8cbf18103f8aee14d50a42091b2ec3dd251f13b3b826ee62ba22b11e9f7294a28db3a6a322403e3ccd9c71e17d938af492da8ea62351656e4c253f818f6d2
-
Filesize: 99KB
MD5: e30776fd4c002156aa05dcbe4157fc63
SHA1: 77dc074bfc544251555ded2ad9ec741e7b88babe
SHA256: e115c9b0524257ca624e0123ebb7cbe77cf09edb33bfed015038e95b94a8e1c8
SHA512: cecac46a434ef0ddafe78252ee0b38607cd0c10f83f658f4b3259d5cf8c3779fc5cf8facbf9cfb0e218f7c67dc8baff27c4f5349bacda8bf21e212a3c47e4dbf