Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
31/01/2025, 12:10
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe
Resource
win10v2004-20250129-en
General
-
Target
JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe
-
Size
277KB
-
MD5
6a0efaa787d3b403622b508331f2f9fe
-
SHA1
477ba873e56f7d5adfe2075973e8b5d26b5e2019
-
SHA256
d1d8a6ef0f375d70020d67e679c5fd825b11124062f0b392d38b031a59a01be5
-
SHA512
ea025631b0d85084a5cdecb818f1e68258fdb2509a64c6249826874fa8c28ca4233a1915eee916814e4c4c883d14d3635a9b54e4be6afc7558810c4888f08afe
-
SSDEEP
6144:bubGlQoudUDM7rFMNCOt2QighaWWjBsbeEMpxeRaVS3ne6RiGR:6bqQoRtE1KyBnEMpsuyn5T
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 6 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral1/memory/2520-11-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot behavioral1/memory/840-13-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot behavioral1/memory/2520-130-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot behavioral1/memory/656-132-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot behavioral1/memory/2520-315-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot behavioral1/memory/2520-319-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot -
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe -
Pony family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
pid Process 564 21F2.tmp -
Loads dropped DLL 2 IoCs
pid Process 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BF8.exe = "C:\\Program Files (x86)\\LP\\43C1\\BF8.exe" JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
resource yara_rule behavioral1/memory/2520-11-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/840-13-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2520-130-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/656-132-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2520-315-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2520-319-0x0000000000400000-0x000000000046A000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\LP\43C1\BF8.exe JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe File opened for modification C:\Program Files (x86)\LP\43C1\BF8.exe JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe File opened for modification C:\Program Files (x86)\LP\43C1\21F2.tmp JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 21F2.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1240 explorer.exe -
Suspicious use of AdjustPrivilegeToken 15 IoCs
description pid Process Token: SeRestorePrivilege 2688 msiexec.exe Token: SeTakeOwnershipPrivilege 2688 msiexec.exe Token: SeSecurityPrivilege 2688 msiexec.exe Token: SeShutdownPrivilege 1240 explorer.exe Token: SeShutdownPrivilege 1240 explorer.exe Token: SeShutdownPrivilege 1240 explorer.exe Token: SeShutdownPrivilege 1240 explorer.exe Token: SeShutdownPrivilege 1240 explorer.exe Token: SeShutdownPrivilege 1240 explorer.exe Token: SeShutdownPrivilege 1240 explorer.exe Token: SeShutdownPrivilege 1240 explorer.exe Token: SeShutdownPrivilege 1240 explorer.exe Token: SeShutdownPrivilege 1240 explorer.exe Token: SeShutdownPrivilege 1240 explorer.exe Token: SeShutdownPrivilege 1240 explorer.exe -
Suspicious use of FindShellTrayWindow 28 IoCs
pid Process 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe -
Suspicious use of SendNotifyMessage 19 IoCs
pid Process 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe 1240 explorer.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2520 wrote to memory of 840 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe 31 PID 2520 wrote to memory of 840 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe 31 PID 2520 wrote to memory of 840 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe 31 PID 2520 wrote to memory of 840 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe 31 PID 2520 wrote to memory of 656 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe 34 PID 2520 wrote to memory of 656 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe 34 PID 2520 wrote to memory of 656 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe 34 PID 2520 wrote to memory of 656 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe 34 PID 2520 wrote to memory of 564 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe 37 PID 2520 wrote to memory of 564 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe 37 PID 2520 wrote to memory of 564 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe 37 PID 2520 wrote to memory of 564 2520 JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe 37 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2520 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe startC:\Users\Admin\AppData\Roaming\151CF\3CD43.exe%C:\Users\Admin\AppData\Roaming\151CF2⤵
- System Location Discovery: System Language Discovery
PID:840
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe startC:\Program Files (x86)\CF316\lvvm.exe%C:\Program Files (x86)\CF3162⤵
- System Location Discovery: System Language Discovery
PID:656
-
-
C:\Program Files (x86)\LP\43C1\21F2.tmp"C:\Program Files (x86)\LP\43C1\21F2.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:564
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2688
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1240
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
996B
MD5aecd8dc2c1d8de5e83683e9e73cb7357
SHA17e6278672c28f844506c9f945836ae1445cbec7a
SHA2565d768986b8ecd2c3f71a077d92854627a13e19f6b5b70db3284af3de02daf784
SHA512de4e884be42e120916f01ccbf23a874672780e1f37c34070f5ae00e5b2bf6de8d0948a3e24146c637fa8cca18e769ef7e510aaafef8039a275ec90e65cb2fc71
-
Filesize
600B
MD55c3526b8524160ca6cb058177a28d328
SHA1a01ee65d677867dc4ba59cf3c6d2bd113c9b6929
SHA256873e7f8cab37400d0541d1ecc6415ce83e01fcc6b660d07572992d8cb0ab053e
SHA512d79f0c934ee757b50c15bf986e6dcda545e903bdab96e851f85250d4fee6e6cd2d2cbef378033b67045d7b52642cb981d7037cfd2c4a4052fe96e7bb923ac288
-
Filesize
1KB
MD52674b65b9917383d47b5faf11813c517
SHA1a39a1e8a204da31f80d4a2db9a3767d002795485
SHA256cbc01ca451ffc3b71907a4cd9c14e82b58ba3336f35ed6b4670e8be1fbf35864
SHA51241ad3ccafdadca1c48fd415e1bea07168f0ea9721a934092a04afedf195b97e2d2bb758866a547bf5139e99b0d3cb53b96e87a10ae4851dd8ebd33242bdb7a0d
-
Filesize
97KB
MD5dd599d77a7eb284a9a73a7eaf08acd63
SHA1ca3f9298d279361f73909f564d28e58c86456a61
SHA25676bfc108e1d1146dee49cf23866c6293d298e988ae0006ce3c9644b31a96697a
SHA512ac076022ba245c271dac5e0c5ae452046a58d27a15da21f6f042f964b3a9d05828c958534bde0d331c9d698021249276b9baa8e1afaeda1e4a7a7045b32baa2b