Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/01/2025, 12:10

General

  • Target

    JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe

  • Size

    277KB

  • MD5

    6a0efaa787d3b403622b508331f2f9fe

  • SHA1

    477ba873e56f7d5adfe2075973e8b5d26b5e2019

  • SHA256

    d1d8a6ef0f375d70020d67e679c5fd825b11124062f0b392d38b031a59a01be5

  • SHA512

    ea025631b0d85084a5cdecb818f1e68258fdb2509a64c6249826874fa8c28ca4233a1915eee916814e4c4c883d14d3635a9b54e4be6afc7558810c4888f08afe

  • SSDEEP

    6144:bubGlQoudUDM7rFMNCOt2QighaWWjBsbeEMpxeRaVS3ne6RiGR:6bqQoRtE1KyBnEMpsuyn5T

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 6 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
  • Pony family
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other profile contents.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
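The "UPX packed file" signature above matches on the packer's section layout, and its own description says it also covers modified UPX builds. The script below is an added example, not code from the Triage report or from Hatching's signature engine, showing how that check is done by hand: it walks the PE section table, looks for the stock UPX0/UPX1 names, and falls back to the layout UPX leaves behind even when a modified build renames the sections (an empty section with a large virtual size next to a near-random one). The PE images it scans are constructed in memory, not the report's binary; the 7.0-bit entropy threshold and the 0x1000 minimum virtual size are assumptions chosen for the example.

```python
"""Added example (not code from the Triage report or from Hatching): a
section-table walker that applies the heuristics behind a 'UPX packed file'
signature. The PE images below are constructed in memory so the script runs
offline; pass a real file path on the command line to scan that instead."""
import math
import struct
import sys

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
# Stock UPX names its sections UPX0 (empty, receives the unpacked image) and
# UPX1 (compressed data). Modified builds rename them, hence the second signal.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniformly distributed bytes, 0.0 for one repeated value."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Return [(name, raw_offset, raw_size, virtual_size)] from the section table."""
    if image[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4                        # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", image, file_hdr + 2)[0]
    opt_hdr_size = struct.unpack_from("<H", image, file_hdr + 16)[0]
    sec_table = file_hdr + 20 + opt_hdr_size       # IMAGE_SECTION_HEADER[] (40 bytes each)
    sections = []
    for i in range(num_sections):
        off = sec_table + i * 40
        name = struct.unpack_from("8s", image, off)[0].rstrip(b"\0")
        vsize, _va, rsize, rptr = struct.unpack_from("<IIII", image, off + 8)
        sections.append((name, rptr, rsize, vsize))
    return sections


def is_upx_packed(image: bytes, entropy_threshold: float = 7.0):
    """Verdict plus reasons. Fires on UPX section names, or on the layout UPX
    leaves behind even when renamed: a section with no raw data but a large
    virtual size (the unpack target) next to a near-random section."""
    sections = parse_sections(image)
    name_hits = sorted(n.decode() for n, *_ in sections if n in UPX_SECTION_NAMES)
    unpack_targets, dense = [], []
    for name, rptr, rsize, vsize in sections:
        label = name.decode(errors="replace")
        if rsize == 0 and vsize >= 0x1000:         # assumption: 4 KiB minimum to ignore tiny .bss
            unpack_targets.append(label)
        elif rsize and shannon_entropy(image[rptr:rptr + rsize]) >= entropy_threshold:
            dense.append(label)
    reasons = []
    if name_hits:
        reasons.append("UPX section names: " + ", ".join(name_hits))
    if unpack_targets and dense:
        reasons.append(f"empty section(s) {unpack_targets} beside high-entropy {dense}")
    return bool(reasons), reasons


def build_pe(sections):
    """Construct a minimal PE32 image (headers + section table + raw data) from
    [(name, raw_bytes, virtual_size)]. Test data only; it is not executable."""
    e_lfanew, opt_hdr_size = 0x40, 0xE0
    sec_table = e_lfanew + 4 + 20 + opt_hdr_size
    hdr_end = sec_table + 40 * len(sections)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF           # 512-byte file alignment
    hdr = bytearray(hdr_end)
    hdr[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = IMAGE_NT_SIGNATURE
    struct.pack_into("<HH", hdr, e_lfanew + 4, 0x14C, len(sections))   # i386, section count
    struct.pack_into("<H", hdr, e_lfanew + 4 + 16, opt_hdr_size)
    struct.pack_into("<H", hdr, e_lfanew + 24, 0x10B)                  # PE32 magic
    body, va = bytearray(), 0x1000
    for i, (name, raw, vsize) in enumerate(sections):
        off = sec_table + i * 40
        struct.pack_into("8s", hdr, off, name)
        rptr = raw_ptr + len(body) if raw else 0
        struct.pack_into("<IIII", hdr, off + 8, vsize, va, len(raw), rptr)
        body += raw
        va += (max(vsize, len(raw)) + 0xFFF) & ~0xFFF
    return bytes(hdr) + bytes(raw_ptr - hdr_end) + bytes(body)


# Constructed samples (not the report's binary): exactly-8.0-bit data stands in
# for compressed bytes so the result is deterministic without os.urandom.
DENSE = bytes(range(256)) * 16
PACKED_SAMPLE = build_pe([(b"UPX0", b"", 0x30000), (b"UPX1", DENSE, 0x1000), (b".rsrc", b"\0" * 512, 0x200)])
RENAMED_SAMPLE = build_pe([(b".text", b"", 0x30000), (b".data", DENSE, 0x1000)])
PLAIN_SAMPLE = build_pe([(b".text", b"\x55\x8b\xec\x90" * 256, 0x400), (b".bss", b"", 0x2000)])

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else PACKED_SAMPLE
    packed, why = is_upx_packed(image)
    print("packed" if packed else "not packed", why)
```

The plain sample has a zero-length .bss but no dense section, so the layout rule stays quiet; the renamed sample has no UPX names and is caught only by the layout rule. Name matching alone is what a trivial section rename defeats, which is why a signature that claims to cover modified UPX needs the second signal.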

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2520
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe startC:\Users\Admin\AppData\Roaming\151CF\3CD43.exe%C:\Users\Admin\AppData\Roaming\151CF
      2⤵
      • System Location Discovery: System Language Discovery
      PID:840
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a0efaa787d3b403622b508331f2f9fe.exe startC:\Program Files (x86)\CF316\lvvm.exe%C:\Program Files (x86)\CF316
      2⤵
      • System Location Discovery: System Language Discovery
      PID:656
    • C:\Program Files (x86)\LP\43C1\21F2.tmp
      "C:\Program Files (x86)\LP\43C1\21F2.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:564
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2688
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1240
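Two things in the tree above matter for host triage: the Active Setup persistence is attributed to explorer.exe, not to the sample, so the writer of the key is not the dropper, and every dropped artefact lives in a directory with a short hexadecimal name (151CF, CF316, LP\43C1) or is a .tmp run as a program. The script below is an added example, not code from the Triage report or from Hatching, that audits both autostart locations named in the report. It implements the Active Setup rule Windows applies at logon (a HKLM component's StubPath runs when IsInstalled is not 0 and the user's HKCU copy is missing or has a lower Version) over a registry snapshot held in plain dicts, so it runs offline; the GUIDs, the OneDrive Run entry, the "pending" stub path and the snapshot shape are constructed for the example, and the path heuristics are assumptions modelled on this report's drop locations, not rules from the report. snapshot_from_winreg() is an optional collector for a live Windows host.

```python
"""Added example (not code from the Triage report or from Hatching): an audit
of Active Setup Installed Components and the Run key over a constructed
registry snapshot. Heuristics are modelled on this report's drop paths."""
import re
from dataclasses import dataclass

ACTIVE_SETUP = r"SOFTWARE\Microsoft\Active Setup\Installed Components"
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HEX_DIR = re.compile(r"\\[0-9A-F]{4,8}\\", re.I)                # ...\151CF\, ...\CF316\, ...\43C1\
TMP_EXEC = re.compile(r"\.tmp\b", re.I)                         # 21F2.tmp executed directly
USER_PROFILE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)  # weak: legitimate software lives here too


@dataclass
class Finding:
    location: str   # hive-qualified key, plus value name for Run entries
    command: str
    reasons: list


def parse_version(v) -> tuple:
    """Active Setup Version data is 'a,b,c,d'; absent -> () sorts below any real version."""
    if not v:
        return ()
    return tuple(int(p) if p.strip().isdigit() else 0 for p in re.split(r"[,.]", str(v)))


def active_setup_pending(snapshot):
    """Yield (key_path, values) for HKLM components whose StubPath runs at the
    next logon: IsInstalled is not 0 and the user's HKCU copy is missing or
    carries a lower Version. (Wow6432Node components follow the same rule.)"""
    hklm, hkcu = snapshot.get("HKLM", {}), snapshot.get("HKCU", {})
    for path, values in hklm.items():
        if "\\Active Setup\\Installed Components\\" not in path or "StubPath" not in values:
            continue
        if values.get("IsInstalled", 1) == 0:
            continue
        user_copy = hkcu.get(path)
        if user_copy is None or parse_version(user_copy.get("Version")) < parse_version(values.get("Version")):
            yield path, values


def suspicious_reasons(command: str):
    reasons = []
    if HEX_DIR.search(command):
        reasons.append("hex-named directory in path")
    if TMP_EXEC.search(command):
        reasons.append(".tmp file executed as a program")
    if USER_PROFILE.search(command):
        reasons.append("runs from the user profile (weak signal)")
    return reasons


def audit(snapshot):
    """Every pending Active Setup stub is reported (it will run whatever it looks
    like); Run entries are reported only when a path heuristic fires."""
    findings = []
    for path, values in active_setup_pending(snapshot):
        cmd = values["StubPath"]
        findings.append(Finding("HKLM\\" + path, cmd, ["Active Setup stub pending for this user"] + suspicious_reasons(cmd)))
    for hive in ("HKLM", "HKCU"):
        for name, cmd in snapshot.get(hive, {}).get(RUN_KEY, {}).items():
            reasons = suspicious_reasons(str(cmd))
            if reasons:
                findings.append(Finding(f"{hive}\\{RUN_KEY}\\{name}", str(cmd), reasons))
    return findings


def snapshot_from_winreg():
    """Live collection with the standard-library winreg module (Windows only)."""
    import winreg

    def values_of(hive, path):
        out, i = {}, 0
        with winreg.OpenKey(hive, path) as key:
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    return out
                out[name], i = data, i + 1

    snapshot = {}
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        snapshot[hive_name] = {}
        for base in (ACTIVE_SETUP, r"SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components"):
            try:
                with winreg.OpenKey(hive, base) as root:
                    for i in range(winreg.QueryInfoKey(root)[0]):
                        sub = base + "\\" + winreg.EnumKey(root, i)
                        snapshot[hive_name][sub] = values_of(hive, sub)
            except OSError:
                pass
        try:
            snapshot[hive_name][RUN_KEY] = values_of(hive, RUN_KEY)
        except OSError:
            pass
    return snapshot


# Constructed snapshot (GUIDs made up; paths modelled on the report's drop locations).
STOCK = ACTIVE_SETUP + r"\{3B1A0C8E-0000-4000-8000-000000000001}"
PLANTED = ACTIVE_SETUP + r"\{7C2D5F10-0000-4000-8000-000000000002}"
SNAPSHOT = {
    "HKLM": {
        STOCK: {"StubPath": r"C:\Windows\system32\regsvr32.exe /s /n /i:U shell32.dll", "Version": "6,1,7601,0", "IsInstalled": 1},
        PLANTED: {"StubPath": r"C:\Program Files (x86)\LP\43C1\21F2.tmp", "Version": "1,0,0,0", "IsInstalled": 1},
    },
    "HKCU": {
        STOCK: {"Version": "6,1,7601,0"},   # already ran for this user, so not pending
        RUN_KEY: {
            "lvvm": r"C:\Program Files (x86)\CF316\lvvm.exe",
            "OneDrive": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        },
    },
}

if __name__ == "__main__":
    for f in audit(SNAPSHOT):
        print(f.location, "->", f.command, "|", "; ".join(f.reasons))
```

Note what the Version comparison buys you: an attacker who reuses an existing component GUID only needs to bump the HKLM Version above the user's HKCU copy to re-arm the stub, which is why the audit compares the two hives rather than listing HKLM alone. The user-profile rule is deliberately labelled weak; the constructed OneDrive entry shows it firing on legitimate software, so treat it as a prompt for a look rather than a verdict.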

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\151CF\F316.51C

    Filesize

    996B

    MD5

    aecd8dc2c1d8de5e83683e9e73cb7357

    SHA1

    7e6278672c28f844506c9f945836ae1445cbec7a

    SHA256

    5d768986b8ecd2c3f71a077d92854627a13e19f6b5b70db3284af3de02daf784

    SHA512

    de4e884be42e120916f01ccbf23a874672780e1f37c34070f5ae00e5b2bf6de8d0948a3e24146c637fa8cca18e769ef7e510aaafef8039a275ec90e65cb2fc71

  • C:\Users\Admin\AppData\Roaming\151CF\F316.51C

    Filesize

    600B

    MD5

    5c3526b8524160ca6cb058177a28d328

    SHA1

    a01ee65d677867dc4ba59cf3c6d2bd113c9b6929

    SHA256

    873e7f8cab37400d0541d1ecc6415ce83e01fcc6b660d07572992d8cb0ab053e

    SHA512

    d79f0c934ee757b50c15bf986e6dcda545e903bdab96e851f85250d4fee6e6cd2d2cbef378033b67045d7b52642cb981d7037cfd2c4a4052fe96e7bb923ac288

  • C:\Users\Admin\AppData\Roaming\151CF\F316.51C

    Filesize

    1KB

    MD5

    2674b65b9917383d47b5faf11813c517

    SHA1

    a39a1e8a204da31f80d4a2db9a3767d002795485

    SHA256

    cbc01ca451ffc3b71907a4cd9c14e82b58ba3336f35ed6b4670e8be1fbf35864

    SHA512

    41ad3ccafdadca1c48fd415e1bea07168f0ea9721a934092a04afedf195b97e2d2bb758866a547bf5139e99b0d3cb53b96e87a10ae4851dd8ebd33242bdb7a0d

  • \Program Files (x86)\LP\43C1\21F2.tmp

    Filesize

    97KB

    MD5

    dd599d77a7eb284a9a73a7eaf08acd63

    SHA1

    ca3f9298d279361f73909f564d28e58c86456a61

    SHA256

    76bfc108e1d1146dee49cf23866c6293d298e988ae0006ce3c9644b31a96697a

    SHA512

    ac076022ba245c271dac5e0c5ae452046a58d27a15da21f6f042f964b3a9d05828c958534bde0d331c9d698021249276b9baa8e1afaeda1e4a7a7045b32baa2b

  • memory/564-316-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/656-132-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/840-13-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2520-0-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2520-11-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2520-130-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2520-315-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2520-319-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB