Analysis
max time kernel: 140s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 05/12/2024, 23:33
Static task: static1
Behavioral task: behavioral1
  Sample: c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe
Size: 156KB
MD5: c9eac63f583edaca596e4102c3900771
SHA1: 2c35aa8aeb1a5d898f05d5f1af8fe732bf4bdd24
SHA256: b841c253a2fc6b627b2a278cd6d1fea9cf88fde99d28ef11a2644d0ed22f6480
SHA512: 0186f89a4a059416705c60b3d4dbd3337b8bc8bff8804e49dd66aa8d5de296a3a71c91c324c3b2374117d639a57f613408d0af54d441fc124683f59c78a83ac5
SSDEEP: 3072:UfWtcjNULF5L1PBzQCZys7BDipPSfazCwrbjGuWQGOxv:QtjqLF5L1fZys7BDwPCcGu0Ot
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (5 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource                                                                      yara_rule
  behavioral1/memory/2084-7-0x0000000000400000-0x0000000000442000-memory.dmp    family_cycbot
  behavioral1/memory/1832-15-0x0000000000400000-0x0000000000442000-memory.dmp   family_cycbot
  behavioral1/memory/1832-79-0x0000000000400000-0x0000000000442000-memory.dmp   family_cycbot
  behavioral1/memory/832-83-0x0000000000400000-0x0000000000442000-memory.dmp    family_cycbot
  behavioral1/memory/1832-188-0x0000000000400000-0x0000000000442000-memory.dmp  family_cycbot
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                                    Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"                    c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe
- resource                                                                      yara_rule
  behavioral1/memory/1832-2-0x0000000000400000-0x0000000000442000-memory.dmp    upx
  behavioral1/memory/2084-7-0x0000000000400000-0x0000000000442000-memory.dmp    upx
  behavioral1/memory/2084-6-0x0000000000400000-0x0000000000442000-memory.dmp    upx
  behavioral1/memory/1832-15-0x0000000000400000-0x0000000000442000-memory.dmp   upx
  behavioral1/memory/1832-79-0x0000000000400000-0x0000000000442000-memory.dmp   upx
  behavioral1/memory/832-81-0x0000000000400000-0x0000000000442000-memory.dmp    upx
  behavioral1/memory/832-83-0x0000000000400000-0x0000000000442000-memory.dmp    upx
  behavioral1/memory/1832-188-0x0000000000400000-0x0000000000442000-memory.dmp  upx
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                                              procid_target
  PID 1832 wrote to memory of 2084   1832  c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe  30
  PID 1832 wrote to memory of 2084   1832  c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe  30
  PID 1832 wrote to memory of 2084   1832  c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe  30
  PID 1832 wrote to memory of 2084   1832  c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe  30
  PID 1832 wrote to memory of 832    1832  c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe  33
  PID 1832 wrote to memory of 832    1832  c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe  33
  PID 1832 wrote to memory of 832    1832  c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe  33
  PID 1832 wrote to memory of 832    1832  c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe  33
Processes
- C:\Users\Admin\AppData\Local\Temp\c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe"
  PID: 1832
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    PID: 2084
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
    PID: 832
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 56cb838122b8f3659161c0427c9ea9eb
  SHA1: 4578be94385eadc60ce7f54a28f64d975686cdf4
  SHA256: e4bd9be936d3f0b19ae6fb2bb38214b6f9c5c6bb5fa4ff65508475441d2a1b8b
  SHA512: d1a3e97ba3733acab0e220eea24c2f9f2d5b38f4786404f0add91c58cd16610d0288872e7fbb83a1f42de765c22dfbbc86845d1233effa325bb61fb712297deb
- Filesize: 600B
  MD5: 3f953b184792bfc0e9786564913b18fd
  SHA1: 2fec42799370c6afaad3132d368b60baa5038135
  SHA256: c886bf3bb397b2c34b8d044a5cd482295ed062c5e8a100894932371e7c5cf710
  SHA512: 8d70f7d490ec0d7e72520efdaee6d1734215e054d98376133a3842e0482f5652bc9baba3ab189bed37c21bfa49a19838cfcd7b1d6c0ee1bbe6b1075875142750
- Filesize: 996B
  MD5: 962d7be1957443a7dc65d74b595b56bb
  SHA1: 1e9a0bb4c892ee29fb6e4b709180454afad3e1b0
  SHA256: 2fa2bc6baff2c25eaa3b229a5cbb9f6fae20cad6ff4e48a4a21756c814d200c3
  SHA512: 01500842b565031126477b2b795a4a854ab7e722d69b5bb33bfc40f0025060bf1a3037aa63fb204a16fed1212fd6e597a3249900a495d662c6c1a3b4fdb8e835