Analysis

max time kernel:   140s
max time network:  121s
platform:          windows7_x64
resource:          win7-20240903-en
resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted:         05/12/2024, 15:09
Static task
static1

Behavioral task
behavioral1
Sample:    c848dc1cb164829d89c5360b58247d83_JaffaCakes118.exe
Resource:  win7-20240903-en

Behavioral task
behavioral2
Sample:    c848dc1cb164829d89c5360b58247d83_JaffaCakes118.exe
Resource:  win10v2004-20241007-en
General

Target:  c848dc1cb164829d89c5360b58247d83_JaffaCakes118.exe
Size:    208KB
MD5:     c848dc1cb164829d89c5360b58247d83
SHA1:    3d2eaeb1984048e1fccbf7746256845dff0fef6c
SHA256:  69983d88f5532d380cb8df45f87c4a5b40d88cd830705e0533413b2ab34d98e4
SHA512:  816bd532fdb93cc65d23946b81b4cfffacdc0baa821f5f8454353457e5a9697cbdbf917bf8de3a83cca8bde0d7ce8764380fe1732dbf286fadf8fbf5a5aa377c
SSDEEP:  3072:TBQAhE6nENUpw7mf1wbHBtlN+SJHdITasSaQrASLasjaPV7o2yJw5/uRLuJu2TCV:TBbhs+1AHblVRmXerVJWFyJpKJ7PBT
Malware Config
Signatures

Cycbot family

Detects Cycbot payload (4 IoCs)
Cycbot is a backdoor and trojan written in C++.

  resource                                                                      yara_rule
  behavioral1/memory/2052-6-0x0000000000400000-0x000000000044D000-memory.dmp    family_cycbot
  behavioral1/memory/1640-15-0x0000000000400000-0x000000000044D000-memory.dmp   family_cycbot
  behavioral1/memory/804-84-0x0000000000400000-0x000000000044D000-memory.dmp    family_cycbot
  behavioral1/memory/1640-189-0x0000000000400000-0x000000000044D000-memory.dmp  family_cycbot

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Memory regions matching the yara_rule upx (6 IoCs)
Note that every dumped region, in all three PIDs, covers the same range 0x400000-0x44D000, i.e. the same unpacked image base and size.

  resource                                                                      yara_rule
  behavioral1/memory/1640-2-0x0000000000400000-0x000000000044D000-memory.dmp    upx
  behavioral1/memory/2052-5-0x0000000000400000-0x000000000044D000-memory.dmp    upx
  behavioral1/memory/2052-6-0x0000000000400000-0x000000000044D000-memory.dmp    upx
  behavioral1/memory/1640-15-0x0000000000400000-0x000000000044D000-memory.dmp   upx
  behavioral1/memory/804-84-0x0000000000400000-0x000000000044D000-memory.dmp    upx
  behavioral1/memory/1640-189-0x0000000000400000-0x000000000044D000-memory.dmp  upx

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c848dc1cb164829d89c5360b58247d83_JaffaCakes118.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c848dc1cb164829d89c5360b58247d83_JaffaCakes118.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c848dc1cb164829d89c5360b58247d83_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (8 IoCs)
The parent process (PID 1640) writes into the memory of both child processes it spawned (PIDs 2052 and 804), which are copies of the same executable.

  description                        pid   Process                                              procid_target
  PID 1640 wrote to memory of 2052   1640  c848dc1cb164829d89c5360b58247d83_JaffaCakes118.exe   30
  PID 1640 wrote to memory of 2052   1640  c848dc1cb164829d89c5360b58247d83_JaffaCakes118.exe   30
  PID 1640 wrote to memory of 2052   1640  c848dc1cb164829d89c5360b58247d83_JaffaCakes118.exe   30
  PID 1640 wrote to memory of 2052   1640  c848dc1cb164829d89c5360b58247d83_JaffaCakes118.exe   30
  PID 1640 wrote to memory of 804    1640  c848dc1cb164829d89c5360b58247d83_JaffaCakes118.exe   32
  PID 1640 wrote to memory of 804    1640  c848dc1cb164829d89c5360b58247d83_JaffaCakes118.exe   32
  PID 1640 wrote to memory of 804    1640  c848dc1cb164829d89c5360b58247d83_JaffaCakes118.exe   32
  PID 1640 wrote to memory of 804    1640  c848dc1cb164829d89c5360b58247d83_JaffaCakes118.exe   32
Processes

C:\Users\Admin\AppData\Local\Temp\c848dc1cb164829d89c5360b58247d83_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c848dc1cb164829d89c5360b58247d83_JaffaCakes118.exe"
  PID: 1640
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\c848dc1cb164829d89c5360b58247d83_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\c848dc1cb164829d89c5360b58247d83_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
    PID: 2052
    - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\c848dc1cb164829d89c5360b58247d83_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\c848dc1cb164829d89c5360b58247d83_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    PID: 804
    - System Location Discovery: System Language Discovery
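The WriteProcessMemory rows and the process tree above are more useful read together than as separate tables: the same image spawns two copies of itself, writes into both, and hands each a path under AppData\Roaming named after a Windows system binary (conhost.exe, dwm.exe). The following Python is an added example, not part of the Triage report or the Triage API, that turns those rows into three findings a triage analyst would want flagged automatically: parent-to-child writes where both run the same image (self-injection), well-known system binary names planted outside the Windows directory, and the memory regions the family_cycbot/upx rules fired on, grouped by PID. The process list, write events and dump names are constructed from this report's rows; the function names and the list of system binaries are this example's own assumptions.

```python
"""Correlate behavioural IoCs from a sandbox report into higher-level findings.

The sample data is constructed from the report above (PIDs 1640, 2052, 804);
helper names and the SYSTEM_BINARIES list are this example's own, not Triage's.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c848dc1cb164829d89c5360b58247d83_JaffaCakes118.exe"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Process tree as reported: the submitted sample and the two copies it starts.
PROCS = {
    1640: Proc(1640, None, SAMPLE, f'"{SAMPLE}"'),
    2052: Proc(2052, 1640, SAMPLE,
               SAMPLE + r" startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft"),
    804: Proc(804, 1640, SAMPLE,
              SAMPLE + r" startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming"),
}

# The eight WriteProcessMemory rows: four writes into each child.
WRITES = [(1640, 2052)] * 4 + [(1640, 804)] * 4

# Dump names the family_cycbot rule matched (constructed from the report).
DUMPS = [
    "behavioral1/memory/2052-6-0x0000000000400000-0x000000000044D000-memory.dmp",
    "behavioral1/memory/1640-15-0x0000000000400000-0x000000000044D000-memory.dmp",
    "behavioral1/memory/804-84-0x0000000000400000-0x000000000044D000-memory.dmp",
    "behavioral1/memory/1640-189-0x0000000000400000-0x000000000044D000-memory.dmp",
]

# Binaries that legitimately live only under the Windows directory (illustrative list).
SYSTEM_BINARIES = {"conhost.exe", "dwm.exe", "svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

_DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name: str) -> dict:
    """Split a Triage-style dump file name into task, pid, sequence number and address range."""
    m = _DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"task": m["task"], "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def regions_by_pid(names) -> dict:
    """Map each PID to the set of (start, end) regions that were dumped for it."""
    out: dict = {}
    for n in names:
        d = parse_dump_name(n)
        out.setdefault(d["pid"], set()).add((d["start"], d["end"]))
    return out


def self_injection_pairs(procs, writes) -> list:
    """Return distinct (src, dst) pairs where a process wrote into its own child running the same image.

    A parent patching a freshly spawned copy of itself is the pattern the
    report shows twice (1640 -> 2052 and 1640 -> 804)."""
    found = set()
    for src, dst in writes:
        s, d = procs.get(src), procs.get(dst)
        if s and d and d.ppid == s.pid and d.image.lower() == s.image.lower():
            found.add((src, dst))
    return sorted(found)


def planted_system_names(cmdline: str) -> list:
    """Return paths in cmdline whose file name is a well-known Windows binary
    but whose directory is not a Windows system directory."""
    hits = []
    for path in re.findall(r'[A-Za-z]:\\[^%\s"]+', cmdline):
        name = ntpath.basename(path).lower()
        directory = ntpath.dirname(path).lower()
        if name in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
            hits.append(path)
    return hits


def summarise(procs=PROCS, writes=WRITES, dumps=DUMPS) -> dict:
    """Pull the three findings together for one report."""
    planted = []
    for p in procs.values():
        planted.extend(planted_system_names(p.cmdline))
    return {"self_injection": self_injection_pairs(procs, writes),
            "planted_names": planted,
            "regions": regions_by_pid(dumps)}


if __name__ == "__main__":
    for key, value in summarise().items():
        print(key, value)
```

The region grouping is what makes the YARA hits meaningful: the same 0x400000-0x44D000 range is dumped from all three PIDs, so the rule is matching one unpacked payload mapped into the parent and both injected children, not three different artefacts. The planted-name check is deliberately strict about the directory rather than the name alone, since conhost.exe and dwm.exe are legitimate when they run from System32.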
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize:  1KB
MD5:       ed60828d425840e1e3b34b5bf7b8d86b
SHA1:      ca591b908fd4705efbafa42884be5b8d0b805d7b
SHA256:    c0c170aeea80a059fefccfe6de7fd43561568026762e50462f880aabb1117523
SHA512:    29c77f78ccbef5d67837a4d5ecd12f6d7e362c248607b8bf6fed783ae6c3b9ab86269a526ad3a5a045e8f4844a2b6c04440d678934850293f28f2151b7328bcb

Filesize:  600B
MD5:       eaf57d6edc5d65fffda41e3aa7c10058
SHA1:      3ab0819481f69d5d4621c22b71c42c439e8323b8
SHA256:    495d22357cbf47676204098c34f903800b83c6185b3d2309a41a9a0d6a7cb584
SHA512:    a32278961502165d772cbef59a979a4dc6de771a9fbdbc906075dd901340e5e76002daafaa3a294231078fbb49a42db88fe20cd2a2c3417f404d5c14b05aab2f

Filesize:  996B
MD5:       0875c17d0900e229acfda160f22c0fe2
SHA1:      b3f8ee14974e3e9133a5303e21e93935d1cc41a2
SHA256:    8eda56af2395cf95836500a4ee433f9c8fa8dd31a30766d7f2a572a33c9abfda
SHA512:    997957f03f94dfe807f77f0dedf10a22f50401e40b881f9c88daed536a3bb28da2eadc4e9514efaa96478f36d543c3c9598b40ec13531f7a2205010911daa7b0