Analysis
- max time kernel: 140s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 05/12/2024, 15:17
Static task
- static1
Behavioral task
- behavioral1
  Sample: c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task
- behavioral2
  Sample: c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
- Target: c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe
- Size: 193KB
- MD5: c8509dbdf5cc70ffdc451efbe6f1328c
- SHA1: 8da22f9403e5fa6c1db34d60785b6850259f1958
- SHA256: c9e8a9c1d15153168c3e22f04cae35cb2f57bc3a1c7b28416f68f146a6997c46
- SHA512: 4c11358d749a1289d59dc13b401e0310fc1d724309ce20fcf26b68648a851fe3a4d8010da16e9173297ab8e5e0c2bb4457e16a7c10db3c1310dfb3b50ceb6d16
- SSDEEP: 6144:kQGlhY0BAc0AIO24Dg2z22jJRK1PWJZ8GQ:9EhYU0ANDg2z22jJRuSmGQ
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (5 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource | yara_rule
  behavioral1/memory/2808-8-0x0000000000400000-0x000000000048B000-memory.dmp | family_cycbot
  behavioral1/memory/2680-16-0x0000000000400000-0x000000000048B000-memory.dmp | family_cycbot
  behavioral1/memory/568-85-0x0000000000400000-0x000000000048B000-memory.dmp | family_cycbot
  behavioral1/memory/2680-86-0x0000000000400000-0x000000000048B000-memory.dmp | family_cycbot
  behavioral1/memory/2680-188-0x0000000000400000-0x000000000048B000-memory.dmp | family_cycbot
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe" | c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- resource | yara_rule
  behavioral1/memory/2680-2-0x0000000000400000-0x000000000048B000-memory.dmp | upx
  behavioral1/memory/2808-5-0x0000000000400000-0x000000000048B000-memory.dmp | upx
  behavioral1/memory/2808-8-0x0000000000400000-0x000000000048B000-memory.dmp | upx
  behavioral1/memory/2808-7-0x0000000000400000-0x000000000048B000-memory.dmp | upx
  behavioral1/memory/2680-16-0x0000000000400000-0x000000000048B000-memory.dmp | upx
  behavioral1/memory/568-83-0x0000000000400000-0x000000000048B000-memory.dmp | upx
  behavioral1/memory/568-85-0x0000000000400000-0x000000000048B000-memory.dmp | upx
  behavioral1/memory/2680-86-0x0000000000400000-0x000000000048B000-memory.dmp | upx
  behavioral1/memory/2680-188-0x0000000000400000-0x000000000048B000-memory.dmp | upx
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2680 wrote to memory of 2808 | 2680 | c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe | 30
  PID 2680 wrote to memory of 2808 | 2680 | c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe | 30
  PID 2680 wrote to memory of 2808 | 2680 | c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe | 30
  PID 2680 wrote to memory of 2808 | 2680 | c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe | 30
  PID 2680 wrote to memory of 568 | 2680 | c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe | 32
  PID 2680 wrote to memory of 568 | 2680 | c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe | 32
  PID 2680 wrote to memory of 568 | 2680 | c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe | 32
  PID 2680 wrote to memory of 568 | 2680 | c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe | 32
Processes
- C:\Users\Admin\AppData\Local\Temp\c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe"
  PID: 2680
  - Modifies WinLogon for persistence
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe (child of PID 2680)
    Command line: C:\Users\Admin\AppData\Local\Temp\c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
    PID: 2808
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe (child of PID 2680)
    Command line: C:\Users\Admin\AppData\Local\Temp\c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
    PID: 568
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 600B
  MD5: f5f1444b82c3b9f3d133cb5571132b29
  SHA1: bd0a1fa8cafe5086cbaecd547f18aab6d53d5426
  SHA256: afbc700a1347775f671ddf962d420cc6ccdfb53f9aee5a03ba26d840d8dcb425
  SHA512: 46ea91b48835812f0febfa907c4d7ba60209a2609745a4d2f0c338db396a4dfad831c92b89f04241988b5ae68cea62cc611cc1abbd2096a6f010c4fb81ac6784
- Filesize: 1KB
  MD5: b93bf8d52543956ca79a674163815537
  SHA1: ae721090ba60240b002291fe7db5ccea92ad67ff
  SHA256: 29c3cb081a6bdbdb4195dee1f89a6b077032ce630261bcfb49fc210e72655433
  SHA512: be35f9567aa1723927ce38b13a2332ec7f67fd497f6edb0c45993c8d5262cbfa31246a7e244a154b7927f48aac8c4f0ebd810ef55a8302698ff195c657e75127
- Filesize: 996B
  MD5: d530dcc899be4329f1c1cd15d082de5e
  SHA1: 902a087446b034a1ad86169504cab6e81033165c
  SHA256: 47eb577739d3eb61bf95858a74a511312cf8a8e2c4e38c4475aaf85c6162ad33
  SHA512: 059323848e26f03bf852b3891fce471431f809a9378c33e43f66cc22b07d78bb11bca6c0fc474b6215984c06a82f89f2a85d0a77e2d581e6309c59a66d9f3f6e