Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/12/2024, 15:17

General

  • Target

    c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe

  • Size

    193KB

  • MD5

    c8509dbdf5cc70ffdc451efbe6f1328c

  • SHA1

    8da22f9403e5fa6c1db34d60785b6850259f1958

  • SHA256

    c9e8a9c1d15153168c3e22f04cae35cb2f57bc3a1c7b28416f68f146a6997c46

  • SHA512

    4c11358d749a1289d59dc13b401e0310fc1d724309ce20fcf26b68648a851fe3a4d8010da16e9173297ab8e5e0c2bb4457e16a7c10db3c1310dfb3b50ceb6d16

  • SSDEEP

    6144:kQGlhY0BAc0AIO24Dg2z22jJRK1PWJZ8GQ:9EhYU0ANDg2z22jJRuSmGQ

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Users\Admin\AppData\Local\Temp\c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2808
    • C:\Users\Admin\AppData\Local\Temp\c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:568

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\86D5.022

    Filesize

    600B

    MD5

    f5f1444b82c3b9f3d133cb5571132b29

    SHA1

    bd0a1fa8cafe5086cbaecd547f18aab6d53d5426

    SHA256

    afbc700a1347775f671ddf962d420cc6ccdfb53f9aee5a03ba26d840d8dcb425

    SHA512

    46ea91b48835812f0febfa907c4d7ba60209a2609745a4d2f0c338db396a4dfad831c92b89f04241988b5ae68cea62cc611cc1abbd2096a6f010c4fb81ac6784

  • C:\Users\Admin\AppData\Roaming\86D5.022

    Filesize

    1KB

    MD5

    b93bf8d52543956ca79a674163815537

    SHA1

    ae721090ba60240b002291fe7db5ccea92ad67ff

    SHA256

    29c3cb081a6bdbdb4195dee1f89a6b077032ce630261bcfb49fc210e72655433

    SHA512

    be35f9567aa1723927ce38b13a2332ec7f67fd497f6edb0c45993c8d5262cbfa31246a7e244a154b7927f48aac8c4f0ebd810ef55a8302698ff195c657e75127

  • C:\Users\Admin\AppData\Roaming\86D5.022

    Filesize

    996B

    MD5

    d530dcc899be4329f1c1cd15d082de5e

    SHA1

    902a087446b034a1ad86169504cab6e81033165c

    SHA256

    47eb577739d3eb61bf95858a74a511312cf8a8e2c4e38c4475aaf85c6162ad33

    SHA512

    059323848e26f03bf852b3891fce471431f809a9378c33e43f66cc22b07d78bb11bca6c0fc474b6215984c06a82f89f2a85d0a77e2d581e6309c59a66d9f3f6e

  • memory/568-85-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/568-83-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2680-16-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2680-1-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2680-86-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2680-2-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2680-188-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2808-7-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2808-8-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2808-5-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB