Analysis
max time kernel: 140s
max time network: 120s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 06/12/2024, 06:43
Static task: static1
Behavioral task: behavioral1
  Sample: cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe
Size: 186KB
MD5: cb92ffc0d0d0905eb7b1274de57b5af9
SHA1: 4d7df5f17646b628655b2f3f0df37a6c8ee0bdb3
SHA256: c99bc18be5b58e344808109b19374ca2d4691109e210900a63ca021bb602f86f
SHA512: 0191164b011d93e63ba22d6f03a02556f0b8a3a1f0e3df329a0f3bd0b36a6bb4458026c1a85a9b34640c61a94a51ff3d17fcb5e19b7abf01fc89e7c314fc477c
SSDEEP: 3072:WxymEZpYy5vXTz2eQhBQWAsEa27XKGMK1UUVAyAMt41f8sqgPAICw/:WxymEvD5m1hlrl2DKq1jAIOfVzvC
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (5 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource                                                                     yara_rule
  behavioral1/memory/2384-7-0x0000000000400000-0x0000000000445000-memory.dmp   family_cycbot
  behavioral1/memory/2848-15-0x0000000000400000-0x0000000000445000-memory.dmp  family_cycbot
  behavioral1/memory/2848-78-0x0000000000400000-0x0000000000445000-memory.dmp  family_cycbot
  behavioral1/memory/1220-80-0x0000000000400000-0x0000000000445000-memory.dmp  family_cycbot
  behavioral1/memory/2848-182-0x0000000000400000-0x0000000000445000-memory.dmp family_cycbot
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                              Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"  cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe
- upx (7 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/2848-2-0x0000000000400000-0x0000000000445000-memory.dmp   upx
  behavioral1/memory/2384-6-0x0000000000400000-0x0000000000445000-memory.dmp   upx
  behavioral1/memory/2384-7-0x0000000000400000-0x0000000000445000-memory.dmp   upx
  behavioral1/memory/2848-15-0x0000000000400000-0x0000000000445000-memory.dmp  upx
  behavioral1/memory/2848-78-0x0000000000400000-0x0000000000445000-memory.dmp  upx
  behavioral1/memory/1220-80-0x0000000000400000-0x0000000000445000-memory.dmp  upx
  behavioral1/memory/2848-182-0x0000000000400000-0x0000000000445000-memory.dmp upx
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                             procid_target
  PID 2848 wrote to memory of 2384  2848  cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe  31
  PID 2848 wrote to memory of 2384  2848  cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe  31
  PID 2848 wrote to memory of 2384  2848  cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe  31
  PID 2848 wrote to memory of 2384  2848  cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe  31
  PID 2848 wrote to memory of 1220  2848  cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe  33
  PID 2848 wrote to memory of 1220  2848  cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe  33
  PID 2848 wrote to memory of 1220  2848  cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe  33
  PID 2848 wrote to memory of 1220  2848  cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe  33
Processes
1. C:\Users\Admin\AppData\Local\Temp\cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2848
   2. C:\Users\Admin\AppData\Local\Temp\cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      - System Location Discovery: System Language Discovery
      PID: 2384
   2. C:\Users\Admin\AppData\Local\Temp\cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      - System Location Discovery: System Language Discovery
      PID: 1220
Network
MITRE ATT&CK Enterprise v15
Downloads