Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    06/12/2024, 06:43

General

  • Target

    cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe

  • Size

    186KB

  • MD5

    cb92ffc0d0d0905eb7b1274de57b5af9

  • SHA1

    4d7df5f17646b628655b2f3f0df37a6c8ee0bdb3

  • SHA256

    c99bc18be5b58e344808109b19374ca2d4691109e210900a63ca021bb602f86f

  • SHA512

    0191164b011d93e63ba22d6f03a02556f0b8a3a1f0e3df329a0f3bd0b36a6bb4458026c1a85a9b34640c61a94a51ff3d17fcb5e19b7abf01fc89e7c314fc477c

  • SSDEEP

    3072:WxymEZpYy5vXTz2eQhBQWAsEa27XKGMK1UUVAyAMt41f8sqgPAICw/:WxymEvD5m1hlrl2DKq1jAIOfVzvC

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

  • Cycbot family
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Users\Admin\AppData\Local\Temp\cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2384
    • C:\Users\Admin\AppData\Local\Temp\cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\cb92ffc0d0d0905eb7b1274de57b5af9_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1220

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\20AF.B32

    Filesize

    1KB

    MD5

    4dad2664f4572712643509975f179ecd

    SHA1

    04dcf28fa8b594b2e712b9debe1ec529f9284c27

    SHA256

    b75434b68e33b8183c047c6e4a817c59607bdd2417112f24a3d8cf8c3745fd49

    SHA512

    dd75ad415cb68f4f08903fffc37df3a3922b2d2015e5dd3a3c7a4ce6b15a48d1bf8fa7834a8ac32015ee2278e812991591621155b358e64541e870ccac690ff7

  • C:\Users\Admin\AppData\Roaming\20AF.B32

    Filesize

    1KB

    MD5

    791765e35e8cdb5f094fc6171a571571

    SHA1

    c0c911b40f0393d4281f2157ec8f9c0cdf5cbb0a

    SHA256

    bf3f3ff06674756172a4a1841957466fafa235712b1bfc3589ae139befa24e1b

    SHA512

    65a7f62e0d3efa203596b0a7cd0478387cf780071c659a0afc3ce6ee88de2f11e81d50db896675e8746375ab1795ca91c092c486f36f0a8e90b4f227b121a917

  • C:\Users\Admin\AppData\Roaming\20AF.B32

    Filesize

    600B

    MD5

    4cb7476e7bebf49a25a5bf09c9482165

    SHA1

    909489927bf9e55f0757663ca0bf80b9c5b5ff8e

    SHA256

    29532ab7594402a7fe55b9c1b2747bccb0b7a3bbe1bb8b337d762a1c66e73afa

    SHA512

    993674883b67ebcc985f9b7154e1dd6c4438bdf76b1c6d6ee494b2aec10174fb64414dec36f70ec927381d896229858670bb0a8d583a906f0d7c9c1b6428754c

  • C:\Users\Admin\AppData\Roaming\20AF.B32

    Filesize

    996B

    MD5

    c6497b3f8a10785dde5dadf78d1b6f4d

    SHA1

    5d52aeb23026991e747d1fa717fa3f6a2accb81b

    SHA256

    7fc382f6c68219f8c54727adccc077fbce80b986e3391a0be354bf983157b5d1

    SHA512

    b216098de648d8d05976b57dd86c8e0bda39e51dd8ce96f507fb084a5766bb7eadd640457ededc4941ce1c41e1d5e19e3b941d3eae9b772de8a0b789c78e385c

  • memory/1220-80-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2384-7-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2384-5-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2384-6-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2848-15-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2848-78-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2848-1-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2848-2-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2848-182-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB