Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    06/12/2024, 10:55

General

  • Target

    cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe

  • Size

    174KB

  • MD5

    cc9dc086fb0bfa15c1bbc2a67185f44f

  • SHA1

    fb6b4470c644bb434ef675ac8c6152fe6bad9e08

  • SHA256

    b60c47f55209e39d9f2ef9fe6a8b20324cb5cbe2d7d696fc76cbcd319919608e

  • SHA512

    441547a3168505deed5a3a58b0fd81b221d83af67f1e117ac4a6d43a2fea4db8d32df19d3543d58534315698ef493e2dcc995c4d2bab99c9a125012f5b772d72

  • SSDEEP

    3072:hgWY2StOg2IXQ7X2CEA5ZR48xGSLYi9h/FA3WygYaYN5W5E1xV9pquB:+TV/KXpFJPki9d633/aWosnouB

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory 8 IoCs
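The "UPX packed file" signature above fires on section-table indicators, and the report's memory dumps (the 0x400000-0x48D000 region, 564KB, against a 174KB file on disk) are consistent with the image being unpacked in memory. The following Python is an added example, not code from tria.ge or from the sample, showing how such a signature is built: it walks the PE section headers and flags UPX-style section names, an empty-on-disk section reserved for the unpacked image, and high-entropy raw data. The two PE images it checks are constructed in the block (assumed layouts, not this report's file), and the 7.0 bits/byte entropy threshold is an assumed cut-off.

```python
"""Flag UPX-style packing from PE section headers (added example, not tria.ge code)."""
import hashlib
import math
import struct

ENTROPY_THRESHOLD = 7.0  # bits/byte; compressed or encrypted data sits near 8.0 (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk the section table and return name, sizes, raw offset and entropy per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size  # first IMAGE_SECTION_HEADER (40 bytes each)
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        raw = pe[rptr:rptr + rsize] if rsize else b""
        sections.append({"name": name, "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rsize, "raw_ptr": rptr, "entropy": shannon_entropy(raw)})
    return sections


def upx_indicators(sections: list) -> list:
    """Reasons the image looks UPX-packed; an empty list means no indicator fired."""
    reasons = []
    for s in sections:
        name = s["name"]
        if name.startswith(b"UPX"):
            reasons.append(f"section named {name!r}")
        # UPX0 is an empty-on-disk section reserved for the unpacked image at runtime
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            reasons.append(f"{name!r} has no raw data but {s['virtual_size']:#x} bytes virtual")
        # Modified UPX builds rename sections, so entropy is kept as an independent signal
        if s["raw_size"] and s["entropy"] >= ENTROPY_THRESHOLD:
            reasons.append(f"{name!r} entropy {s['entropy']:.2f}")
    return reasons


def build_sample_pe(specs: list) -> bytes:
    """Build a minimal, non-executable PE32 image from (name, raw_bytes, virtual_size) tuples.

    Constructed test data only; this is not the sample from the report.
    """
    optional = b"\x0b\x01" + b"\0" * 222  # PE32 magic plus zeroed optional header
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, len(optional), 0x102)
    first_raw = (0x40 + 4 + 20 + len(optional) + 40 * len(specs) + 0x1FF) & ~0x1FF
    table, blobs, vaddr = b"", b"", 0x1000
    for name, raw, vsize in specs:
        rptr = first_raw + len(blobs) if raw else 0
        table += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, vaddr, len(raw), rptr, 0, 0, 0, 0, 0)
        blobs += raw
        vaddr += max(vsize, len(raw), 0x1000)
    image = dos + b"PE\0\0" + coff + optional + table
    return image + b"\0" * (first_raw - len(image)) + blobs


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for compressed code."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


PACKED_SAMPLE = build_sample_pe([
    (b"UPX0", b"", 0x8D000),                    # empty on disk, large in memory
    (b"UPX1", _pseudo_random(4096), 0x2000),   # compressed payload
    (b".rsrc", b"\0" * 64, 0x1000),
])
CLEAN_SAMPLE = build_sample_pe([
    (b".text", b"\x55\x8b\xec" + b"\x90" * 500 + b"\xc3", 0x1000),
    (b".data", b"\0" * 128, 0x1000),
])

if __name__ == "__main__":
    for label, image in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, upx_indicators(parse_sections(image)) or ["no UPX indicators"])
```

Run against a real file, `parse_sections(open(path, "rb").read())` is enough; the section-name test alone is what a renamed ("modified UPX") build defeats, which is why the empty-section and entropy checks are scored independently.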

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Users\Admin\AppData\Local\Temp\cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2324
    • C:\Users\Admin\AppData\Local\Temp\cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2228
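The parent process (PID 1832) is the one tagged "Modifies WinLogon for persistence"; the usual form of that technique (ATT&CK T1547.004) is appending an extra program to the Shell or Userinit value under the Winlogon key, so the implant starts at every logon. The following Python is an added example, not code from tria.ge or from the sample, for checking a `.reg` export of those keys during incident response. The registry export it parses is constructed in the block with placeholder implant paths (the report does not state which value the sample changed), and the expected stock values are assumed from a default Windows 7 install.

```python
"""Check a .reg export of the Winlogon keys for persistence changes (added example, not tria.ge code)."""
import re

WINLOGON_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
}
# Stock values on a default Windows 7 install (assumed); any extra comma-separated entry is a finding.
EXPECTED = {
    "Shell": ["explorer.exe"],
    "Userinit": [r"C:\Windows\system32\userinit.exe"],
}
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>(?:[^"\\]|\\.)*)"$')


def parse_reg_export(text: str) -> dict:
    """Map key path -> {value name: string} for the REG_SZ values in a .reg file."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and quotes; undo that before comparing paths
            keys[current][m.group("name")] = re.sub(r"\\(.)", r"\1", m.group("value"))
    return keys


def split_entries(value: str) -> list:
    """Winlogon values are comma-separated program lists; drop blanks from trailing commas."""
    return [e.strip() for e in value.split(",") if e.strip()]


def winlogon_findings(keys: dict) -> list:
    """Return one human-readable finding per unexpected Shell/Userinit entry."""
    wanted = {k.lower() for k in WINLOGON_KEYS}
    findings = []
    for key, values in keys.items():
        if key.lower() not in wanted:
            continue
        per_user = key.upper().startswith("HKEY_CURRENT_USER")
        for name, expected in EXPECTED.items():
            if name not in values:
                continue
            if per_user:
                # These values do not exist under HKCU by default; their presence overrides HKLM
                findings.append(f"{name} set under {key} overrides the machine value: {values[name]}")
                continue
            for entry in split_entries(values[name]):
                if entry.lower() not in [e.lower() for e in expected]:
                    findings.append(f"unexpected {name} entry under {key}: {entry}")
    return findings


# Constructed export with placeholder implant paths; not the sample's actual registry changes.
SUSPECT_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\implant.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\implant.exe"
'''

CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
'''

if __name__ == "__main__":
    for line in winlogon_findings(parse_reg_export(SUSPECT_EXPORT)):
        print(line)
```

On a live host the same comparison can be made with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` and feeding the file to `parse_reg_export`; the trailing comma in the stock Userinit value is why entries are split and blanks dropped rather than compared as one string.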

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\56C7.B5E

    Filesize

    1KB

    MD5

    86ee1b8203ccbdc062cb7af351ebe0c1

    SHA1

    2fd2354c6cc55e6858dd6b5331e1539ac581b9b0

    SHA256

    993695f387410402456c2587ce870eb5427bb104b6ed89c77ba9c5b2ca0ca3c1

    SHA512

    587fbd1e5d61813d91b2016589559aebbb358ca38ad65d9f124834b06fe899712d4224beadd2e4359a3e2ed67ec2abdda12163797cf54d8c37314ae07868dc00

  • C:\Users\Admin\AppData\Roaming\56C7.B5E

    Filesize

    600B

    MD5

    a251bf1c14b1062aefbe36cd19035c70

    SHA1

    b329d60e0c186797db7ff6ecfda5c491471a47e7

    SHA256

    8b69d0a64b0ebf179a5aa27af602f83b65c478af7d8de7ec502e524e41c5f176

    SHA512

    61c24d92983c76d107daaad379654545f357822f7ff5dc9974d8c16c0d197e49b52987f748369de22417e93ddad6234580770dbc0c407caa5572bcf47e9c273f

  • C:\Users\Admin\AppData\Roaming\56C7.B5E

    Filesize

    996B

    MD5

    cc2b8c6ecea3b1e50f3d567d67487319

    SHA1

    b7eebca26da1c9c9f119c7b86f8c6ac022bc2f95

    SHA256

    1670833b3bdc5c1d1aba3e0658d21d2d76d2d7890dee87ef5195495d5be2bba5

    SHA512

    8699be78fbb7c1c7b9ace132cf51c85f8d5e3771155e5cec7b710f315eb5a11a4d384952100ae8bf0475373c7cbeb919e3ca394ed321b00751234a9d60aedc66

  • memory/1832-2-0x0000000000400000-0x000000000048D000-memory.dmp

    Filesize

    564KB

  • memory/1832-1-0x0000000000400000-0x000000000048D000-memory.dmp

    Filesize

    564KB

  • memory/1832-16-0x0000000000400000-0x000000000048D000-memory.dmp

    Filesize

    564KB

  • memory/1832-84-0x0000000000400000-0x000000000048D000-memory.dmp

    Filesize

    564KB

  • memory/1832-189-0x0000000000400000-0x000000000048D000-memory.dmp

    Filesize

    564KB

  • memory/2228-81-0x0000000000400000-0x000000000048D000-memory.dmp

    Filesize

    564KB

  • memory/2228-83-0x0000000000400000-0x000000000048D000-memory.dmp

    Filesize

    564KB

  • memory/2324-8-0x0000000000400000-0x000000000048D000-memory.dmp

    Filesize

    564KB

  • memory/2324-5-0x0000000000400000-0x000000000048D000-memory.dmp

    Filesize

    564KB

  • memory/2324-7-0x0000000000400000-0x000000000048D000-memory.dmp

    Filesize

    564KB