Analysis
- max time kernel: 140s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 06/12/2024, 10:55
Static task
- static1
Behavioral task
- behavioral1
  Sample: cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task
- behavioral2
  Sample: cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
- Target: cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe
- Size: 174KB
- MD5: cc9dc086fb0bfa15c1bbc2a67185f44f
- SHA1: fb6b4470c644bb434ef675ac8c6152fe6bad9e08
- SHA256: b60c47f55209e39d9f2ef9fe6a8b20324cb5cbe2d7d696fc76cbcd319919608e
- SHA512: 441547a3168505deed5a3a58b0fd81b221d83af67f1e117ac4a6d43a2fea4db8d32df19d3543d58534315698ef493e2dcc995c4d2bab99c9a125012f5b772d72
- SSDEEP: 3072:hgWY2StOg2IXQ7X2CEA5ZR48xGSLYi9h/FA3WygYaYN5W5E1xV9pquB:+TV/KXpFJPki9d633/aWosnouB
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (5 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource | yara_rule
  behavioral1/memory/2324-8-0x0000000000400000-0x000000000048D000-memory.dmp | family_cycbot
  behavioral1/memory/1832-16-0x0000000000400000-0x000000000048D000-memory.dmp | family_cycbot
  behavioral1/memory/2228-83-0x0000000000400000-0x000000000048D000-memory.dmp | family_cycbot
  behavioral1/memory/1832-84-0x0000000000400000-0x000000000048D000-memory.dmp | family_cycbot
  behavioral1/memory/1832-189-0x0000000000400000-0x000000000048D000-memory.dmp | family_cycbot
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe" | cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
-
  resource | yara_rule
  behavioral1/memory/2324-8-0x0000000000400000-0x000000000048D000-memory.dmp | upx
  behavioral1/memory/2324-7-0x0000000000400000-0x000000000048D000-memory.dmp | upx
  behavioral1/memory/2324-5-0x0000000000400000-0x000000000048D000-memory.dmp | upx
  behavioral1/memory/1832-2-0x0000000000400000-0x000000000048D000-memory.dmp | upx
  behavioral1/memory/1832-16-0x0000000000400000-0x000000000048D000-memory.dmp | upx
  behavioral1/memory/2228-81-0x0000000000400000-0x000000000048D000-memory.dmp | upx
  behavioral1/memory/2228-83-0x0000000000400000-0x000000000048D000-memory.dmp | upx
  behavioral1/memory/1832-84-0x0000000000400000-0x000000000048D000-memory.dmp | upx
  behavioral1/memory/1832-189-0x0000000000400000-0x000000000048D000-memory.dmp | upx
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1832 wrote to memory of 2324 | 1832 | cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe | 30
  PID 1832 wrote to memory of 2324 | 1832 | cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe | 30
  PID 1832 wrote to memory of 2324 | 1832 | cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe | 30
  PID 1832 wrote to memory of 2324 | 1832 | cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe | 30
  PID 1832 wrote to memory of 2228 | 1832 | cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe | 33
  PID 1832 wrote to memory of 2228 | 1832 | cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe | 33
  PID 1832 wrote to memory of 2228 | 1832 | cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe | 33
  PID 1832 wrote to memory of 2228 | 1832 | cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe | 33
Processes
- C:\Users\Admin\AppData\Local\Temp\cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe"
  PID: 1832
  Signatures:
  - Modifies WinLogon for persistence
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
    PID: 2324
    Signatures:
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\cc9dc086fb0bfa15c1bbc2a67185f44f_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
    PID: 2228
    Signatures:
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 86ee1b8203ccbdc062cb7af351ebe0c1
  SHA1: 2fd2354c6cc55e6858dd6b5331e1539ac581b9b0
  SHA256: 993695f387410402456c2587ce870eb5427bb104b6ed89c77ba9c5b2ca0ca3c1
  SHA512: 587fbd1e5d61813d91b2016589559aebbb358ca38ad65d9f124834b06fe899712d4224beadd2e4359a3e2ed67ec2abdda12163797cf54d8c37314ae07868dc00
- Filesize: 600B
  MD5: a251bf1c14b1062aefbe36cd19035c70
  SHA1: b329d60e0c186797db7ff6ecfda5c491471a47e7
  SHA256: 8b69d0a64b0ebf179a5aa27af602f83b65c478af7d8de7ec502e524e41c5f176
  SHA512: 61c24d92983c76d107daaad379654545f357822f7ff5dc9974d8c16c0d197e49b52987f748369de22417e93ddad6234580770dbc0c407caa5572bcf47e9c273f
- Filesize: 996B
  MD5: cc2b8c6ecea3b1e50f3d567d67487319
  SHA1: b7eebca26da1c9c9f119c7b86f8c6ac022bc2f95
  SHA256: 1670833b3bdc5c1d1aba3e0658d21d2d76d2d7890dee87ef5195495d5be2bba5
  SHA512: 8699be78fbb7c1c7b9ace132cf51c85f8d5e3771155e5cec7b710f315eb5a11a4d384952100ae8bf0475373c7cbeb919e3ca394ed321b00751234a9d60aedc66