Analysis

  • max time kernel
    140s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/12/2024, 20:57

General

  • Target

    de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe

  • Size

    201KB

  • MD5

    de74448b4a398e9df200dcfdc2c6f7e5

  • SHA1

    1065fe6f58880976cfeab0e57d9f35de587a54e4

  • SHA256

    b8417527766e5b64a490cafb0105e6df80dcea8a9c2dca88ce2fcc79a703724a

  • SHA512

    0591178849d17f12227eea866cff806a91fae6ec8cca45fcd45aa51d89aed6adf2c9c3bf8f0b61d92156ef66b0ecf41b5d88c19cb75548bb770826ad46254517

  • SSDEEP

    3072:ptZBDetdPfnhv7o4CbWnHcU3zbjgUznaBVrEOKQz6Mq3TlMg2agNFGvynNE1HJSg:ptZBDebfnhjJfDgUzSEetg2agKveUQF

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 4 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Users\Admin\AppData\Local\Temp\de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1740
    • C:\Users\Admin\AppData\Local\Temp\de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2192

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\1FD6.EB2

    Filesize

    1KB

    MD5

    d88490002a91235ca412d4a15d136e3a

    SHA1

    adb79c01f03740278d72d2298e2164d5098dbf0c

    SHA256

    95f385d1cfa6dbae6f0bd38d48374537cf4f19ccbcc2b148a0138099906e5c57

    SHA512

    262ae8babc77e8c9a6137a057cd5b40d9c729922cfcea6b2a5be8350ae10bf7d646bf5c6ba491fa5021bce33d07c0c99f7cb9bd98bea308875ad198ef3f1db02

  • C:\Users\Admin\AppData\Roaming\1FD6.EB2

    Filesize

    600B

    MD5

    e49874dadf21c071163b0d0aa7c0170c

    SHA1

    7346aba8dc5b2f2f53b3cdfa6c52dea984f8a3b3

    SHA256

    21e86468d221d534b35b2bc982b979c9267ed750e4a95d508bfcc00c61ec8489

    SHA512

    efdb4407b5c0ea6daaea3da93bad3092e9241ba286d57f1c8495f44e5cdf02cbab579d05ae8dc4c36423cc2609998d5c627472d818d622558461d1f95561bd8e

  • C:\Users\Admin\AppData\Roaming\1FD6.EB2

    Filesize

    996B

    MD5

    cc831d3dd9f663401acae75e5796ffe1

    SHA1

    8ab02aedbffef667dc64d01d15003c7cd203e4e8

    SHA256

    a04832cb0288a05edf98d134ff79679bcf72eb93932dda5fd388c68e0f293b64

    SHA512

    852d4ccbd91d5d9996efc783e7733875fe74b0cadbf1db8c05e41b3c59f2c71dbf83f5429dfb143b1b1c70cafa8c61e010287b7251a1744f549f0925831705f2

  • memory/1740-5-0x0000000000400000-0x000000000044D000-memory.dmp

    Filesize

    308KB

  • memory/2192-78-0x0000000000400000-0x000000000044D000-memory.dmp

    Filesize

    308KB

  • memory/2504-2-0x0000000000400000-0x000000000044D000-memory.dmp

    Filesize

    308KB

  • memory/2504-1-0x0000000000400000-0x000000000044D000-memory.dmp

    Filesize

    308KB

  • memory/2504-12-0x0000000000400000-0x000000000044D000-memory.dmp

    Filesize

    308KB

  • memory/2504-168-0x0000000000400000-0x000000000044D000-memory.dmp

    Filesize

    308KB