Analysis
- max time kernel: 140s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 10/12/2024, 20:57
Static task: static1
Behavioral task: behavioral1
  Sample: de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
- Target: de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
- Size: 201KB
- MD5: de74448b4a398e9df200dcfdc2c6f7e5
- SHA1: 1065fe6f58880976cfeab0e57d9f35de587a54e4
- SHA256: b8417527766e5b64a490cafb0105e6df80dcea8a9c2dca88ce2fcc79a703724a
- SHA512: 0591178849d17f12227eea866cff806a91fae6ec8cca45fcd45aa51d89aed6adf2c9c3bf8f0b61d92156ef66b0ecf41b5d88c19cb75548bb770826ad46254517
- SSDEEP: 3072:ptZBDetdPfnhv7o4CbWnHcU3zbjgUznaBVrEOKQz6Mq3TlMg2agNFGvynNE1HJSg:ptZBDebfnhjJfDgUzSEetg2agKveUQF
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload (4 IoCs)
Cycbot is a backdoor and trojan written in C++.
  resource                                                                    yara_rule
  behavioral1/memory/1740-5-0x0000000000400000-0x000000000044D000-memory.dmp    family_cycbot
  behavioral1/memory/2504-12-0x0000000000400000-0x000000000044D000-memory.dmp   family_cycbot
  behavioral1/memory/2192-78-0x0000000000400000-0x000000000044D000-memory.dmp   family_cycbot
  behavioral1/memory/2504-168-0x0000000000400000-0x000000000044D000-memory.dmp  family_cycbot
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
  resource                                                                    yara_rule
  behavioral1/memory/2504-2-0x0000000000400000-0x000000000044D000-memory.dmp    upx
  behavioral1/memory/1740-5-0x0000000000400000-0x000000000044D000-memory.dmp    upx
  behavioral1/memory/2504-12-0x0000000000400000-0x000000000044D000-memory.dmp   upx
  behavioral1/memory/2192-78-0x0000000000400000-0x000000000044D000-memory.dmp   upx
  behavioral1/memory/2504-168-0x0000000000400000-0x000000000044D000-memory.dmp  upx
-
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
  description                          pid   Process                                             procid_target
  PID 2504 wrote to memory of 1740     2504  de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe  31
  PID 2504 wrote to memory of 1740     2504  de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe  31
  PID 2504 wrote to memory of 1740     2504  de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe  31
  PID 2504 wrote to memory of 1740     2504  de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe  31
  PID 2504 wrote to memory of 2192     2504  de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe  33
  PID 2504 wrote to memory of 2192     2504  de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe  33
  PID 2504 wrote to memory of 2192     2504  de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe  33
  PID 2504 wrote to memory of 2192     2504  de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe  33
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2504
  - Path: C:\Users\Admin\AppData\Local\Temp\de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
    - System Location Discovery: System Language Discovery
    PID: 1740
  - Path: C:\Users\Admin\AppData\Local\Temp\de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\de74448b4a398e9df200dcfdc2c6f7e5_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    - System Location Discovery: System Language Discovery
    PID: 2192
Network
MITRE ATT&CK Enterprise v15
Downloads
-
  Filesize: 1KB
  MD5: d88490002a91235ca412d4a15d136e3a
  SHA1: adb79c01f03740278d72d2298e2164d5098dbf0c
  SHA256: 95f385d1cfa6dbae6f0bd38d48374537cf4f19ccbcc2b148a0138099906e5c57
  SHA512: 262ae8babc77e8c9a6137a057cd5b40d9c729922cfcea6b2a5be8350ae10bf7d646bf5c6ba491fa5021bce33d07c0c99f7cb9bd98bea308875ad198ef3f1db02
-
  Filesize: 600B
  MD5: e49874dadf21c071163b0d0aa7c0170c
  SHA1: 7346aba8dc5b2f2f53b3cdfa6c52dea984f8a3b3
  SHA256: 21e86468d221d534b35b2bc982b979c9267ed750e4a95d508bfcc00c61ec8489
  SHA512: efdb4407b5c0ea6daaea3da93bad3092e9241ba286d57f1c8495f44e5cdf02cbab579d05ae8dc4c36423cc2609998d5c627472d818d622558461d1f95561bd8e
-
  Filesize: 996B
  MD5: cc831d3dd9f663401acae75e5796ffe1
  SHA1: 8ab02aedbffef667dc64d01d15003c7cd203e4e8
  SHA256: a04832cb0288a05edf98d134ff79679bcf72eb93932dda5fd388c68e0f293b64
  SHA512: 852d4ccbd91d5d9996efc783e7733875fe74b0cadbf1db8c05e41b3c59f2c71dbf83f5429dfb143b1b1c70cafa8c61e010287b7251a1744f549f0925831705f2