Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
11/12/2024, 03:18
Static task
static1
Behavioral task
behavioral1
Sample
dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe
-
Size
158KB
-
MD5
dfaff61cc52fd8046155a25223c445d7
-
SHA1
c21d9d718a42e3f1714da040967996a29dbc2fff
-
SHA256
fde118339d2df0a5ce48cd13eb7d352241530ab209d98527175e62549b2149b2
-
SHA512
58a8ca7dadb7c6fee9de8be91fa0d97740d6ff49caba96dd4d5580602ff46a48d5885ba6d5db1d5a6b0f4290f184c95cc227039a4aaf0b83e23eaafb3cfa8015
-
SSDEEP
3072:qc9iaVVscs9CVQ/6OPSINZLSGu9XoEKfUeRv1QqSOXCaj2L9rKZVaHUZK2TeuLt4:N9igscs9nNVuMceDQ9GsK3yUeOW
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 5 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral1/memory/2408-6-0x0000000000400000-0x0000000000442000-memory.dmp family_cycbot behavioral1/memory/2308-14-0x0000000000400000-0x0000000000442000-memory.dmp family_cycbot behavioral1/memory/2308-72-0x0000000000400000-0x0000000000442000-memory.dmp family_cycbot behavioral1/memory/1292-75-0x0000000000400000-0x0000000000442000-memory.dmp family_cycbot behavioral1/memory/2308-180-0x0000000000400000-0x0000000000442000-memory.dmp family_cycbot -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe" dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe -
resource yara_rule behavioral1/memory/2308-2-0x0000000000400000-0x0000000000442000-memory.dmp upx behavioral1/memory/2408-5-0x0000000000400000-0x0000000000442000-memory.dmp upx behavioral1/memory/2408-6-0x0000000000400000-0x0000000000442000-memory.dmp upx behavioral1/memory/2308-14-0x0000000000400000-0x0000000000442000-memory.dmp upx behavioral1/memory/2308-72-0x0000000000400000-0x0000000000442000-memory.dmp upx behavioral1/memory/1292-75-0x0000000000400000-0x0000000000442000-memory.dmp upx behavioral1/memory/2308-180-0x0000000000400000-0x0000000000442000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2308 wrote to memory of 2408 2308 dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe 30 PID 2308 wrote to memory of 2408 2308 dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe 30 PID 2308 wrote to memory of 2408 2308 dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe 30 PID 2308 wrote to memory of 2408 2308 dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe 30 PID 2308 wrote to memory of 1292 2308 dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe 33 PID 2308 wrote to memory of 1292 2308 dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe 33 PID 2308 wrote to memory of 1292 2308 dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe 33 PID 2308 wrote to memory of 1292 2308 dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Users\Admin\AppData\Local\Temp\dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming2⤵
- System Location Discovery: System Language Discovery
PID:2408
-
-
C:\Users\Admin\AppData\Local\Temp\dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\dfaff61cc52fd8046155a25223c445d7_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp2⤵
- System Location Discovery: System Language Discovery
PID:1292
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD54f85045902fc1e4d898a8864cc6c38d3
SHA1e3b54b6a8838cb2e78972859c330b0ff9f2889ad
SHA256ef31805553070d85e91ba748a557204767648bc2154c9c3f9f72c427d1780059
SHA512792d91f0b161dec31edcc538e98ab8171cd7bda09ee1052e96fade543c1c13c8746e3af55b7180293101c4407b9e3a64e938cc14e925cde9dfa647d408fee024
-
Filesize
600B
MD594e96cc4183ddb53e7c7369e2dc4ab17
SHA1b96fd40febbd4ad79570ec755b93992d896fe51b
SHA256df9e66eb3fcf2ab376506ff78042bb9599613922b1b1cdb068a0fe82b1c2e8ea
SHA512413740bf628e5ce91a2e917a27d69b01686bb63d9a381038bd6f984ac97f82cac01b84a910b42d56b5806251c8a2397c1a25d70698c33d9c6d4ee10c3519a164
-
Filesize
996B
MD5b029aadffc8a096c9f4a02c28ef47259
SHA15439b6f258002a50470f285981f6cc303de4dde5
SHA256318131d40883d297c29c84065a19abac59c9e033082240828a741bb62eaae567
SHA51235b28a4f0d440f3ebd7f94689db8bb0183310cefbf9bd44d93188f2cd894dcf25192cba815117ef58bc44ea4fd282b97c3dcf66734224a3a8f28f3a2bdd823c4