Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 140s
max time network: 118s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 11/12/2024, 14:34
Static task: static1
Behavioral task: behavioral1
  Sample: e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe
Size: 162KB
MD5: e1e6cf942e867ee65c66c913751ad5e4
SHA1: 092bdcb476d572875a1097c7c2e9d373cda81e56
SHA256: cd9dd49d3c6c31b71fb3d635498f65065d18adb2da2164bfadfdfa7fb3d7030c
SHA512: 4a7d623538f71e8bd5521309acfcc12a7a962c51b6d724973af59215b1452e857fd0289b2fcd0a916ea4868b5417f3a8c2e5ffa19edfae801ec6b99e4f5a5b7c
SSDEEP: 3072:wqmPFc2RTgZZ1uhpT5SX6wO3YqxdTcs33nLvKNDNSirly:xmPFc2RTWs/BSqfTcsLv2Si8
Malware Config
Signatures

Cycbot family

Detects Cycbot payload (5 IoCs)
Cycbot is a backdoor and trojan written in C++.
  resource                                                                      yara_rule
  behavioral1/memory/2804-7-0x0000000000400000-0x0000000000442000-memory.dmp    family_cycbot
  behavioral1/memory/2884-15-0x0000000000400000-0x0000000000442000-memory.dmp   family_cycbot
  behavioral1/memory/2884-80-0x0000000000400000-0x0000000000442000-memory.dmp   family_cycbot
  behavioral1/memory/1988-83-0x0000000000400000-0x0000000000442000-memory.dmp   family_cycbot
  behavioral1/memory/2884-188-0x0000000000400000-0x0000000000442000-memory.dmp  family_cycbot

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                            Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"    e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe

  resource                                                                      yara_rule
  behavioral1/memory/2884-2-0x0000000000400000-0x0000000000442000-memory.dmp    upx
  behavioral1/memory/2804-5-0x0000000000400000-0x0000000000442000-memory.dmp    upx
  behavioral1/memory/2804-7-0x0000000000400000-0x0000000000442000-memory.dmp    upx
  behavioral1/memory/2884-15-0x0000000000400000-0x0000000000442000-memory.dmp   upx
  behavioral1/memory/2884-80-0x0000000000400000-0x0000000000442000-memory.dmp   upx
  behavioral1/memory/1988-83-0x0000000000400000-0x0000000000442000-memory.dmp   upx
  behavioral1/memory/2884-188-0x0000000000400000-0x0000000000442000-memory.dmp  upx
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                             procid_target
  PID 2884 wrote to memory of 2804  2884  e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe  30
  PID 2884 wrote to memory of 2804  2884  e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe  30
  PID 2884 wrote to memory of 2804  2884  e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe  30
  PID 2884 wrote to memory of 2804  2884  e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe  30
  PID 2884 wrote to memory of 1988  2884  e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe  32
  PID 2884 wrote to memory of 1988  2884  e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe  32
  PID 2884 wrote to memory of 1988  2884  e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe  32
  PID 2884 wrote to memory of 1988  2884  e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe  32
Processes
C:\Users\Admin\AppData\Local\Temp\e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2884

  C:\Users\Admin\AppData\Local\Temp\e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    - System Location Discovery: System Language Discovery
    PID: 2804

  C:\Users\Admin\AppData\Local\Temp\e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
    - System Location Discovery: System Language Discovery
    PID: 1988
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: d6967f503f6f7fc0a9e2fdd705b47894
SHA1: a8952cdb2962d3e2b00a787929e52ca562271c96
SHA256: 753a23571452683f14ecce83a50e5d99c02d85e0199fbb4c6f90d2ce9e252ce0
SHA512: 72a5e412c7be1a983df786c052c57bb190b883fff9acc2276e8c4a9765ccb9d56a2be904071f8271fcd849c2e2aca404d83caf3be7f7a719aa5f2198651295d4

Filesize: 600B
MD5: fdaa7c672302974ed6b34960be8e9b2c
SHA1: 42ba89d4558454eb0c5f7e78ef5453bc179f3329
SHA256: 667da9caa47019b2a4c7ae359c5b36c0dca97a26657e5c789c432d6b6256db06
SHA512: 0d605689dc9b9fb018870327073712aef0d98b59750d863d2df2a609d3394ff6aa7e23eeb08f270a6e27eb19097865aca289c08ba6278f66ccbc12ff1f9e42f3

Filesize: 996B
MD5: 2869fbc19a73671dbb9a2a1884c088a6
SHA1: 94a42d1ac11e8a4772cdafa2d281e2ce7442b9da
SHA256: 6a4b999747dce61d928d2b2471868a04b73f6d4a003b202da16a61f795f66ed9
SHA512: bb69fdd7c3ddddbecd37a33922f8247b5250f300398938760e0da81655a983f8ba3978c0253a3cdabee3631ec04a7f492042217a17c4e66c76a644bf652ee952