Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    12/12/2024, 16:47

General

  • Target

    e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe

  • Size

    185KB

  • MD5

    e755860f7cecd6e6d29b4d05a9d57850

  • SHA1

    1c763d478a8e15dde9b14df33b572c1e8e73c6c3

  • SHA256

    a7d2335f5ae0c8d56b61a575f63d67adf75531b612f79159fe1ab188f6c95305

  • SHA512

    bc129288c4f80da85ca4617789717c713e761ed106e40d90420d88bb5f5a58d48221373e916bffd5dd8f50c26ce093cc21c20e036512066b9584a9e1aec30766

  • SSDEEP

    3072:pLNmKrY2wW7KultckLEael5a00ciGS6725W8ZRfCdzvFVK6/U8WRG5OXc:x1rN37KYtc1Nl5aYMi20SCNvn/iRAO

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 7 IoCs

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Users\Admin\AppData\Local\Temp\e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2544
    • C:\Users\Admin\AppData\Local\Temp\e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:980
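The two child processes above are the sample re-launched with a single argument of the form start<path>%<directory>, where the path names a copy called conhost.exe or csrss.exe under the user's profile, and the signature list flags a Winlogon change for persistence without saying which value was touched. The following script is an added example, not part of the Triage report or of the sample, that turns those two observations into offline checks an analyst can run over the report's command lines and over an exported Winlogon key. It assumes the "start" argument names the copy the sample installs (Triage only shows the raw string), assumes the Windows 7 x64 defaults for Shell and Userinit, and uses a constructed Winlogon export for the persistence check because the report does not show the modified value.

```python
"""Offline triage helpers for the behaviour shown in the report above.

Added example, not part of the Triage report or of the sample's own code.
Assumptions are marked inline.
"""
import ntpath
import re
from dataclasses import dataclass

# Default Winlogon values on a clean English 64-bit Windows 7 install
# (assumption: adjust for other versions or localisations).
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}

# Windows process names that malware borrows to blend in (ATT&CK T1036.005)
# and the directories where the real binaries live.
SYSTEM_PROCESS_NAMES = {"conhost.exe", "csrss.exe", "svchost.exe", "lsass.exe",
                        "winlogon.exe", "explorer.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Argument shape from the process tree: "start<copy.exe>%<directory>".
# Assumption: the path after "start" is where the sample installs a copy of
# itself and the part after "%" is that copy's directory; Triage shows only
# the raw string.
START_ARG_RE = re.compile(
    r"^start(?P<target>[A-Za-z]:\\.+?\.exe)%(?P<dir>[A-Za-z]:\\.*)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def parse_start_arg(arg: str):
    """Return (target_path, directory) from a 'start...%...' argument, else None."""
    m = START_ARG_RE.match(arg)
    return (m.group("target"), m.group("dir")) if m else None


def masquerade_findings(path: str):
    """Flag a system-process name that lives outside the Windows directories."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    findings = []
    if name in SYSTEM_PROCESS_NAMES and not directory.startswith(SYSTEM_DIRS):
        findings.append(Finding("masquerade", f"{name} outside System32: {path}"))
    if "\\appdata\\" in directory:  # user-writable drop location
        findings.append(Finding("user-writable-drop", path))
    return findings


def process_tree_findings(cmdlines):
    """Run the checks over raw command lines as shown in the Triage process tree."""
    findings = []
    for cmdline in cmdlines:
        # Assumption: the sample's own path contains no spaces, so the first
        # space separates the image path from its single argument.
        parts = cmdline.split(" ", 1)
        if len(parts) != 2:
            continue
        parsed = parse_start_arg(parts[1])
        if parsed is None:
            continue
        target, directory = parsed
        if ntpath.dirname(target).lower() != directory.lower():
            findings.append(Finding("arg-mismatch", cmdline))
        findings.extend(masquerade_findings(target))
    return findings


def winlogon_findings(values):
    """Compare exported Winlogon values (name -> data) against the defaults."""
    findings = []
    for name, expected in WINLOGON_DEFAULTS.items():
        actual = values.get(name)
        if actual is not None and actual.strip().lower() != expected.lower():
            findings.append(Finding("winlogon", f"{name}={actual!r} expected {expected!r}"))
    return findings


# Command lines copied from the process tree above.
REPORT_CMDLINES = [
    r"C:\Users\Admin\AppData\Local\Temp\e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe "
    r"startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft",
    r"C:\Users\Admin\AppData\Local\Temp\e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe "
    r"startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp",
]

# Constructed Winlogon export (not from the report, which does not show which
# value the sample changed): Userinit with an extra executable appended.
CONSTRUCTED_WINLOGON = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe,",
}

if __name__ == "__main__":
    for f in process_tree_findings(REPORT_CMDLINES) + winlogon_findings(CONSTRUCTED_WINLOGON):
        print(f"[{f.kind}] {f.detail}")
```

On the report's own command lines the script raises a masquerade and a user-writable-drop finding for each child (conhost.exe under Roaming\Microsoft, csrss.exe under Local\Temp); feeding it a real export of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon from the infected image would show whether Shell or Userinit was the value changed.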

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\AF99.5FC

    Filesize

    597B

    MD5

    4e081d0820b3aa56ba2f13da89c9b62e

    SHA1

    944ffb9d0d2e1bbe2eecfe7877d01f8836445ea1

    SHA256

    a92542ca90c854db2269f7405fa2a6259acfb66411fbd3019a3cf94b8c3d5315

    SHA512

    fb6d010dcdc9f597fb36d04fd1923a8a83dd823675f28435c222a5099317a9e46408d49048f71170e989b06e8e647faf20ec53bb016dd3500def02a3f67ecc6b

  • C:\Users\Admin\AppData\Roaming\AF99.5FC

    Filesize

    1KB

    MD5

    23728069a5eb563602ef987cbfa4131a

    SHA1

    ecf9e26edf82d2e41e8a1ab421ca0372c22db60e

    SHA256

    5bce2b18cc7c15e566fdb3e87c84a042088bc968a31236e8cc86d59fb635032e

    SHA512

    1efbb4591fa79fec1706c65c1888b5a7474eab8e2e077b0485ee49b382a8e38311e5a405b6c091a9c8d2c7db69c19b98f56a68e6ccdca82d24ea6bb8f5f8711c

  • C:\Users\Admin\AppData\Roaming\AF99.5FC

    Filesize

    897B

    MD5

    f2da458d2f54d0da3269e197321cd160

    SHA1

    2a35ea05330f1522774e185afba2dbeb59ea6fd9

    SHA256

    15a40fd367da0f817f306fb1521842505ddb7b6072a5a57f90ebe395b7949958

    SHA512

    6c9e7bfc9fb0188817a74ad641a48f0b29694b5bb860eb1a47eba3d42e30f508596f463b7541ff73c0514b18cc6d1837255f7e52523f4ffbacaba010510c3b3a

  • C:\Users\Admin\AppData\Roaming\AF99.5FC

    Filesize

    1KB

    MD5

    5b19f1d7fca019f08f9335fabf51b174

    SHA1

    d13bd5b31e16e3feaceeab12c8e7050218b7cab6

    SHA256

    fc337e35340b41df0364552d0bbac56f1ed63af41b5df770f3bb6c2cc0f12be2

    SHA512

    7bad84e69e552f5b2cf3eff90900666467601078e1590e2bcb1f3a9d2afe7046fb9d993096a01afb1823755ae74b7d823e31f48b1ba15449eb4f2df63b1067ff

  • memory/980-88-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/980-90-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/2536-2-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/2536-1-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/2536-204-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/2536-20-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/2536-86-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/2544-15-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/2544-21-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/2544-14-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB