Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12/12/2024, 16:47
Static task
static1
Behavioral task
behavioral1
Sample
e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe
-
Size
185KB
-
MD5
e755860f7cecd6e6d29b4d05a9d57850
-
SHA1
1c763d478a8e15dde9b14df33b572c1e8e73c6c3
-
SHA256
a7d2335f5ae0c8d56b61a575f63d67adf75531b612f79159fe1ab188f6c95305
-
SHA512
bc129288c4f80da85ca4617789717c713e761ed106e40d90420d88bb5f5a58d48221373e916bffd5dd8f50c26ce093cc21c20e036512066b9584a9e1aec30766
-
SSDEEP
3072:pLNmKrY2wW7KultckLEael5a00ciGS6725W8ZRfCdzvFVK6/U8WRG5OXc:x1rN37KYtc1Nl5aYMi20SCNvn/iRAO
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 7 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral1/memory/2544-15-0x0000000000400000-0x000000000046C000-memory.dmp family_cycbot behavioral1/memory/2544-14-0x0000000000400000-0x000000000046C000-memory.dmp family_cycbot behavioral1/memory/2536-20-0x0000000000400000-0x000000000046C000-memory.dmp family_cycbot behavioral1/memory/2544-21-0x0000000000400000-0x000000000046C000-memory.dmp family_cycbot behavioral1/memory/2536-86-0x0000000000400000-0x000000000046C000-memory.dmp family_cycbot behavioral1/memory/980-90-0x0000000000400000-0x000000000046C000-memory.dmp family_cycbot behavioral1/memory/2536-204-0x0000000000400000-0x000000000046C000-memory.dmp family_cycbot -
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe" e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/2536-2-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/2544-15-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/2544-14-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/2536-20-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/2544-21-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/2536-86-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/980-88-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/980-90-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/2536-204-0x0000000000400000-0x000000000046C000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2536 wrote to memory of 2544 2536 e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe 30 PID 2536 wrote to memory of 2544 2536 e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe 30 PID 2536 wrote to memory of 2544 2536 e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe 30 PID 2536 wrote to memory of 2544 2536 e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe 30 PID 2536 wrote to memory of 980 2536 e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe 32 PID 2536 wrote to memory of 980 2536 e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe 32 PID 2536 wrote to memory of 980 2536 e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe 32 PID 2536 wrote to memory of 980 2536 e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Users\Admin\AppData\Local\Temp\e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft2⤵
- System Location Discovery: System Language Discovery
PID:2544
-
-
C:\Users\Admin\AppData\Local\Temp\e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp2⤵
- System Location Discovery: System Language Discovery
PID:980
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
597B
MD54e081d0820b3aa56ba2f13da89c9b62e
SHA1944ffb9d0d2e1bbe2eecfe7877d01f8836445ea1
SHA256a92542ca90c854db2269f7405fa2a6259acfb66411fbd3019a3cf94b8c3d5315
SHA512fb6d010dcdc9f597fb36d04fd1923a8a83dd823675f28435c222a5099317a9e46408d49048f71170e989b06e8e647faf20ec53bb016dd3500def02a3f67ecc6b
-
Filesize
1KB
MD523728069a5eb563602ef987cbfa4131a
SHA1ecf9e26edf82d2e41e8a1ab421ca0372c22db60e
SHA2565bce2b18cc7c15e566fdb3e87c84a042088bc968a31236e8cc86d59fb635032e
SHA5121efbb4591fa79fec1706c65c1888b5a7474eab8e2e077b0485ee49b382a8e38311e5a405b6c091a9c8d2c7db69c19b98f56a68e6ccdca82d24ea6bb8f5f8711c
-
Filesize
897B
MD5f2da458d2f54d0da3269e197321cd160
SHA12a35ea05330f1522774e185afba2dbeb59ea6fd9
SHA25615a40fd367da0f817f306fb1521842505ddb7b6072a5a57f90ebe395b7949958
SHA5126c9e7bfc9fb0188817a74ad641a48f0b29694b5bb860eb1a47eba3d42e30f508596f463b7541ff73c0514b18cc6d1837255f7e52523f4ffbacaba010510c3b3a
-
Filesize
1KB
MD55b19f1d7fca019f08f9335fabf51b174
SHA1d13bd5b31e16e3feaceeab12c8e7050218b7cab6
SHA256fc337e35340b41df0364552d0bbac56f1ed63af41b5df770f3bb6c2cc0f12be2
SHA5127bad84e69e552f5b2cf3eff90900666467601078e1590e2bcb1f3a9d2afe7046fb9d993096a01afb1823755ae74b7d823e31f48b1ba15449eb4f2df63b1067ff