Analysis
max time kernel: 140s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 13/12/2024, 01:20
Static task: static1
Behavioral task: behavioral1
  Sample: e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe
Size: 189KB
MD5: e932be6aa11209a76563ad07a5dc11c8
SHA1: 964f8d8c8006c77329e055fa6abcd3ac9b94204c
SHA256: 15362254b74485feaea4f677c38a1bae3de253aea1f379863a1698b5066dc17b
SHA512: 966f741c235d1ff0a08cc57f7f1911f364a193d825225b4d9b0dc46e6481e70be4536fafe9b46696389f847a139f2bd863382c9c2818fe90a84685f6107b9063
SSDEEP: 3072:q3OHwM/fvyKUb5anu+LPl8qYRHIsia238vnDEUPGApzgdjM23a0LYBRGZRhiQ8tQ:COD/Hy79suCC7J238vnDb9u5e08oZRdr
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (4 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource                                                                      yara_rule
  behavioral1/memory/2052-8-0x0000000000400000-0x0000000000469000-memory.dmp    family_cycbot
  behavioral1/memory/1964-17-0x0000000000400000-0x0000000000469000-memory.dmp   family_cycbot
  behavioral1/memory/2300-79-0x0000000000400000-0x0000000000469000-memory.dmp   family_cycbot
  behavioral1/memory/1964-178-0x0000000000400000-0x0000000000469000-memory.dmp  family_cycbot
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- resource                                                                      yara_rule
  behavioral1/memory/1964-2-0x0000000000400000-0x0000000000469000-memory.dmp    upx
  behavioral1/memory/2052-6-0x0000000000400000-0x0000000000469000-memory.dmp    upx
  behavioral1/memory/2052-8-0x0000000000400000-0x0000000000469000-memory.dmp    upx
  behavioral1/memory/1964-17-0x0000000000400000-0x0000000000469000-memory.dmp   upx
  behavioral1/memory/2300-78-0x0000000000400000-0x0000000000469000-memory.dmp   upx
  behavioral1/memory/2300-79-0x0000000000400000-0x0000000000469000-memory.dmp   upx
  behavioral1/memory/1964-178-0x0000000000400000-0x0000000000469000-memory.dmp  upx
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                                             procid_target
  PID 1964 wrote to memory of 2052   1964  e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe  30
  PID 1964 wrote to memory of 2052   1964  e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe  30
  PID 1964 wrote to memory of 2052   1964  e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe  30
  PID 1964 wrote to memory of 2052   1964  e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe  30
  PID 1964 wrote to memory of 2300   1964  e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe  32
  PID 1964 wrote to memory of 2300   1964  e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe  32
  PID 1964 wrote to memory of 2300   1964  e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe  32
  PID 1964 wrote to memory of 2300   1964  e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe  32
Processes
- C:\Users\Admin\AppData\Local\Temp\e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1964
  - C:\Users\Admin\AppData\Local\Temp\e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
    - System Location Discovery: System Language Discovery
    PID: 2052
  - C:\Users\Admin\AppData\Local\Temp\e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    - System Location Discovery: System Language Discovery
    PID: 2300
Network
MITRE ATT&CK Enterprise v15
Downloads