Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
14/12/2024, 17:40
Static task
static1
Behavioral task
behavioral1
Sample
efef3aa799d18128f6198c33a503ef27_JaffaCakes118.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
efef3aa799d18128f6198c33a503ef27_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
efef3aa799d18128f6198c33a503ef27_JaffaCakes118.exe
-
Size
195KB
-
MD5
efef3aa799d18128f6198c33a503ef27
-
SHA1
b8ccbbb683a03d5013c1e9081a4e49960ddfe706
-
SHA256
85b47ed30e3e470af594380e5b80867d5f02ab88883f60f42c372f283443515c
-
SHA512
7fe3038c3877546ce47c2f800e0fc44944a6b47b9ab3b08b69a309f2d309c7c12fbf16bf67b9bc6418228a387abdd9b974ebc79a5d3ded4563ad5430f570dc02
-
SSDEEP
3072:Mn47PND/60tW2D2oFPPHBUOfaZzsHH9CAjJBdpOfUmBtRdQQ4kOFJXTY9SMI:WkPp6P2D2GXHzDnIoVpHmBtPR8ZpM
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 5 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral1/memory/2976-14-0x0000000000400000-0x000000000048B000-memory.dmp family_cycbot behavioral1/memory/2660-15-0x0000000000400000-0x000000000048B000-memory.dmp family_cycbot behavioral1/memory/2660-78-0x0000000000400000-0x000000000048B000-memory.dmp family_cycbot behavioral1/memory/1752-81-0x0000000000400000-0x000000000048B000-memory.dmp family_cycbot behavioral1/memory/2660-171-0x0000000000400000-0x000000000048B000-memory.dmp family_cycbot -
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe" efef3aa799d18128f6198c33a503ef27_JaffaCakes118.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/2660-2-0x0000000000400000-0x000000000048B000-memory.dmp upx behavioral1/memory/2976-13-0x0000000000400000-0x000000000048B000-memory.dmp upx behavioral1/memory/2976-12-0x0000000000400000-0x000000000048B000-memory.dmp upx behavioral1/memory/2976-14-0x0000000000400000-0x000000000048B000-memory.dmp upx behavioral1/memory/2660-15-0x0000000000400000-0x000000000048B000-memory.dmp upx behavioral1/memory/2660-78-0x0000000000400000-0x000000000048B000-memory.dmp upx behavioral1/memory/1752-81-0x0000000000400000-0x000000000048B000-memory.dmp upx behavioral1/memory/2660-171-0x0000000000400000-0x000000000048B000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language efef3aa799d18128f6198c33a503ef27_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2660 wrote to memory of 2976 2660 efef3aa799d18128f6198c33a503ef27_JaffaCakes118.exe 30 PID 2660 wrote to memory of 2976 2660 efef3aa799d18128f6198c33a503ef27_JaffaCakes118.exe 30 PID 2660 wrote to memory of 2976 2660 efef3aa799d18128f6198c33a503ef27_JaffaCakes118.exe 30 PID 2660 wrote to memory of 2976 2660 efef3aa799d18128f6198c33a503ef27_JaffaCakes118.exe 30 PID 2660 wrote to memory of 1752 2660 efef3aa799d18128f6198c33a503ef27_JaffaCakes118.exe 32 PID 2660 wrote to memory of 1752 2660 efef3aa799d18128f6198c33a503ef27_JaffaCakes118.exe 32 PID 2660 wrote to memory of 1752 2660 efef3aa799d18128f6198c33a503ef27_JaffaCakes118.exe 32 PID 2660 wrote to memory of 1752 2660 efef3aa799d18128f6198c33a503ef27_JaffaCakes118.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\efef3aa799d18128f6198c33a503ef27_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\efef3aa799d18128f6198c33a503ef27_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Users\Admin\AppData\Local\Temp\efef3aa799d18128f6198c33a503ef27_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\efef3aa799d18128f6198c33a503ef27_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft2⤵PID:2976
-
-
C:\Users\Admin\AppData\Local\Temp\efef3aa799d18128f6198c33a503ef27_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\efef3aa799d18128f6198c33a503ef27_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp2⤵PID:1752
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD58ac96be4b43fd49c76ef05ed5c9b81a9
SHA17d004ab99baa8266700b9ee0a5ce2521adaf1092
SHA2565fdaee95cfd78b2dd38f94af52c62b2506922fd3a67e41d11564cb9759175deb
SHA512aa1fa0919c9aa3bcdd1472250ead65d2ac42fb760c6bb5a2aa846d39228d0b5e7988ccada28708e406a9d3f56733935e8054faa2d312a5b0485b6314c79eac0e
-
Filesize
600B
MD574eae087866119408d9ec7848cbc38e9
SHA100ba3a5f512ca5b90fb3926da1d8a2d30d744ac0
SHA256cf35825343bd3d8b4ac1e7c740ed62a722e553098e0d68676be97a970513728a
SHA512d1a1b9c3c05b0353e43e4efe41d65b64e94b3be63bc867983e42e738a88d7fb0eeffae17d0b74086efb0c395e3e8d3bf6ed74a1c9149ee3cf04880f102b7d26b
-
Filesize
996B
MD5bbd4666631a835a893b33c2a77c10831
SHA16f45442cfc7e877cbc351c3de413aad8d0dff192
SHA256177469d409ad680cf2e318a21855a6c4244b9db71fbf2b2a0e7fcc9ee0b844f5
SHA512c040d2634acb5056c18f315edaaadc2033b7ae962704a4ca462a7201e8b3da4aa934a26ff8cc8b5a3e4f946d3fa558e49b9fad84ea6eac561aacc010a748f68b