Analysis

  • max time kernel
    140s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/12/2024, 17:40

General

  • Target

    efef3aa799d18128f6198c33a503ef27_JaffaCakes118.exe

  • Size

    195KB

  • MD5

    efef3aa799d18128f6198c33a503ef27

  • SHA1

    b8ccbbb683a03d5013c1e9081a4e49960ddfe706

  • SHA256

    85b47ed30e3e470af594380e5b80867d5f02ab88883f60f42c372f283443515c

  • SHA512

    7fe3038c3877546ce47c2f800e0fc44944a6b47b9ab3b08b69a309f2d309c7c12fbf16bf67b9bc6418228a387abdd9b974ebc79a5d3ded4563ad5430f570dc02

  • SSDEEP

    3072:Mn47PND/60tW2D2oFPPHBUOfaZzsHH9CAjJBdpOfUmBtRdQQ4kOFJXTY9SMI:WkPp6P2D2GXHzDnIoVpHmBtPR8ZpM

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\efef3aa799d18128f6198c33a503ef27_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\efef3aa799d18128f6198c33a503ef27_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Users\Admin\AppData\Local\Temp\efef3aa799d18128f6198c33a503ef27_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\efef3aa799d18128f6198c33a503ef27_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      2⤵
      PID:2976
    • C:\Users\Admin\AppData\Local\Temp\efef3aa799d18128f6198c33a503ef27_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\efef3aa799d18128f6198c33a503ef27_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      2⤵
      PID:1752

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\01E7.941

    Filesize

    1KB

    MD5

    8ac96be4b43fd49c76ef05ed5c9b81a9

    SHA1

    7d004ab99baa8266700b9ee0a5ce2521adaf1092

    SHA256

    5fdaee95cfd78b2dd38f94af52c62b2506922fd3a67e41d11564cb9759175deb

    SHA512

    aa1fa0919c9aa3bcdd1472250ead65d2ac42fb760c6bb5a2aa846d39228d0b5e7988ccada28708e406a9d3f56733935e8054faa2d312a5b0485b6314c79eac0e

  • C:\Users\Admin\AppData\Roaming\01E7.941

    Filesize

    600B

    MD5

    74eae087866119408d9ec7848cbc38e9

    SHA1

    00ba3a5f512ca5b90fb3926da1d8a2d30d744ac0

    SHA256

    cf35825343bd3d8b4ac1e7c740ed62a722e553098e0d68676be97a970513728a

    SHA512

    d1a1b9c3c05b0353e43e4efe41d65b64e94b3be63bc867983e42e738a88d7fb0eeffae17d0b74086efb0c395e3e8d3bf6ed74a1c9149ee3cf04880f102b7d26b

  • C:\Users\Admin\AppData\Roaming\01E7.941

    Filesize

    996B

    MD5

    bbd4666631a835a893b33c2a77c10831

    SHA1

    6f45442cfc7e877cbc351c3de413aad8d0dff192

    SHA256

    177469d409ad680cf2e318a21855a6c4244b9db71fbf2b2a0e7fcc9ee0b844f5

    SHA512

    c040d2634acb5056c18f315edaaadc2033b7ae962704a4ca462a7201e8b3da4aa934a26ff8cc8b5a3e4f946d3fa558e49b9fad84ea6eac561aacc010a748f68b

  • memory/1752-81-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/1752-80-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2660-15-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2660-78-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2660-1-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2660-2-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2660-171-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2976-14-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2976-12-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2976-13-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB