Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 140s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15/12/2024, 01:04
Static task: static1
Behavioral task: behavioral1
Sample: f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe
Size: 184KB
MD5: f19347ed79cb7aa5ef62fc86e258ce4a
SHA1: 60d1044da8df4b8f5207eaad7a9a0f2aa7c6bed3
SHA256: d35a9255de0cf04833f12fec3d709792f49bb9f18229a8b42183e035b9d80896
SHA512: 7117a22f11baa63ba0311e70402b7cbba4b9814f99840f62f4dfeb38d7ebda41278f0ceffafba1dcdfa3d46f6f99780ba37cb1a3fd5fa8a069d17f6922e9b223
SSDEEP: 3072:6b8GZwHMnOJsrDLsvsWqmno1PHA1qu7fqyB6PID/p5UkgvmODt:6bTKsng8XsDo1PHAgu7fKQp53gvv
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (6 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource / yara_rule:
  behavioral1/memory/2692-9-0x0000000000400000-0x000000000048E000-memory.dmp  family_cycbot
  behavioral1/memory/2692-11-0x0000000000400000-0x000000000048E000-memory.dmp  family_cycbot
  behavioral1/memory/3024-16-0x0000000000400000-0x000000000048E000-memory.dmp  family_cycbot
  behavioral1/memory/3024-87-0x0000000000400000-0x000000000048E000-memory.dmp  family_cycbot
  behavioral1/memory/1400-90-0x0000000000400000-0x000000000048E000-memory.dmp  family_cycbot
  behavioral1/memory/3024-205-0x0000000000400000-0x000000000048E000-memory.dmp  family_cycbot
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description / ioc / Process:
  Set value (str)  \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"  f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- yara_rule upx
  resource / yara_rule:
  behavioral1/memory/3024-2-0x0000000000400000-0x000000000048E000-memory.dmp  upx
  behavioral1/memory/2692-9-0x0000000000400000-0x000000000048E000-memory.dmp  upx
  behavioral1/memory/2692-11-0x0000000000400000-0x000000000048E000-memory.dmp  upx
  behavioral1/memory/3024-16-0x0000000000400000-0x000000000048E000-memory.dmp  upx
  behavioral1/memory/3024-87-0x0000000000400000-0x000000000048E000-memory.dmp  upx
  behavioral1/memory/1400-89-0x0000000000400000-0x000000000048E000-memory.dmp  upx
  behavioral1/memory/1400-90-0x0000000000400000-0x000000000048E000-memory.dmp  upx
  behavioral1/memory/3024-205-0x0000000000400000-0x000000000048E000-memory.dmp  upx
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description / pid / Process / procid_target:
  PID 3024 wrote to memory of 2692  3024  f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe  31
  PID 3024 wrote to memory of 2692  3024  f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe  31
  PID 3024 wrote to memory of 2692  3024  f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe  31
  PID 3024 wrote to memory of 2692  3024  f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe  31
  PID 3024 wrote to memory of 1400  3024  f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe  33
  PID 3024 wrote to memory of 1400  3024  f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe  33
  PID 3024 wrote to memory of 1400  3024  f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe  33
  PID 3024 wrote to memory of 1400  3024  f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe  33
Processes
- C:\Users\Admin\AppData\Local\Temp\f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe"
  Depth: 1
  - Modifies WinLogon for persistence
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3024
  - C:\Users\Admin\AppData\Local\Temp\f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
    Depth: 2
    - System Location Discovery: System Language Discovery
    PID: 2692
  - C:\Users\Admin\AppData\Local\Temp\f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
    Depth: 2
    - System Location Discovery: System Language Discovery
    PID: 1400
Network
MITRE ATT&CK Enterprise v15
Downloads