Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    15/12/2024, 01:04

General

  • Target

    f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe

  • Size

    184KB

  • MD5

    f19347ed79cb7aa5ef62fc86e258ce4a

  • SHA1

    60d1044da8df4b8f5207eaad7a9a0f2aa7c6bed3

  • SHA256

    d35a9255de0cf04833f12fec3d709792f49bb9f18229a8b42183e035b9d80896

  • SHA512

    7117a22f11baa63ba0311e70402b7cbba4b9814f99840f62f4dfeb38d7ebda41278f0ceffafba1dcdfa3d46f6f99780ba37cb1a3fd5fa8a069d17f6922e9b223

  • SSDEEP

    3072:6b8GZwHMnOJsrDLsvsWqmno1PHA1qu7fqyB6PID/p5UkgvmODt:6bTKsng8XsDo1PHAgu7fKQp53gvv

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 6 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • UPX packed file 8 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs
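
The "UPX packed file" signature above comes down to a check on the PE section table. The block below is an added example, not part of the tria.ge report and not code from the sample: it parses the section names out of a PE image and also looks for the `UPX!` marker string that stock UPX writes into the packed file. The sample itself is not on this page, so the PE images the block runs on are constructed inline (a packed layout, a clean layout, and a "modified UPX" layout with renamed sections).

```python
"""UPX indicators from the PE section table and the UPX! marker.

Added example, not from the tria.ge report. The PE images built by
build_fake_pe() are constructed to exercise the parser; they are not the
sample f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe.
"""
from __future__ import annotations

import struct


def pe_section_names(data: bytes) -> list[str]:
    """Return the section names of a PE image, walking the headers by hand."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    # e_lfanew (offset of the PE signature) lives at 0x3C in the DOS header.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                 # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        off = table + 40 * i                                     # each header is 40 bytes
        raw = data[off:off + 8]                                  # Name is 8 bytes, NUL padded
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Two independent UPX indicators; either alone can be defeated by a modified build."""
    names = pe_section_names(data)
    return {
        "sections": names,
        # Stock UPX names its sections UPX0/UPX1 (and UPX2 or .rsrc).
        "upx_section_names": any(n.upper().startswith("UPX") for n in names),
        # Stock UPX also writes a "UPX!" marker into the file body.
        "upx_marker": b"UPX!" in data,
    }


def build_fake_pe(section_names: list[str], extra: bytes = b"") -> bytes:
    """Constructed minimal PE32 image: DOS stub, PE signature, COFF header,
    a zero-filled optional header and one section header per name."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 0xE0                                              # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = b"\x0b\x01" + b"\0" * (opt_size - 2)                   # PE32 magic, rest zeroed
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + sections + extra


# Constructed test images (not the sample from this page).
PACKED = build_fake_pe(["UPX0", "UPX1", ".rsrc"], extra=b"\0UPX!\0")
CLEAN = build_fake_pe([".text", ".rdata", ".data"])
RENAMED = build_fake_pe([".text", ".data", ".rsrc"], extra=b"UPX!")  # sections renamed, marker kept

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("clean", CLEAN), ("renamed", RENAMED)):
        print(label, upx_indicators(img))
```

Section names alone are a weak indicator: a modified UPX build can rename UPX0/UPX1 to `.text`/`.data`, and the marker can be patched out just as easily, so treat either hit as a reason to unpack and look further rather than as a verdict.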

Processes

  • C:\Users\Admin\AppData\Local\Temp\f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Users\Admin\AppData\Local\Temp\f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2692
    • C:\Users\Admin\AppData\Local\Temp\f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1400
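
The process tree above shows the parent (PID 3024) re-launching its own image twice, each time with an argument of the form `start<payload path>%<directory>`, pointing at a `conhost.exe` under `AppData\Roaming\Microsoft` and a `csrss.exe` under `AppData\Local\Temp`. The block below is an added example of how an analyst would triage that tree, not code from the tria.ge report: it parses the argument form seen here, flags Windows system-process names that resolve outside `C:\Windows`, and compares Winlogon `Shell`/`Userinit` values against their Windows 7 defaults for the "Modifies WinLogon for persistence" hit. The two command lines are copied from the report; the Winlogon values are constructed for illustration, because the report lists the signature but not the value written.

```python
"""Triage of the self-spawn command lines and Winlogon values.

Added example, not from the tria.ge report. CHILD_CMDLINES are copied
from the Processes section; CONSTRUCTED_WINLOGON is a made-up tampered
value, not what this sample wrote.
"""
from __future__ import annotations

import ntpath
import re

# Copied from the Processes section of the report.
CHILD_CMDLINES = [
    r"C:\Users\Admin\AppData\Local\Temp\f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft",
    r"C:\Users\Admin\AppData\Local\Temp\f19347ed79cb7aa5ef62fc86e258ce4a_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp",
]

# System process names that malware borrows; conhost.exe and csrss.exe are
# the two this report shows, the rest are common additions (assumption).
SYSTEM_BINARY_NAMES = {"conhost.exe", "csrss.exe", "svchost.exe", "lsass.exe",
                       "winlogon.exe", "explorer.exe"}

# " start<payload>%<workdir>" as it appears on this page.
START_ARG = re.compile(r"\sstart(?P<payload>[^%]+)%(?P<workdir>.+)$", re.IGNORECASE)

# Windows 7 defaults under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
WINLOGON_DEFAULTS = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",
}


def parse_start_arg(cmdline: str) -> tuple[str, str] | None:
    """Split the start<payload>%<workdir> argument; None if the form is absent."""
    m = START_ARG.search(cmdline)
    if not m:
        return None
    return m.group("payload"), m.group("workdir")


def is_under_windows_dir(path: str) -> bool:
    return path.lower().replace("/", "\\").startswith("c:\\windows\\")


def masquerade_findings(cmdline: str) -> dict | None:
    """Flag a system-process name that lives outside C:\\Windows."""
    parsed = parse_start_arg(cmdline)
    if parsed is None:
        return None
    payload, workdir = parsed
    name = ntpath.basename(payload).lower()
    return {
        "payload": payload,
        "workdir": workdir,
        "system_name_outside_windows": name in SYSTEM_BINARY_NAMES and not is_under_windows_dir(payload),
        # The workdir argument matches the payload's directory on both lines above.
        "payload_in_workdir": ntpath.dirname(payload).lower() == workdir.lower(),
    }


def triage(cmdlines: list[str]) -> list[dict | None]:
    return [masquerade_findings(c) for c in cmdlines]


def winlogon_findings(values: dict[str, str]) -> list[str]:
    """Names of Winlogon values that differ from the defaults (case-insensitive)."""
    norm = {k.lower(): v.strip().lower() for k, v in values.items()}
    return [k for k, default in WINLOGON_DEFAULTS.items() if norm.get(k) != default]


# Constructed illustration of a tampered Shell value; NOT taken from this report.
CONSTRUCTED_WINLOGON = {
    "Shell": r"explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}

if __name__ == "__main__":
    for finding in triage(CHILD_CMDLINES):
        print(finding)
    print("non-default Winlogon values:", winlogon_findings(CONSTRUCTED_WINLOGON))
```

When reproducing the Winlogon check on a live host or a registry hive, read both `HKLM` and `HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon`: a per-user `Shell` value is honoured too, and a comparison that only covers the machine hive will miss it.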

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\EABB.FA8

    Filesize

    300B

    MD5

    51356741dbd59bf6331b5eef1f2121b5

    SHA1

    d833a32203b45be6abb3cc61d5a0093f1f0a455c

    SHA256

    b54c298e113c09156597119e9df3ac9c4de1dd68f989c1166c32481a55723bd8

    SHA512

    0088367a780d2379457046de90c36d61fc84a93226f94423acf7c6591340af9f68916152a47a3c59fd7d143b7fa166c4105a20d1c0d6a8f7b5e837f8d0dd8b27

  • C:\Users\Admin\AppData\Roaming\EABB.FA8

    Filesize

    1KB

    MD5

    55384ea4797097f070b1163cc70720ed

    SHA1

    c79d3d132d10a4ba48717306f699726a53657aa5

    SHA256

    7f7051d637901f3bfa67bbea7d88d436cf29e9eed4996a33a691d94aab90f541

    SHA512

    645f784d69c1978428cbf01cdac10156b3d7a46fe3e2124d422e76cea59b9027e7f24bbe28090ba9067380344fae475e4c40743c64202b3a7864dc85913838ac

  • C:\Users\Admin\AppData\Roaming\EABB.FA8

    Filesize

    600B

    MD5

    47109caba2eb0cadd253fb577be2ba82

    SHA1

    575651aaa63cfeb068ed2402ee3e05f65217eba0

    SHA256

    15fb6679134e1af4228a47f8ed6275a834373b8ac486c2c831c1b0ca236d4cf5

    SHA512

    3efd078cdca7462b61fe014ec6f3753b6ee164bec60ad44808c6c701e41693b1a7a4fde3059f39684bde3a7befa33ec70c8bdaa0fdcaa3199e68f31bee1b5f91

  • C:\Users\Admin\AppData\Roaming\EABB.FA8

    Filesize

    996B

    MD5

    e52f0fd5ea69d96f0c57988e4ed50b2c

    SHA1

    a1b1731e62ada970f8e499e57934c6e46e4bbe5b

    SHA256

    ff7ad8ca495f9d7b07a7dc3478a04dbb8176cc1749005fa856de6bac50b90b0c

    SHA512

    319b2f2c7307d1bdd93b77f6a1f93c08ed320c1265afcc2df231f766c01772a333b3f63b324517da39e23bfcaf923fa365ee2e6a3d7d5afee87dab0f6d378904

  • memory/1400-89-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

  • memory/1400-90-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

  • memory/2692-11-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

  • memory/2692-9-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

  • memory/3024-16-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

  • memory/3024-87-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

  • memory/3024-1-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

  • memory/3024-2-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

  • memory/3024-205-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB