Analysis
- max time kernel: 140s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 13/01/2025, 04:21
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe
- Resource: win7-20240903-en
General
- Target: JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe
- Size: 185KB
- MD5: 20cbec00156786bbb8f3505ec451c712
- SHA1: 13a4677960eb7011c4549b1747375658047e94e6
- SHA256: 647a18f570d05bf304a2f752aa3e46bac57a3b1aa05605976a630ec542b6680d
- SHA512: 24a4262aec82fd45736c62944d30097ea8a65cafb47155053a4606afadf6d9578a487811a5735e2d6ae7df81a39a2156f0984cb4f2907d9212f3a265da16a92c
- SSDEEP: 3072:PiWikRz6onQKh4NvWwqNoFrjpb3gh1gbuPBbi7sQVyugC9lZvRiSNy15cg+3g2LX:PXJ6iQ6KWsx2SuPBbi7lOC9fZiSq5m3f
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (5 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource / yara_rule:
  - behavioral1/memory/2544-14-0x0000000000400000-0x0000000000455000-memory.dmp / family_cycbot
  - behavioral1/memory/2112-15-0x0000000000400000-0x0000000000452000-memory.dmp / family_cycbot
  - behavioral1/memory/2112-16-0x0000000000400000-0x0000000000455000-memory.dmp / family_cycbot
  - behavioral1/memory/832-85-0x0000000000400000-0x0000000000455000-memory.dmp / family_cycbot
  - behavioral1/memory/2112-184-0x0000000000400000-0x0000000000455000-memory.dmp / family_cycbot
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- yara_rule upx matches (7 IoCs)
  resource / yara_rule:
  - behavioral1/memory/2112-2-0x0000000000400000-0x0000000000455000-memory.dmp / upx
  - behavioral1/memory/2544-13-0x0000000000400000-0x0000000000455000-memory.dmp / upx
  - behavioral1/memory/2544-14-0x0000000000400000-0x0000000000455000-memory.dmp / upx
  - behavioral1/memory/2112-15-0x0000000000400000-0x0000000000452000-memory.dmp / upx
  - behavioral1/memory/2112-16-0x0000000000400000-0x0000000000455000-memory.dmp / upx
  - behavioral1/memory/832-85-0x0000000000400000-0x0000000000455000-memory.dmp / upx
  - behavioral1/memory/2112-184-0x0000000000400000-0x0000000000455000-memory.dmp / upx
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description / pid / Process / procid_target:
  - PID 2112 wrote to memory of 2544 / 2112 / JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe / 30
  - PID 2112 wrote to memory of 2544 / 2112 / JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe / 30
  - PID 2112 wrote to memory of 2544 / 2112 / JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe / 30
  - PID 2112 wrote to memory of 2544 / 2112 / JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe / 30
  - PID 2112 wrote to memory of 832 / 2112 / JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe / 33
  - PID 2112 wrote to memory of 832 / 2112 / JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe / 33
  - PID 2112 wrote to memory of 832 / 2112 / JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe / 33
  - PID 2112 wrote to memory of 832 / 2112 / JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe / 33
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2112
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe (child of 2112)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe startC:\Program Files (x86)\LP\EA39\CDF.exe%C:\Program Files (x86)\LP\EA39
    - System Location Discovery: System Language Discovery
    PID: 2544
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe (child of 2112)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe startC:\Users\Admin\AppData\Roaming\97B3D\D243D.exe%C:\Users\Admin\AppData\Roaming\97B3D
    - System Location Discovery: System Language Discovery
    PID: 832
Network
MITRE ATT&CK Enterprise v15
Downloads