Analysis
max time kernel: 140s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13/01/2025, 06:05
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe
Resource: win7-20240903-en
General
Target: JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe
Size: 176KB
MD5: 22c9a3b3e6f8e0ea86ab8857b55f7382
SHA1: 1f33b0fbc825ab0a8d24e5de3d0c1dc9f88e2a98
SHA256: 9dfc1bf1d3663eac731a17fe8d156a26ba17e2aec1f52511caa0ff1d4fcea9d2
SHA512: 60f95592800c943a0ba7adce12f46fd88cd9eaa3f20e9fc04b7b3a69cb0eb72adfc961f5886b9bb6bc2e0d246ce586583ad960ad99ad4d254b0d2289a3753306
SSDEEP: 3072:MyQ0ye7pnGvSkMzzC2WKHPN1mPR82UZSOvCb2oc/VHOgW594b9Qf:BQ0yipGvMnChESy2UZSOKIVpWTCGf
Malware Config
Signatures

Cycbot family

Detects Cycbot payload (4 IoCs)
Cycbot is a backdoor and trojan written in C++.
resource | yara_rule
behavioral1/memory/2764-7-0x0000000000400000-0x000000000046F000-memory.dmp | family_cycbot
behavioral1/memory/2280-13-0x0000000000400000-0x000000000046F000-memory.dmp | family_cycbot
behavioral1/memory/3012-75-0x0000000000400000-0x000000000046F000-memory.dmp | family_cycbot
behavioral1/memory/2280-178-0x0000000000400000-0x000000000046F000-memory.dmp | family_cycbot

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource | yara_rule
behavioral1/memory/2280-2-0x0000000000400000-0x000000000046F000-memory.dmp | upx
behavioral1/memory/2764-8-0x0000000000400000-0x000000000046F000-memory.dmp | upx
behavioral1/memory/2764-7-0x0000000000400000-0x000000000046F000-memory.dmp | upx
behavioral1/memory/2280-13-0x0000000000400000-0x000000000046F000-memory.dmp | upx
behavioral1/memory/3012-74-0x0000000000400000-0x000000000046F000-memory.dmp | upx
behavioral1/memory/3012-75-0x0000000000400000-0x000000000046F000-memory.dmp | upx
behavioral1/memory/2280-178-0x0000000000400000-0x000000000046F000-memory.dmp | upx
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2280 wrote to memory of 2764 | 2280 | JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe | 30
PID 2280 wrote to memory of 2764 | 2280 | JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe | 30
PID 2280 wrote to memory of 2764 | 2280 | JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe | 30
PID 2280 wrote to memory of 2764 | 2280 | JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe | 30
PID 2280 wrote to memory of 3012 | 2280 | JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe | 32
PID 2280 wrote to memory of 3012 | 2280 | JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe | 32
PID 2280 wrote to memory of 3012 | 2280 | JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe | 32
PID 2280 wrote to memory of 3012 | 2280 | JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe | 32
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2280

  Level 2 (child of PID 2280): C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe startC:\Program Files (x86)\Internet Explorer\D3AF\C04.exe%C:\Program Files (x86)\Internet Explorer\D3AF
    - System Location Discovery: System Language Discovery
    PID: 2764

  Level 2 (child of PID 2280): C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe startC:\Users\Admin\AppData\Roaming\FF68A\BAED3.exe%C:\Users\Admin\AppData\Roaming\FF68A
    - System Location Discovery: System Language Discovery
    PID: 3012
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: c33ac16ab6bd17d0cad2f084a243480f
SHA1: 70ad36a0c9c943cb42ce03d3b1d89b3a72783dd0
SHA256: 6351e30109fe1a30507034c8aa75032bed2de5c8c7a5a7d75616b3e99bc5824f
SHA512: 68833280a6d5e1e1239a8b2f8375e0ca82399232a7efd203967cf157eecaf431644a740ffff044ced2fc4a992c754d5cb7fa8248bb97fea182aceebde0d98d4b

Filesize: 600B
MD5: 2c260b98edce84d6af81f86f3b8b2248
SHA1: d19c74f542450abf650ee3a122b53a38dc9659cd
SHA256: e5bcb7e48efd367b6ea37c44fc57c660ced8a164a16bd1322960d7efcc5dc26f
SHA512: 3b1cfed5b9eac8e52a32df730897ae1ce9b9324cc2a9c39f33997ca3b039f9b8e21ca7f4c0ae5bb09177b20e0269a7d5d8891fc95e6a54ad7f2f8c7db32b7857

Filesize: 996B
MD5: d3adf4dc583b5ca454322b9f3887fbda
SHA1: b399168668487371082857c8e552e28ef30c55ff
SHA256: c719d3f6d7c09a63c25418f26f508a01092850541780fa401b04fb8cb2642e97
SHA512: 5baeb4768193ad3b2da07f3384608708fc4c6fdf527bfde07e4a4c52e46d2b0a0fce6f8c446d4617306d176d3b372fae521f9b3178eafcb6b8cd7bc46dedc493