Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
69s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
13/01/2025, 06:13
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe
-
Size
185KB
-
MD5
22f1858717583dbd59c18d6dbb5b049b
-
SHA1
887be3af12e0430df89eddb47eeefb8f1ce59ea7
-
SHA256
291018d22b3afb4ed1fe56900d2cb38ed480ef13e7d55eea371480d121ca0361
-
SHA512
8b5fa6b1d3553d508b8ff2233b1e6c3ebb8440e7ac46440e347ec7ff15c799fb58acb086912a49bc9714d57b937423e86dccb6a4b58fea8ab500f262ffba31d9
-
SSDEEP
3072:xFP6GrH8SAPPrcfqoaC4uNQq8Zgz5batZoZR9qui3YhrAsAAifNcI5bP:xl6IH8SmgfzNQq8Zgz52ty9quUYxzAR1
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 6 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral1/memory/1736-8-0x0000000000400000-0x000000000046C000-memory.dmp family_cycbot behavioral1/memory/2328-14-0x0000000000400000-0x000000000046C000-memory.dmp family_cycbot behavioral1/memory/960-83-0x0000000000400000-0x000000000046C000-memory.dmp family_cycbot behavioral1/memory/960-81-0x0000000000400000-0x000000000046C000-memory.dmp family_cycbot behavioral1/memory/2328-84-0x0000000000400000-0x000000000046C000-memory.dmp family_cycbot behavioral1/memory/2328-194-0x0000000000400000-0x000000000046C000-memory.dmp family_cycbot -
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe" JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/2328-1-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/1736-7-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/1736-8-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/2328-14-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/960-83-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/960-81-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/2328-84-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/2328-194-0x0000000000400000-0x000000000046C000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2328 wrote to memory of 1736 2328 JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe 30 PID 2328 wrote to memory of 1736 2328 JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe 30 PID 2328 wrote to memory of 1736 2328 JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe 30 PID 2328 wrote to memory of 1736 2328 JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe 30 PID 2328 wrote to memory of 960 2328 JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe 32 PID 2328 wrote to memory of 960 2328 JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe 32 PID 2328 wrote to memory of 960 2328 JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe 32 PID 2328 wrote to memory of 960 2328 JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe"1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft2⤵
- System Location Discovery: System Language Discovery
PID:1736
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp2⤵
- System Location Discovery: System Language Discovery
PID:960
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD52a5ff04a5f8271135b382df6a5e74cbc
SHA1245613020e30323045c2730e1f77ec0e69e7bc22
SHA256ecf08b28f2e3b896ea48f6e70b518cd4e6cf844de6d2d612d0b55116c7348574
SHA5126e27a653dcd8d438f7ba466fdd6a17d1ae3d7d3f409c1bac86ab8fde94fd780316bcbc3f922722ce8ede3391bab5d6f86c66191759ab92290c91ec2ba86cb451
-
Filesize
600B
MD56e71b9467080436ddd5b45ac6721b789
SHA15f159111f4493f3dc7b5d464a8f13aa1ccd75db1
SHA256fa571c2540265ccc57e78bf4e92035bfbc33435710e1dca787f547d51cb381ba
SHA512fecc81a20cedaeefaed5a72e47b1a09005a69c63e5e947ee8cb4072fac7dbcba74b08af6b8d0157d84eca63c4867dac4b4524b6960ed022e7500dfac0b5feb7c
-
Filesize
996B
MD56c6028c9be0820a0325cdfe45dcbc250
SHA1a7e645d35c6bdbd2cab040bd14a1d9447034c9db
SHA256a8258f10c2eade25c4f6908af77f253e0603eb190935f5867d4d2ffff648f178
SHA5128318a830dcaf8d81fc58cf18c23135a605890d32dc75d6658cc01a336d064966a20b7ae566b334d321c6958dfc4a8e42b240fa4d3fb9d9a97efa652cbf4ae939