Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
13/01/2025, 11:28
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exe
-
Size
167KB
-
MD5
28a4ff439567acdcb7edf44dfce76b64
-
SHA1
69efb46b74cee2a413e430040b04381d5dc08596
-
SHA256
69d353e51b6670af251cd9ae4f63a1562ea1d15c93d87cfb68ec2dc74465ceff
-
SHA512
1f9dad360f79f47bd638e90f9577e225de081e8dba8479e939636e41cb159c5e630b33057c554c2c0be5edefafcc3d82d4e38c70f7fc5c2c49a3a4a572077cab
-
SSDEEP
3072:3LMfUkXbpteqoAM8I72E3Pbl5a161RbzbzLvcxXnrOvoz1BALtABzAW6Bl/OZ:7WX1tLIS+Du6zbvchrOvaoiMtBlW
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 5 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral1/memory/740-7-0x0000000000400000-0x000000000043E000-memory.dmp family_cycbot behavioral1/memory/1440-17-0x0000000000400000-0x000000000043E000-memory.dmp family_cycbot behavioral1/memory/1476-90-0x0000000000400000-0x000000000043E000-memory.dmp family_cycbot behavioral1/memory/1440-91-0x0000000000400000-0x000000000043E000-memory.dmp family_cycbot behavioral1/memory/1440-184-0x0000000000400000-0x000000000043E000-memory.dmp family_cycbot -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe" JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exe -
resource yara_rule behavioral1/memory/1440-2-0x0000000000400000-0x000000000043E000-memory.dmp upx behavioral1/memory/740-6-0x0000000000400000-0x000000000043E000-memory.dmp upx behavioral1/memory/740-7-0x0000000000400000-0x000000000043E000-memory.dmp upx behavioral1/memory/1440-17-0x0000000000400000-0x000000000043E000-memory.dmp upx behavioral1/memory/1476-89-0x0000000000400000-0x000000000043E000-memory.dmp upx behavioral1/memory/1476-90-0x0000000000400000-0x000000000043E000-memory.dmp upx behavioral1/memory/1440-91-0x0000000000400000-0x000000000043E000-memory.dmp upx behavioral1/memory/1440-184-0x0000000000400000-0x000000000043E000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1440 wrote to memory of 740 1440 JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exe 30 PID 1440 wrote to memory of 740 1440 JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exe 30 PID 1440 wrote to memory of 740 1440 JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exe 30 PID 1440 wrote to memory of 740 1440 JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exe 30 PID 1440 wrote to memory of 1476 1440 JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exe 33 PID 1440 wrote to memory of 1476 1440 JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exe 33 PID 1440 wrote to memory of 1476 1440 JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exe 33 PID 1440 wrote to memory of 1476 1440 JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming2⤵
- System Location Discovery: System Language Discovery
PID:740
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp2⤵
- System Location Discovery: System Language Discovery
PID:1476
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
597B
MD546a87d90fb7095d718577f01b5f09abc
SHA117d42158186f96e39f650f3fffd844569d34126f
SHA256f5b7a720bfbdbc3eae4cd1c7761af3b1600d4e707f24d6641f1752d6c8550ab9
SHA5125505a40fa2990b2fd6c25629c08e0434d843882a00eb1b03617744f750c96fc602fe51d5ec5d9790a86d54dd7ffb7c81badb7489a120397da3609f6c504ff0aa
-
Filesize
1KB
MD5e64494e92c0a2aeb12062948cc7b85e8
SHA1e95955fb50ddc89a6a5a224f4492ece73bf228dc
SHA2562a6bff2cfd6c0eb27bab1e031d2837e7408ee4e9e32ff89f5ffe1757699cc5ad
SHA5122e4ec1c2624f3ac8e5e76a3d0f51dbe94621cde6f5913c9a356de51d7b092ead478e1064764a757a07dd3fc04886b47f0a1b88293f87c919416f5e1bf6794cff
-
Filesize
897B
MD510055bf9fe4478b272087968a23c2f8e
SHA169a69a74123d4e0767df8fa8ce280ff3819f2d60
SHA2563f58f1b02dbd6a322fc83512d0940df798f5eb21f3df03ffc817c38cb0138d5e
SHA512ac50c1350b8e32c4a2c71137cb4f4313145a2e714bd5a34a14bc027c7af4c350d61b5b06e3dd3468c6c12dc7e579f6e476ad2b6aaedb3d9ec8efa07903e712db
-
Filesize
1KB
MD5341ce98623f841e618cbda0096f66e51
SHA19b14189320583ac4c72c7820457fd468b2ff2eb5
SHA25601553c5e0d6c3b172a9d2097a52e0b13f87fd2a3140ef5b2db6898b4a6f2e417
SHA5123818a7555b18fa885972232a0c2e317af8cb82ad28a9b9fee00bce02fef826e2675fd8842ac1745747cbe0e98a0c96f91da17f20e77dd4143e37569fdde255a4