Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
13/01/2025, 12:57
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_2993456efff01af48d20da0076f013c3.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
JaffaCakes118_2993456efff01af48d20da0076f013c3.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_2993456efff01af48d20da0076f013c3.exe
-
Size
182KB
-
MD5
2993456efff01af48d20da0076f013c3
-
SHA1
68cf90a7eb6e6778e7e974e5cea7672fda030728
-
SHA256
7cb61c25d3612d8d999349c01407aa7404c76e5d98c43716d56b56c9a00e53aa
-
SHA512
3727eeb86bbda029349b53c115a93b2a2f3f07d5c398fa9358acadef125def428450f2897335b2c9069fb09db67cce1f676b3a4d83d79198ef15a9f95953727e
-
SSDEEP
3072:biIHuobNqC1st43rOeKcNOFiTJTcZ+zQWgYwo02pVR+90dCw3EbxnzOsWb82psuh:biIlbNqC1gwjKxiTJTjz/qWVRJCw0psX
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 5 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral1/memory/2764-8-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot behavioral1/memory/2928-18-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot behavioral1/memory/2240-79-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot behavioral1/memory/2928-80-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot behavioral1/memory/2928-178-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot -
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe" JaffaCakes118_2993456efff01af48d20da0076f013c3.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/2928-2-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2764-6-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2764-8-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2928-18-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2240-78-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2240-79-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2928-80-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2928-178-0x0000000000400000-0x000000000046A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_2993456efff01af48d20da0076f013c3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_2993456efff01af48d20da0076f013c3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_2993456efff01af48d20da0076f013c3.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2928 wrote to memory of 2764 2928 JaffaCakes118_2993456efff01af48d20da0076f013c3.exe 30 PID 2928 wrote to memory of 2764 2928 JaffaCakes118_2993456efff01af48d20da0076f013c3.exe 30 PID 2928 wrote to memory of 2764 2928 JaffaCakes118_2993456efff01af48d20da0076f013c3.exe 30 PID 2928 wrote to memory of 2764 2928 JaffaCakes118_2993456efff01af48d20da0076f013c3.exe 30 PID 2928 wrote to memory of 2240 2928 JaffaCakes118_2993456efff01af48d20da0076f013c3.exe 32 PID 2928 wrote to memory of 2240 2928 JaffaCakes118_2993456efff01af48d20da0076f013c3.exe 32 PID 2928 wrote to memory of 2240 2928 JaffaCakes118_2993456efff01af48d20da0076f013c3.exe 32 PID 2928 wrote to memory of 2240 2928 JaffaCakes118_2993456efff01af48d20da0076f013c3.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2993456efff01af48d20da0076f013c3.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2993456efff01af48d20da0076f013c3.exe"1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2993456efff01af48d20da0076f013c3.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2993456efff01af48d20da0076f013c3.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft2⤵
- System Location Discovery: System Language Discovery
PID:2764
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2993456efff01af48d20da0076f013c3.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2993456efff01af48d20da0076f013c3.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp2⤵
- System Location Discovery: System Language Discovery
PID:2240
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5258d95cc73945cf59e41cfe3a26e2976
SHA15d501be89d10fbfdbf31ae9b5d57d3ccd9f66199
SHA256a77e9ff0947ac289d004aaed6234834b6bf670f80ebbdf0064b5187c4a4fa272
SHA5128b72adc6c8822f0a1ca9a06fd939ba15b0ff812d58e7e3abd5b57f9012e72108e69516f48e51ae909ed117ee260774d09f92bb4fff828501ddfe50073df15369
-
Filesize
897B
MD5ff41353e2bd76689588660fe531412bc
SHA1ae1df22da90958ae766a7a233fc27c8f51ff7dd8
SHA2564790b0d5d5167d6cc4490aab9ef1c37c3a0367ddd697c4534e98d04fbbcc4f92
SHA512b3f194a9433eb9ced3dfc2221450c108a4c692bf77d598408a7a9c161a5cd2fa37ab96e2c10fbcb4885c925a5b2ffe3ea5e2096238b6ae7e6b99de7ecdf5b457
-
Filesize
1KB
MD5c33b75df16dc3b32b71dd52131f30dd3
SHA18af89017596ee8fbf2b2e0e0aaf2a75b5b5c69a0
SHA2565e4d30d297047b3627f9acbe8eae41fa4763107811c622687a955c6f133b76e2
SHA512db999b07012e7abfcb01b5cbba5c41f15e05d5c3c627417661e71a2eb83118889b48fbce52b8699b60f5ad256d27074f252ba7839b58fb2b150d8d5c342888da