Analysis

  • max time kernel
    140s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/01/2025, 12:57

General

  • Target

    JaffaCakes118_2993456efff01af48d20da0076f013c3.exe

  • Size

    182KB

  • MD5

    2993456efff01af48d20da0076f013c3

  • SHA1

    68cf90a7eb6e6778e7e974e5cea7672fda030728

  • SHA256

    7cb61c25d3612d8d999349c01407aa7404c76e5d98c43716d56b56c9a00e53aa

  • SHA512

    3727eeb86bbda029349b53c115a93b2a2f3f07d5c398fa9358acadef125def428450f2897335b2c9069fb09db67cce1f676b3a4d83d79198ef15a9f95953727e

  • SSDEEP

    3072:biIHuobNqC1st43rOeKcNOFiTJTcZ+zQWgYwo02pVR+90dCw3EbxnzOsWb82psuh:biIlbNqC1gwjKxiTJTjz/qWVRJCw0psX

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2993456efff01af48d20da0076f013c3.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2993456efff01af48d20da0076f013c3.exe"
    1⤵
    • Modifies WinLogon for persistence
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2993456efff01af48d20da0076f013c3.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2993456efff01af48d20da0076f013c3.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2764
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2993456efff01af48d20da0076f013c3.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2993456efff01af48d20da0076f013c3.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2240

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\A0DD.5AE

    Filesize

    1KB

    MD5

    258d95cc73945cf59e41cfe3a26e2976

    SHA1

    5d501be89d10fbfdbf31ae9b5d57d3ccd9f66199

    SHA256

    a77e9ff0947ac289d004aaed6234834b6bf670f80ebbdf0064b5187c4a4fa272

    SHA512

    8b72adc6c8822f0a1ca9a06fd939ba15b0ff812d58e7e3abd5b57f9012e72108e69516f48e51ae909ed117ee260774d09f92bb4fff828501ddfe50073df15369

  • C:\Users\Admin\AppData\Roaming\A0DD.5AE

    Filesize

    897B

    MD5

    ff41353e2bd76689588660fe531412bc

    SHA1

    ae1df22da90958ae766a7a233fc27c8f51ff7dd8

    SHA256

    4790b0d5d5167d6cc4490aab9ef1c37c3a0367ddd697c4534e98d04fbbcc4f92

    SHA512

    b3f194a9433eb9ced3dfc2221450c108a4c692bf77d598408a7a9c161a5cd2fa37ab96e2c10fbcb4885c925a5b2ffe3ea5e2096238b6ae7e6b99de7ecdf5b457

  • C:\Users\Admin\AppData\Roaming\A0DD.5AE

    Filesize

    1KB

    MD5

    c33b75df16dc3b32b71dd52131f30dd3

    SHA1

    8af89017596ee8fbf2b2e0e0aaf2a75b5b5c69a0

    SHA256

    5e4d30d297047b3627f9acbe8eae41fa4763107811c622687a955c6f133b76e2

    SHA512

    db999b07012e7abfcb01b5cbba5c41f15e05d5c3c627417661e71a2eb83118889b48fbce52b8699b60f5ad256d27074f252ba7839b58fb2b150d8d5c342888da

  • memory/2240-78-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2240-79-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2764-6-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2764-8-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2928-1-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2928-2-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2928-18-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2928-80-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2928-178-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB