Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/01/2025, 00:31

General

  • Target

    JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe

  • Size

    179KB

  • MD5

    48c5af8114a5aed07fa3a400877132d5

  • SHA1

    f564562c0a363069fd5684857876d68e19555841

  • SHA256

    4f9d4b811f5c7f7d2ed411dc11d1d8d8f7ddd6a38f678cbda7c08d2b81c85cc0

  • SHA512

    dd7a02cc60ae37e15fa40e88a549dbb7bcd3a08e28708be023a4280484c149c15ae91e3e0344dd582b98cc1b14e44805c2b1850099cd845e98dc3a0b794ff603

  • SSDEEP

    3072:qXj5OufhDwkH8m0Df4v9coDzldEM4Q/GxO/aUm76/CdD0lZnJJDwY:Wj5bfhDp8mQfovPEML0O/C7FKPk

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3060
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1544
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2088

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\0279.E09

    Filesize

    1KB

    MD5

    875f37ceaa32444b1385a4ab6f6d96a4

    SHA1

    39b0cf89f65ffcde45348fa83076d5e99845bb5b

    SHA256

    628be44cc95c4ff67773e49435a4781fea07c11930942aedac2c777ef7e76bd2

    SHA512

    24cb4bd0860dd67a0324207c4eb9596b1b0966eca4e77853a44b921aa830a940433a39a9bf1afd83d6c9c34ad48833da38ad090cbcc81d37527383add1c3e1d8

  • C:\Users\Admin\AppData\Roaming\0279.E09

    Filesize

    600B

    MD5

    fad1d86e184a2042f41a5431831cd81d

    SHA1

    fed8168ed68f2021db20ee0fdb2709d26cbdca32

    SHA256

    6840d21d53cff8581e7718661b630c7fa84dd4ff808e702dfcb13c49039c9f23

    SHA512

    d9ea433f86347deb0700acf9cad30bfa498a5063fee294c93818c0c8fe037f68659f74b56542f132ada6d4fbd3978692211c750436564438bf562e330407cda3

  • C:\Users\Admin\AppData\Roaming\0279.E09

    Filesize

    996B

    MD5

    cfaf14c4d79fd529c79c6e356d1c4ef7

    SHA1

    f0155d4ac3c16fdcb9f49ae7b6d9f5f771a3283d

    SHA256

    923cd1a012f3335db0110f2ded707f81eefa9ce6914171619d4817c18732ec1b

    SHA512

    eabb4a20af3418002376a7194d9d4dfc77689a43e8d494235b0b9281e301e653ca12bdc41a48390313606f2d8f2af298896ea01cf5bcf70bcaf7ba7843ee3979

  • memory/1544-5-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/1544-6-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/2088-67-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/3060-1-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/3060-2-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/3060-13-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/3060-68-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/3060-172-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB