Analysis
max time kernel: 140s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15/01/2025, 00:31
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe
Size: 179KB
MD5: 48c5af8114a5aed07fa3a400877132d5
SHA1: f564562c0a363069fd5684857876d68e19555841
SHA256: 4f9d4b811f5c7f7d2ed411dc11d1d8d8f7ddd6a38f678cbda7c08d2b81c85cc0
SHA512: dd7a02cc60ae37e15fa40e88a549dbb7bcd3a08e28708be023a4280484c149c15ae91e3e0344dd582b98cc1b14e44805c2b1850099cd845e98dc3a0b794ff603
SSDEEP: 3072:qXj5OufhDwkH8m0Df4v9coDzldEM4Q/GxO/aUm76/CdD0lZnJJDwY:Wj5bfhDp8mQfovPEML0O/C7FKPk
Malware Config
Signatures

Cycbot family

Detects Cycbot payload (5 IoCs)
Cycbot is a backdoor and trojan written in C++.
resource                                                                      yara_rule
behavioral1/memory/1544-6-0x0000000000400000-0x0000000000443000-memory.dmp    family_cycbot
behavioral1/memory/3060-13-0x0000000000400000-0x0000000000443000-memory.dmp   family_cycbot
behavioral1/memory/2088-67-0x0000000000400000-0x0000000000443000-memory.dmp   family_cycbot
behavioral1/memory/3060-68-0x0000000000400000-0x0000000000443000-memory.dmp   family_cycbot
behavioral1/memory/3060-172-0x0000000000400000-0x0000000000443000-memory.dmp  family_cycbot

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
description      ioc                                                                                                                                                      Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"   JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe

Yara rule: upx (7 IoCs)
resource                                                                      yara_rule
behavioral1/memory/3060-2-0x0000000000400000-0x0000000000443000-memory.dmp    upx
behavioral1/memory/1544-5-0x0000000000400000-0x0000000000443000-memory.dmp    upx
behavioral1/memory/1544-6-0x0000000000400000-0x0000000000443000-memory.dmp    upx
behavioral1/memory/3060-13-0x0000000000400000-0x0000000000443000-memory.dmp   upx
behavioral1/memory/2088-67-0x0000000000400000-0x0000000000443000-memory.dmp   upx
behavioral1/memory/3060-68-0x0000000000400000-0x0000000000443000-memory.dmp   upx
behavioral1/memory/3060-172-0x0000000000400000-0x0000000000443000-memory.dmp  upx
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description                         pid   Process                                             procid_target
PID 3060 wrote to memory of 1544    3060  JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe  31
PID 3060 wrote to memory of 1544    3060  JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe  31
PID 3060 wrote to memory of 1544    3060  JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe  31
PID 3060 wrote to memory of 1544    3060  JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe  31
PID 3060 wrote to memory of 2088    3060  JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe  33
PID 3060 wrote to memory of 2088    3060  JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe  33
PID 3060 wrote to memory of 2088    3060  JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe  33
PID 3060 wrote to memory of 2088    3060  JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe  33
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe"
  PID: 3060
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    PID: 1544
    - System Location Discovery: System Language Discovery

  Level 2: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c5af8114a5aed07fa3a400877132d5.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
    PID: 2088
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads