Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 140s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 15/01/2025, 00:30
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe
Resource
win7-20240903-en
General
Target: JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe
Size: 172KB
MD5: 48c15e2fa6716f40bbe47d31106d7767
SHA1: abd8edafa983c34dbf7961a96106fecbcd603dda
SHA256: ae81fee6aa8eb428f282471db50b348b22f0f399d5e9c97a6721f74ad6788b46
SHA512: 7e35e63e71f06a5d2ba0e42f9b800e67fa12c9a7a1ed186d83a733b53b18420b9c410d9b218e76618a6ca50269274fc14d879aa6abf5cd92a44c44880614b73d
SSDEEP: 3072:29OqKsgTwk7/5ePtqWIwIax1xEyhUGRjTc2A+WgoW+QxZiFpO2Q2D6:dbwU0cWIPaDxThUKTAcv+QxZi3G
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload (5 IoCs)
Cycbot is a backdoor and trojan written in C++.
resource / yara_rule
behavioral1/memory/2868-15-0x0000000000400000-0x0000000000445000-memory.dmp / family_cycbot
behavioral1/memory/1228-16-0x0000000000400000-0x0000000000445000-memory.dmp / family_cycbot
behavioral1/memory/1228-79-0x0000000000400000-0x0000000000445000-memory.dmp / family_cycbot
behavioral1/memory/264-82-0x0000000000400000-0x0000000000445000-memory.dmp / family_cycbot
behavioral1/memory/1228-197-0x0000000000400000-0x0000000000445000-memory.dmp / family_cycbot
-
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.
-
Adds Run key to start application (2 TTPs, 1 IoC)
description / ioc / Process
Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe" / JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe
-
resource / yara_rule
behavioral1/memory/1228-2-0x0000000000400000-0x0000000000445000-memory.dmp / upx
behavioral1/memory/2868-13-0x0000000000400000-0x0000000000445000-memory.dmp / upx
behavioral1/memory/2868-15-0x0000000000400000-0x0000000000445000-memory.dmp / upx
behavioral1/memory/2868-12-0x0000000000400000-0x0000000000445000-memory.dmp / upx
behavioral1/memory/1228-16-0x0000000000400000-0x0000000000445000-memory.dmp / upx
behavioral1/memory/1228-79-0x0000000000400000-0x0000000000445000-memory.dmp / upx
behavioral1/memory/264-81-0x0000000000400000-0x0000000000445000-memory.dmp / upx
behavioral1/memory/264-82-0x0000000000400000-0x0000000000445000-memory.dmp / upx
behavioral1/memory/1228-197-0x0000000000400000-0x0000000000445000-memory.dmp / upx
-
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description / ioc / Process
Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe
Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe
Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
description / pid / Process / procid_target
PID 1228 wrote to memory of 2868 / 1228 / JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe / 30
PID 1228 wrote to memory of 2868 / 1228 / JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe / 30
PID 1228 wrote to memory of 2868 / 1228 / JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe / 30
PID 1228 wrote to memory of 2868 / 1228 / JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe / 30
PID 1228 wrote to memory of 264 / 1228 / JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe / 32
PID 1228 wrote to memory of 264 / 1228 / JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe / 32
PID 1228 wrote to memory of 264 / 1228 / JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe / 32
PID 1228 wrote to memory of 264 / 1228 / JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe / 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1228
  -
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe (level 2, child of 1228)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    - System Location Discovery: System Language Discovery
    PID: 2868
  -
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe (level 2, child of 1228)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
    - System Location Discovery: System Language Discovery
    PID: 264
-
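The Run-key write, the two re-executions with a "start<dropped exe>%<directory>" argument, and the WriteProcessMemory calls into those children are one staging pattern: the dropper registers %APPDATA%\Microsoft\conhost.exe for persistence and hands off to copies of itself that stage dwm.exe and csrss.exe, all names borrowed from binaries that genuinely live only in %SystemRoot%\System32. Two practitioner caveats: the Run value sits under Wow6432Node because this x86 sample ran on the x64 image and its HKLM\SOFTWARE write was redirected, so a hunt has to read both registry views; and a parent writing into a child that runs the same image is the self-injection shape of this family, not ordinary child spawning. The detection logic below is an added example, not part of the tria.ge report or of any product. The event records are constructed from the rows above (plus one benign control for the real conhost.exe), and their flat schema (type, pid, image, cmdline, key, data, target_pid) is a hypothetical normalised feed.

```python
"""Hunt logic for the persistence and self-injection pattern in this report.

Added example: the events below are constructed from the report's IoCs,
not sandbox output, and the event schema is a hypothetical flat record.
"""
import re
from pathlib import PureWindowsPath

# Names the real OS binaries use; the genuine files live only in these dirs.
SYSTEM_BINARY_NAMES = {"conhost.exe", "csrss.exe", "dwm.exe", "lsass.exe",
                       "svchost.exe", "winlogon.exe", "smss.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Run / RunOnce values under either the native or the Wow6432Node hive view.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
# "start<dropped exe>%<directory>" argument the sample passes to its own copy.
START_ARG_RE = re.compile(
    r"\bstart(?P<exe>[A-Za-z]:\\[^%]+?\.exe)%(?P<dir>[A-Za-z]:\\.*)$", re.IGNORECASE)


def masquerading_path(path: str) -> bool:
    """True if the file name is a well-known system binary but the file sits
    outside the Windows system directories (masquerading)."""
    p = PureWindowsPath(path)
    return (p.name.lower() in SYSTEM_BINARY_NAMES
            and str(p.parent).lower() not in SYSTEM_DIRS)


def analyze(events):
    """Return (finding, detail) tuples for an ordered stream of event dicts."""
    image_by_pid = {}
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            image_by_pid[ev["pid"]] = ev["image"].lower()
            if masquerading_path(ev["image"]):
                findings.append(("image_masquerade", ev["image"]))
            m = START_ARG_RE.search(ev["cmdline"])
            if m:
                findings.append(("self_reexec_stage", m.group("exe")))
        elif kind == "registry_set":
            # Run value whose data points at a lookalike of a system binary.
            if RUN_KEY_RE.search(ev["key"]) and masquerading_path(ev["data"]):
                findings.append(("run_key_masquerade", ev["data"]))
        elif kind == "write_process_memory":
            # Parent writing into a child that runs the very same image.
            src = image_by_pid.get(ev["pid"])
            dst = image_by_pid.get(ev["target_pid"])
            if src is not None and src == dst:
                findings.append(("same_image_memory_write",
                                 (ev["pid"], ev["target_pid"])))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe"

# Constructed events mirroring the report's process tree, Run-key write and
# WriteProcessMemory rows, plus one benign control (the genuine conhost.exe).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1228, "ppid": 1000, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "registry_set", "pid": 1228,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost",
     "data": r"C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe"},
    {"type": "process_create", "pid": 2868, "ppid": 1228, "image": SAMPLE,
     "cmdline": SAMPLE + r" startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming"},
    {"type": "write_process_memory", "pid": 1228, "target_pid": 2868},
    {"type": "process_create", "pid": 264, "ppid": 1228, "image": SAMPLE,
     "cmdline": SAMPLE + r" startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp"},
    {"type": "write_process_memory", "pid": 1228, "target_pid": 264},
    {"type": "process_create", "pid": 4000, "ppid": 600,
     "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"\??\C:\Windows\system32\conhost.exe 0x4"},
]

if __name__ == "__main__":
    for finding, detail in analyze(SAMPLE_EVENTS):
        print(f"{finding}: {detail}")
```

Running the block yields five findings: the Run value pointing at the AppData conhost.exe, the two staged dwm.exe and csrss.exe paths, and the two same-image memory writes from 1228; the control process for the real C:\Windows\System32\conhost.exe is not flagged because its parent directory is a system directory. On a live host the same three checks map onto Sysmon event IDs 1 (process create), 13 (registry value set) and 8/10 (remote thread / process access), with the Run key read from both the native and Wow6432Node views.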
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1KB
MD5: 0217feab6f35c324f5544be97da17af2
SHA1: 7d52e1528e78b6fae5d4114bced145a52b603bae
SHA256: 7794592b72141ca74c53ded47fb1186f51ec834ae96279639984ca3f0e58275e
SHA512: b5e9e7121831596380592e69466d14d64c11fa89c40f871ca11319b73714761ebf9b180f9e5450dce7c71485f64fc1aba2bf42c6e64ca2f5a3b696f2265b27b9
-
Filesize: 600B
MD5: e2bb6090906c4dd45fea834c6791047c
SHA1: 9e935aa829df2ab61a00e0d4159c2e04edd31969
SHA256: 86d7cf3f85923cf240e834fd0a0ac12fd6ffd004eb183c414d547f647a54a809
SHA512: 6c59d314f3ea2fd0a2ecbb3a122e2f0c8bff611f680c1845b0825115f41362aa670b567ff311ce0ad45b23f43e54c61f070a449037884cfd97bd052efc584f39
-
Filesize: 996B
MD5: 9d7d5578d88b347f4a07e494919ce34e
SHA1: b8965adcbcf8a25a7b08515310fd01397791cb43
SHA256: 6b47ef16931730264c7dd080dd3c291096891769e1818c7be96aa30f0824ce95
SHA512: 79afe4d90cb766fd87d14bd8bbd7d8d2c3ae259dbfeab6defd038af84a355bc0680f0ee8f2c6671160d982539b7dcafed68bfa6b4bbb403682118a4b130cd01a