Analysis
- max time kernel: 140s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 16/01/2025, 22:08
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe
- Size: 159KB
- MD5: 832fe98ca30a2d3b552d7d54b5054780
- SHA1: d33c21ff4710274a7cd89c66ffbfd5b10e22326b
- SHA256: 69609f8b310cd2d655cf3ced4ca97edd60e8f489d1d79dc471eac96a9b6ddfe7
- SHA512: e333fbb70f5db4f1bac2d3020bcd43cd0dd4b5f12a603c867c53db115fad9ac1e04b7eaf5ca330f688f703c5c06d40f336992f2de851d1bc0690131b630c6f7b
- SSDEEP: 3072:2Lyeymq4e1DR44OH3x15jitcDiOD7bGXHKDngzP4ma20V4d:VeA4sDQ3x13rOHKLgzP4ma20C
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (5 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource                                                                      yara_rule
  behavioral1/memory/2700-9-0x0000000000400000-0x0000000000442000-memory.dmp    family_cycbot
  behavioral1/memory/2848-20-0x0000000000400000-0x0000000000442000-memory.dmp   family_cycbot
  behavioral1/memory/2848-79-0x0000000000400000-0x0000000000442000-memory.dmp   family_cycbot
  behavioral1/memory/2904-82-0x0000000000400000-0x0000000000442000-memory.dmp   family_cycbot
  behavioral1/memory/2848-186-0x0000000000400000-0x0000000000442000-memory.dmp  family_cycbot
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                      Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"  JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe
- Matches yara_rule upx (8 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2848-2-0x0000000000400000-0x0000000000442000-memory.dmp    upx
  behavioral1/memory/2700-7-0x0000000000400000-0x0000000000442000-memory.dmp    upx
  behavioral1/memory/2700-9-0x0000000000400000-0x0000000000442000-memory.dmp    upx
  behavioral1/memory/2848-20-0x0000000000400000-0x0000000000442000-memory.dmp   upx
  behavioral1/memory/2848-79-0x0000000000400000-0x0000000000442000-memory.dmp   upx
  behavioral1/memory/2904-81-0x0000000000400000-0x0000000000442000-memory.dmp   upx
  behavioral1/memory/2904-82-0x0000000000400000-0x0000000000442000-memory.dmp   upx
  behavioral1/memory/2848-186-0x0000000000400000-0x0000000000442000-memory.dmp  upx
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                          pid   Process                                               procid_target
  PID 2848 wrote to memory of 2700     2848  JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe  31
  PID 2848 wrote to memory of 2700     2848  JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe  31
  PID 2848 wrote to memory of 2700     2848  JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe  31
  PID 2848 wrote to memory of 2700     2848  JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe  31
  PID 2848 wrote to memory of 2904     2848  JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe  33
  PID 2848 wrote to memory of 2904     2848  JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe  33
  PID 2848 wrote to memory of 2904     2848  JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe  33
  PID 2848 wrote to memory of 2904     2848  JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe  33
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe"
  PID: 2848
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    PID: 2700
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
    PID: 2904
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads