Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/01/2025, 22:08

General

  • Target

    JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe

  • Size

    159KB

  • MD5

    832fe98ca30a2d3b552d7d54b5054780

  • SHA1

    d33c21ff4710274a7cd89c66ffbfd5b10e22326b

  • SHA256

    69609f8b310cd2d655cf3ced4ca97edd60e8f489d1d79dc471eac96a9b6ddfe7

  • SHA512

    e333fbb70f5db4f1bac2d3020bcd43cd0dd4b5f12a603c867c53db115fad9ac1e04b7eaf5ca330f688f703c5c06d40f336992f2de851d1bc0690131b630c6f7b

  • SSDEEP

    3072:2Lyeymq4e1DR44OH3x15jitcDiOD7bGXHKDngzP4ma20V4d:VeA4sDQ3x13rOHKLgzP4ma20C

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2700
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_832fe98ca30a2d3b552d7d54b5054780.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2904

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\AD13.452

    Filesize

    597B

    MD5

    a9e99005f5df0537adc08e0ad48bf400

    SHA1

    db9375985ee931b9eeea34fca6b2c2b953ab071d

    SHA256

    fda6cea8b841e977cc66706f7f0d4ad439eac5ac3a67b0bac7073ee0aa18654c

    SHA512

    96dbbe7bcbc49caaf3b027448c62ce12a13459796519c8a6569ca9ea4ea5e874e7f6375a44ce820cc89453ba2b2045b181c4f83c4e44d139af80cd96b7158078

  • C:\Users\Admin\AppData\Roaming\AD13.452

    Filesize

    1KB

    MD5

    fd797f6b8124da5eed7648a282d429d7

    SHA1

    bf8edbee61c6ce1bab28fec663cfa4f4c16dbfcc

    SHA256

    67c763654c8bf281adb3e26fd81c2df3632b8b9705ef0b437d81ef4ea3be5681

    SHA512

    a7b28a55266acc444f6ced4b386612a2463941dde40b1ef45a12c0d4add67dddf0505fe4d874af4148277bccf051e837f4566749b00cdac68c666793a0998d78

  • C:\Users\Admin\AppData\Roaming\AD13.452

    Filesize

    897B

    MD5

    5cd37ded55f3560f45eda113b0be1af5

    SHA1

    d2f962356b4f607040d34f195b8ec627b893c9b7

    SHA256

    76e2ab13b32f61d3c4dbc69349457126fc7bc51d018dbd5c7a25612e57ff6320

    SHA512

    96be1431c6d365b4fa343e8bc1c8a07a699597b3b4b4424fb7aabff0424047ec37466cce3c96b148b9f7d813471504efd1328c204a8fab480826693165d2add1

  • C:\Users\Admin\AppData\Roaming\AD13.452

    Filesize

    1KB

    MD5

    81acddefc9cb3cff61dbb28a5a6bdfc0

    SHA1

    d79bf11da229fc8b893868de33f4d42fb1091818

    SHA256

    773a4347356ddd962f2bd86d747cc1aa15a6ad2e754e3364a0f4b422addb8d6b

    SHA512

    a23c6169b0637053c081e67e7a659a6fb88ef31a318c1eb1b15f4daa93058f98d22338a40f2356dfa839d525bdd4f736aad5e6996a653f932d064d1b857e85ca

  • memory/2700-9-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2700-7-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2848-20-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2848-1-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2848-79-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2848-2-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2848-186-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2904-81-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2904-82-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB