Analysis
- max time kernel: 140s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 16/01/2025, 12:31
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe
- Resource: win7-20241023-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe
- Size: 182KB
- MD5: 7656f3c27387917026b4b6faa424be4b
- SHA1: a5581d13c6c76f7e57373d45960d93d8d14e86c4
- SHA256: 5b3462bea319a6caff97418313eb9852d276ca419330ac07ec5421fd0c06ca0c
- SHA512: 95013eee1c570682ad188ee62bc41c78d74a5475440b7e3f5fabb55ff9bf2b6a7ba26e36f8b83a1504c3b87afa92e22ab7d589116ce197094cb6489bb007ba65
- SSDEEP: 3072:MlFKJnKOSSMpeTGpPFygYK95MsVk1JQ0GiP/SPx42el+LA51/3oE:kFqnkJNMYVunPK62RuBoE
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (6 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource                                                                   yara_rule
  behavioral1/memory/1056-9-0x0000000000400000-0x0000000000443000-memory.dmp    family_cycbot
  behavioral1/memory/1056-7-0x0000000000400000-0x0000000000443000-memory.dmp    family_cycbot
  behavioral1/memory/1236-14-0x0000000000400000-0x0000000000443000-memory.dmp   family_cycbot
  behavioral1/memory/2656-75-0x0000000000400000-0x0000000000443000-memory.dmp   family_cycbot
  behavioral1/memory/1236-128-0x0000000000400000-0x0000000000443000-memory.dmp  family_cycbot
  behavioral1/memory/1236-173-0x0000000000400000-0x0000000000443000-memory.dmp  family_cycbot
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"
  Process: JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe
- UPX packed (yara rule upx, 8 IoCs)
  resource                                                                   yara_rule
  behavioral1/memory/1236-1-0x0000000000400000-0x0000000000443000-memory.dmp    upx
  behavioral1/memory/1056-9-0x0000000000400000-0x0000000000443000-memory.dmp    upx
  behavioral1/memory/1056-7-0x0000000000400000-0x0000000000443000-memory.dmp    upx
  behavioral1/memory/1236-14-0x0000000000400000-0x0000000000443000-memory.dmp   upx
  behavioral1/memory/2656-74-0x0000000000400000-0x0000000000443000-memory.dmp   upx
  behavioral1/memory/2656-75-0x0000000000400000-0x0000000000443000-memory.dmp   upx
  behavioral1/memory/1236-128-0x0000000000400000-0x0000000000443000-memory.dmp  upx
  behavioral1/memory/1236-173-0x0000000000400000-0x0000000000443000-memory.dmp  upx
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                           pid   Process                                              procid_target
  PID 1236 wrote to memory of 1056      1236  JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe  30
  PID 1236 wrote to memory of 1056      1236  JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe  30
  PID 1236 wrote to memory of 1056      1236  JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe  30
  PID 1236 wrote to memory of 1056      1236  JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe  30
  PID 1236 wrote to memory of 2656      1236  JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe  33
  PID 1236 wrote to memory of 2656      1236  JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe  33
  PID 1236 wrote to memory of 2656      1236  JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe  33
  PID 1236 wrote to memory of 2656      1236  JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe  33
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe (PID 1236, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe (PID 1056, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe (PID 2656, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
Network
MITRE ATT&CK Enterprise v15
Downloads