Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 140s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16/01/2025, 15:43
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe
Size: 180KB
MD5: 7aeb7e393793c9081460346fed9352aa
SHA1: 92ef0dfc7211b2303529e7fe18a8071bbf4e0717
SHA256: a790549fa8ddbfe09d00824809c969cc5f15345f323579dea1c84bc95b23f3fe
SHA512: c60fb3885b3e5fe35626d6a8e52593a3a0379db86cf848cb1b3c21b1a76830f52d9a799915540c83ef8c547215755f11f9eca363920b80aa5fde038e69c3134a
SSDEEP: 3072:YoQ+V8r79/ZwWlLGZsA9J8rFGu1Ictws/BAwu6EB1+qOmnJcJlaM:7QC8rph9LGWAD8rFG2PwiB7qfXRM
Malware Config
Signatures
Cycbot family

Detects Cycbot payload (4 IoCs)
Cycbot is a backdoor and trojan written in C++.
resource | yara_rule
behavioral1/memory/3044-7-0x0000000000400000-0x000000000044B000-memory.dmp | family_cycbot
behavioral1/memory/1904-15-0x0000000000400000-0x000000000044B000-memory.dmp | family_cycbot
behavioral1/memory/1560-87-0x0000000000400000-0x000000000044B000-memory.dmp | family_cycbot
behavioral1/memory/1904-181-0x0000000000400000-0x000000000044B000-memory.dmp | family_cycbot
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource | yara_rule
behavioral1/memory/1904-2-0x0000000000400000-0x000000000044B000-memory.dmp | upx
behavioral1/memory/3044-6-0x0000000000400000-0x000000000044B000-memory.dmp | upx
behavioral1/memory/3044-7-0x0000000000400000-0x000000000044B000-memory.dmp | upx
behavioral1/memory/1904-15-0x0000000000400000-0x000000000044B000-memory.dmp | upx
behavioral1/memory/1560-87-0x0000000000400000-0x000000000044B000-memory.dmp | upx
behavioral1/memory/1904-181-0x0000000000400000-0x000000000044B000-memory.dmp | upx
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1904 wrote to memory of 3044 | 1904 | JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe | 30
PID 1904 wrote to memory of 3044 | 1904 | JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe | 30
PID 1904 wrote to memory of 3044 | 1904 | JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe | 30
PID 1904 wrote to memory of 3044 | 1904 | JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe | 30
PID 1904 wrote to memory of 1560 | 1904 | JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe | 33
PID 1904 wrote to memory of 1560 | 1904 | JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe | 33
PID 1904 wrote to memory of 1560 | 1904 | JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe | 33
PID 1904 wrote to memory of 1560 | 1904 | JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe | 33
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe"
  PID: 1904
  Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  Child processes:
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      PID: 3044
      Signatures:
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      PID: 1560
      Signatures:
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 294639951bb862c7468b027f4f940ecd
SHA1: ba619571fc47ff12c3d06bd9869739cafa574c12
SHA256: 37b5fbb4bd9e91f594910df4f014f5f4c04f4b479457e2eea7cd07db559b0719
SHA512: add75e6031980e58d607a75c674b63a83584af47c1767c6fa4e8ba36dd81f5d9e9da7ec10d27d9794a7283d4ce4a05406b629c70a828d779d4819533b3ac8e53

Filesize: 600B
MD5: e7bfccd6d66a08db8d25d496a318edd8
SHA1: 8801228e5d236224d36840499a0e50937f9d6d55
SHA256: 00a85bda77a4867f49c94b68808b651a2b88d9726468f94162938265c7592d98
SHA512: 16aa3111fd1723906f6e8f14f8f5f9247b5a5a67af0e1e5c452d878cdba6b2cc77fc8c4a804fd556629d72ebcd7811bba21ab419b426a2a53d8d879c6017c15e

Filesize: 996B
MD5: a46f1787e3b95b720077b921ff4267fc
SHA1: b29c5badf90fbe4bb70bfcc5e7253ef59d65f28d
SHA256: f07c7328dbba6eec4c275811270f786cd6c6b6eee074f074c05b07201299490f
SHA512: 3633b63f7e9d03f5272ae2a19e98edb6b072448ee711a7e355744d03a211fa7cd8a70380a2f318131b0ca189f7d4a26924d38bf274e7719763c5788f8dd4c187