Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16/01/2025, 15:43

General

  • Target

    JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe

  • Size

    180KB

  • MD5

    7aeb7e393793c9081460346fed9352aa

  • SHA1

    92ef0dfc7211b2303529e7fe18a8071bbf4e0717

  • SHA256

    a790549fa8ddbfe09d00824809c969cc5f15345f323579dea1c84bc95b23f3fe

  • SHA512

    c60fb3885b3e5fe35626d6a8e52593a3a0379db86cf848cb1b3c21b1a76830f52d9a799915540c83ef8c547215755f11f9eca363920b80aa5fde038e69c3134a

  • SSDEEP

    3072:YoQ+V8r79/ZwWlLGZsA9J8rFGu1Ictws/BAwu6EB1+qOmnJcJlaM:7QC8rph9LGWAD8rFG2PwiB7qfXRM

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

  • Cycbot family
  • Detects Cycbot payload 4 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3044
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1560

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\BC1E.4A4

    Filesize

    1KB

    MD5

    294639951bb862c7468b027f4f940ecd

    SHA1

    ba619571fc47ff12c3d06bd9869739cafa574c12

    SHA256

    37b5fbb4bd9e91f594910df4f014f5f4c04f4b479457e2eea7cd07db559b0719

    SHA512

    add75e6031980e58d607a75c674b63a83584af47c1767c6fa4e8ba36dd81f5d9e9da7ec10d27d9794a7283d4ce4a05406b629c70a828d779d4819533b3ac8e53

  • C:\Users\Admin\AppData\Roaming\BC1E.4A4

    Filesize

    600B

    MD5

    e7bfccd6d66a08db8d25d496a318edd8

    SHA1

    8801228e5d236224d36840499a0e50937f9d6d55

    SHA256

    00a85bda77a4867f49c94b68808b651a2b88d9726468f94162938265c7592d98

    SHA512

    16aa3111fd1723906f6e8f14f8f5f9247b5a5a67af0e1e5c452d878cdba6b2cc77fc8c4a804fd556629d72ebcd7811bba21ab419b426a2a53d8d879c6017c15e

  • C:\Users\Admin\AppData\Roaming\BC1E.4A4

    Filesize

    996B

    MD5

    a46f1787e3b95b720077b921ff4267fc

    SHA1

    b29c5badf90fbe4bb70bfcc5e7253ef59d65f28d

    SHA256

    f07c7328dbba6eec4c275811270f786cd6c6b6eee074f074c05b07201299490f

    SHA512

    3633b63f7e9d03f5272ae2a19e98edb6b072448ee711a7e355744d03a211fa7cd8a70380a2f318131b0ca189f7d4a26924d38bf274e7719763c5788f8dd4c187

  • memory/1560-87-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1904-1-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1904-2-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1904-15-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1904-181-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/3044-6-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/3044-5-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/3044-7-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB