Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/01/2025, 17:31

General

  • Target

    JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe

  • Size

    180KB

  • MD5

    7d54f09d2cd3220d3794dc738fbde3ae

  • SHA1

    130a3e621f60338da373d8dc2b812a4bd938113d

  • SHA256

    278f84565d879538acce3295e0257515ec856ebba85cc5aade3ec6b8c4f09230

  • SHA512

    0132849efe2008610130ff75258661f6a10b5babdb796558c309a215cb2b61467efd7dc672e9b1d4925d37bb3305e2cd6215bef39000c58dd0823c825a5f8b35

  • SSDEEP

    3072:e/oHwqvsl1URuMthYIM2EfqsftIYkGJIurF0eTuVSPChNUmt+QYCZ5RsuT/:e/C0l14uS3ofJIurF0VVSKzUmt+hikur

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory 8 IoCs
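The "UPX packed file" signature above is a static check that a practitioner can reproduce without the sandbox. The following is an added example, not part of the tria.ge report or the sample's own code: it walks the PE section table by hand, reports the UPX0/UPX1 section names that stock UPX emits, and also flags any section whose byte entropy exceeds an assumed 7.0 bits/byte threshold, which is the check that still fires when a modified UPX build (as the signature text mentions) has renamed its sections. The PE image it scans is constructed inline, so it runs offline against no real file.

```python
"""Added example (not part of the tria.ge report): a hand-rolled check for
the 'UPX packed file' signature.  Section names UPX0/UPX1 are the stock UPX
defaults; the 7.0 bits/byte entropy threshold is an assumed heuristic."""
import math
import random
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or constant data, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, raw_offset, raw_size) for every section header."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size             # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        hdr = image[table + 40 * i: table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)
        yield name, raw_ptr, raw_size


def upx_indicators(image: bytes, entropy_threshold: float = 7.0) -> dict:
    """Summarise packer indicators for one PE image."""
    names, high_entropy = [], []
    for name, off, size in pe_sections(image):
        names.append(name)
        ent = shannon_entropy(image[off:off + size])
        if ent >= entropy_threshold:
            high_entropy.append((name, round(ent, 2)))
    upx_names = [n for n in names if n.upper().startswith("UPX")]
    return {
        "sections": names,
        "upx_section_names": upx_names,
        "high_entropy_sections": high_entropy,
        "likely_packed": bool(upx_names) or bool(high_entropy),
    }


def build_test_pe(sections) -> bytes:
    """Construct a minimal PE image carrying the given (name, body) sections.
    Constructed sample input for this demo; it is not a loadable executable."""
    num, e_lfanew, opt_size = len(sections), 0x40, 0xE0
    table = e_lfanew + 4 + 20 + opt_size
    data_off = table + 40 * num
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, opt_size, 0x102)
    headers, payload = b"", b""
    for name, body in sections:
        headers += name.ljust(8, b"\0")[:8]
        headers += struct.pack("<IIII", len(body), 0, len(body), data_off)
        headers += b"\0" * 16                # relocs, linenumbers, characteristics
        payload += body
        data_off += len(body)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + headers + payload


def demo() -> dict:
    """Stock-UPX layout: empty UPX0, high-entropy UPX1, small .rsrc."""
    rng = random.Random(1)                   # stands in for compressed data
    compressed = bytes(rng.getrandbits(8) for _ in range(4096))
    image = build_test_pe([(b"UPX0", b""), (b"UPX1", compressed),
                           (b".rsrc", b"\0" * 256)])
    return upx_indicators(image)


if __name__ == "__main__":
    print(demo())
```

The entropy check is the one to keep when section names have been rewritten; a stripped ".text" that still scores near 8 bits/byte is not plain code. Note that UPX0 legitimately has a raw size of zero (it is the virtual region the stub unpacks into), so a zero-entropy UPX0 is expected, not a sign of tampering.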

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe startC:\Program Files (x86)\LP\9A6F\EB5.exe%C:\Program Files (x86)\LP\9A6F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3036
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe startC:\Users\Admin\AppData\Roaming\F18C9\37C9A.exe%C:\Users\Admin\AppData\Roaming\F18C9
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2436
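The process tree shows the dropper re-launching its own image twice, each time with a single argument of the form start<exe>%<dir> naming where the next stage is staged (once under Program Files (x86)\LP, once under AppData\Roaming), together with the WriteProcessMemory activity in the parent. That self-respawn plus the argument shape is a usable detection. The following is an added example, not part of the report: it runs that logic over constructed Sysmon-style process-creation events (field names follow Sysmon Event ID 1; the parent of PID 2348 is not in the report, so explorer.exe and the PIDs of the benign event are assumed values).

```python
"""Added example (not part of the tria.ge report): detect a process that
re-spawns its own image with a 'start<exe>%<dir>' staging argument, as in
the process tree above.  Events are constructed Sysmon EID 1-style records."""
import ntpath
import re

# One argument: 'start' glued to an absolute .exe path, '%', then a directory.
STAGE_RE = re.compile(
    r"\sstart([A-Za-z]:\\[^%]+\.exe)%([A-Za-z]:\\[^%]*)$", re.IGNORECASE)

# Roots seen in the report's tree; used only to annotate hits.
REPORT_ROOTS = ("\\appdata\\roaming\\", "\\program files (x86)\\lp\\")


def parse_stage_args(cmdline: str):
    """Return (stage_exe, stage_dir) for the staging argument, else None."""
    m = STAGE_RE.search(cmdline)
    if not m:
        return None
    exe, directory = m.group(1), m.group(2)
    # In the report the directory operand is the parent of the exe path;
    # requiring that keeps unrelated 'start...' arguments from matching.
    if ntpath.dirname(exe).lower() != directory.rstrip("\\").lower():
        return None
    return exe, directory


def detect_self_respawn_staging(events):
    """Flag child processes whose Image equals ParentImage and whose
    command line carries the staging argument."""
    hits = []
    for ev in events:
        if ev["Image"].lower() != ev["ParentImage"].lower():
            continue
        parsed = parse_stage_args(ev["CommandLine"])
        if parsed is None:
            continue
        exe, directory = parsed
        hits.append({
            "ProcessId": ev["ProcessId"],
            "ParentProcessId": ev["ParentProcessId"],
            "stage_exe": exe,
            "stage_dir": directory,
            "matches_report_roots": any(r in exe.lower() for r in REPORT_ROOTS),
        })
    return hits


DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe")

# Constructed events.  PIDs 2348/3036/2436 and command lines come from the
# report; the explorer.exe parent and the browser event are assumed.
SAMPLE_EVENTS = [
    {"ProcessId": 2348, "ParentProcessId": 1000,
     "ParentImage": r"C:\Windows\explorer.exe", "Image": DROPPER,
     "CommandLine": f'"{DROPPER}"'},
    {"ProcessId": 3036, "ParentProcessId": 2348,
     "ParentImage": DROPPER, "Image": DROPPER,
     "CommandLine": DROPPER + r" startC:\Program Files (x86)\LP\9A6F\EB5.exe"
                              r"%C:\Program Files (x86)\LP\9A6F"},
    {"ProcessId": 2436, "ParentProcessId": 2348,
     "ParentImage": DROPPER, "Image": DROPPER,
     "CommandLine": DROPPER + r" startC:\Users\Admin\AppData\Roaming\F18C9\37C9A.exe"
                              r"%C:\Users\Admin\AppData\Roaming\F18C9"},
    # Benign self-respawn: a browser launching a renderer from its own image.
    {"ProcessId": 4100, "ParentProcessId": 4000,
     "ParentImage": r"C:\Program Files\Browser\browser.exe",
     "Image": r"C:\Program Files\Browser\browser.exe",
     "CommandLine": r'"C:\Program Files\Browser\browser.exe" --type=renderer'},
]


if __name__ == "__main__":
    for hit in detect_self_respawn_staging(SAMPLE_EVENTS):
        print(hit)
```

The Image == ParentImage test alone is noisy (browsers, installers and Electron apps all do it), which is why the rule keys on the argument shape and the exe/dir consistency check. The stage_exe and stage_dir values from a hit are the paths to pull for the dropped-file hashes listed under Downloads.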

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\F18C9\9461.18C

    Filesize

    597B

    MD5

    692b5c472c22a2d46aa07fa10f419f21

    SHA1

    715863f87e2d73ef3abf6a8ef4042675906a7ac7

    SHA256

    20f20a820db2efae6c8e29605f0f616f3c8d1cd7ece6ddc24124e674fffa4f22

    SHA512

    314e1cd93a74186302cb18f2a036f68a5f874033518e30c2b720a46f1b71a37283e2ee6374325134aa439cf96d41144c3efa74910a5756df1a14f577d80a2f0e

  • C:\Users\Admin\AppData\Roaming\F18C9\9461.18C

    Filesize

    1KB

    MD5

    97c4ea64622a6faafe9af6d138462c3d

    SHA1

    70df9a2a35109d5731fc4663691a2ea5e90cf0e9

    SHA256

    7f8b0659e856d505cc438573d4e209541b49ec0d64112ee34f810e3844f8b4f2

    SHA512

    902628650be7758585f1aa383e05371f83d4c5e51aaca43dea68f81fd253126d89f01d59bd8e5d011327963279faa29afe48badb44b2e46cd6916d6ff34ac928

  • C:\Users\Admin\AppData\Roaming\F18C9\9461.18C

    Filesize

    1KB

    MD5

    50033e26ea510dc8e00992874dad0a85

    SHA1

    66f877f38b6f10997a58f749da4f785be3c75118

    SHA256

    caab21f5bd01b61fb4f768d8bc844e147ecf4ca3060db48c82ac9d80946be3b2

    SHA512

    f4fdf8d3ebca735d6c8a4c6721851b077c7f23afccd3b46a69f27822f19debf72698b4f7e329fddd619a2e3ce5e8be42e259250568185517bca2fb6419aa0c19

  • C:\Users\Admin\AppData\Roaming\F18C9\9461.18C

    Filesize

    897B

    MD5

    78ee08d79e31dace38fedabf0e83b672

    SHA1

    fab6d771c0f2cb9d7d4a22e491225f74e6b8bf9e

    SHA256

    08e92b961481a3acd6c292241c2a7e548a107aa5264dc898079b7fb15d28c3b7

    SHA512

    ff0fe8ed2f6cc86b1f90910e35f8d48766307fa4e6434e471f2a1cfa7a09f79778258148da531c9b099e0f17f1b1866e7e1841fcd2d781c18a8cd6cfb1bfb9d5

  • memory/2348-21-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/2348-0-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/2348-22-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/2348-3-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/2348-2-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/2348-291-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/2436-116-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/3036-20-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/3036-18-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB