Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16/01/2025, 17:31
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe
Resource
win7-20240903-en
General
-
Target
JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe
-
Size
180KB
-
MD5
7d54f09d2cd3220d3794dc738fbde3ae
-
SHA1
130a3e621f60338da373d8dc2b812a4bd938113d
-
SHA256
278f84565d879538acce3295e0257515ec856ebba85cc5aade3ec6b8c4f09230
-
SHA512
0132849efe2008610130ff75258661f6a10b5babdb796558c309a215cb2b61467efd7dc672e9b1d4925d37bb3305e2cd6215bef39000c58dd0823c825a5f8b35
-
SSDEEP
3072:e/oHwqvsl1URuMthYIM2EfqsftIYkGJIurF0eTuVSPChNUmt+QYCZ5RsuT/:e/C0l14uS3ofJIurF0VVSKzUmt+hikur
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 5 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral1/memory/3036-20-0x0000000000400000-0x0000000000455000-memory.dmp family_cycbot behavioral1/memory/2348-21-0x0000000000400000-0x0000000000455000-memory.dmp family_cycbot behavioral1/memory/2348-22-0x0000000000400000-0x0000000000452000-memory.dmp family_cycbot behavioral1/memory/2436-116-0x0000000000400000-0x0000000000455000-memory.dmp family_cycbot behavioral1/memory/2348-291-0x0000000000400000-0x0000000000455000-memory.dmp family_cycbot -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/2348-3-0x0000000000400000-0x0000000000455000-memory.dmp upx behavioral1/memory/3036-18-0x0000000000400000-0x0000000000455000-memory.dmp upx behavioral1/memory/3036-20-0x0000000000400000-0x0000000000455000-memory.dmp upx behavioral1/memory/2348-21-0x0000000000400000-0x0000000000455000-memory.dmp upx behavioral1/memory/2348-22-0x0000000000400000-0x0000000000452000-memory.dmp upx behavioral1/memory/2436-116-0x0000000000400000-0x0000000000455000-memory.dmp upx behavioral1/memory/2348-291-0x0000000000400000-0x0000000000455000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2348 wrote to memory of 3036 2348 JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe 30 PID 2348 wrote to memory of 3036 2348 JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe 30 PID 2348 wrote to memory of 3036 2348 JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe 30 PID 2348 wrote to memory of 3036 2348 JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe 30 PID 2348 wrote to memory of 2436 2348 JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe 33 PID 2348 wrote to memory of 2436 2348 JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe 33 PID 2348 wrote to memory of 2436 2348 JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe 33 PID 2348 wrote to memory of 2436 2348 JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe startC:\Program Files (x86)\LP\9A6F\EB5.exe%C:\Program Files (x86)\LP\9A6F2⤵
- System Location Discovery: System Language Discovery
PID:3036
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe startC:\Users\Admin\AppData\Roaming\F18C9\37C9A.exe%C:\Users\Admin\AppData\Roaming\F18C92⤵
- System Location Discovery: System Language Discovery
PID:2436
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
597B
MD5692b5c472c22a2d46aa07fa10f419f21
SHA1715863f87e2d73ef3abf6a8ef4042675906a7ac7
SHA25620f20a820db2efae6c8e29605f0f616f3c8d1cd7ece6ddc24124e674fffa4f22
SHA512314e1cd93a74186302cb18f2a036f68a5f874033518e30c2b720a46f1b71a37283e2ee6374325134aa439cf96d41144c3efa74910a5756df1a14f577d80a2f0e
-
Filesize
1KB
MD597c4ea64622a6faafe9af6d138462c3d
SHA170df9a2a35109d5731fc4663691a2ea5e90cf0e9
SHA2567f8b0659e856d505cc438573d4e209541b49ec0d64112ee34f810e3844f8b4f2
SHA512902628650be7758585f1aa383e05371f83d4c5e51aaca43dea68f81fd253126d89f01d59bd8e5d011327963279faa29afe48badb44b2e46cd6916d6ff34ac928
-
Filesize
1KB
MD550033e26ea510dc8e00992874dad0a85
SHA166f877f38b6f10997a58f749da4f785be3c75118
SHA256caab21f5bd01b61fb4f768d8bc844e147ecf4ca3060db48c82ac9d80946be3b2
SHA512f4fdf8d3ebca735d6c8a4c6721851b077c7f23afccd3b46a69f27822f19debf72698b4f7e329fddd619a2e3ce5e8be42e259250568185517bca2fb6419aa0c19
-
Filesize
897B
MD578ee08d79e31dace38fedabf0e83b672
SHA1fab6d771c0f2cb9d7d4a22e491225f74e6b8bf9e
SHA25608e92b961481a3acd6c292241c2a7e548a107aa5264dc898079b7fb15d28c3b7
SHA512ff0fe8ed2f6cc86b1f90910e35f8d48766307fa4e6434e471f2a1cfa7a09f79778258148da531c9b099e0f17f1b1866e7e1841fcd2d781c18a8cd6cfb1bfb9d5