Analysis

  • max time kernel
    140s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/01/2025, 19:54

General

  • Target

    JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exe

  • Size

    163KB

  • MD5

    80763613f2ef1ea0aa0c6066a28998af

  • SHA1

    344d64593d47393bf5f009460181e8d3cef64c01

  • SHA256

    4fbbee23970040460e28cd804df5bac7cf9f88bb1becf9b4c1790fa45974777e

  • SHA512

    6a782e1626bb4cb89b23438a1d7fe2396b24055fec84988272311d7b31399be6e4a8a356f2fc2644f01b8651afec9b718a71fc3fa25836e6c42bc65e5db9440c

  • SSDEEP

    3072:2FxGLemEfiXg+L+l0dxYFjt6aa4xvwQvM9geFvwnSPAvEpUQov:2FUpoipL+l0j+jAthQvM99FvwnoAvEyQ

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, such as saved credentials.

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs
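
The UPX signature above fires on seven indicators, and the memory dumps below show the same image unpacked across 0x400000-0x469000 (0x69000 bytes, 420KB) although the file on disk is 163KB. The Python below is an added example, not tria.ge's detection rule and not code from the sample, showing the three checks an analyst applies to a PE header to confirm UPX or a renamed UPX variant: stock section names, the UPX! marker in the header padding, and the structural pattern of an empty first section with the entry point in a later executable section. The PE fixtures are constructed inline; their section layout is invented to mirror the report's dump size.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) for a PE file held in memory.

    Only the fields the heuristics need are decoded. Offsets follow the
    PE/COFF spec and are identical for PE32 and PE32+.
    """
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    (entry_rva,) = struct.unpack_from("<I", pe, opt + 16)
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        (chars,) = struct.unpack_from("<I", pe, off + 36)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vsize": vsize, "vaddr": vaddr,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "chars": chars})
    return entry_rva, sections


def upx_indicators(pe: bytes) -> list:
    """Return the UPX indicators present in a PE image (empty list when none)."""
    entry_rva, sections = parse_pe_sections(pe)
    found = []
    # 1. Stock UPX names its sections UPX0/UPX1/UPX2. Modified builds rename them.
    if any(s["name"].upper().startswith("UPX") for s in sections):
        found.append("upx_section_names")
    # 2. Stock UPX leaves an "UPX!" marker in the header padding, before the
    #    first section's raw data begins.
    header_end = min((s["raw_ptr"] for s in sections if s["raw_ptr"]), default=0x1000)
    if b"UPX!" in pe[:header_end]:
        found.append("upx_header_magic")
    # 3. Structural: the first section is the unpacking target (no file-backed
    #    data, large virtual size) and the entry point sits in a later,
    #    executable section (the decompression stub). This survives renaming.
    first = sections[0]
    ep_index = next((i for i, s in enumerate(sections)
                     if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["raw_size"])),
                    None)
    if (first["raw_size"] == 0 and first["vsize"] > 0
            and ep_index not in (None, 0)
            and sections[ep_index]["chars"] & IMAGE_SCN_MEM_EXECUTE):
        found.append("empty_first_section_with_late_entry")
    return found


def build_test_pe(sections, entry_rva, trailer=b""):
    """Construct a minimal PE32 header for testing (synthetic, not a real sample)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                    # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, raw_size, raw_ptr, chars in sections)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + trailer).ljust(0x400, b"\0")


# Constructed fixtures. PACKED's layout is invented to match the report's dumps:
# the image spans 0x400000-0x469000 (0x69000 bytes, 420KB) while the file on
# disk is 163KB, the footprint of a UPX0 (empty) / UPX1 (stub + data) layout.
PACKED = build_test_pe([
    (b"UPX0",  0x5C000, 0x01000, 0x00000, 0x0400, 0xE0000080),
    (b"UPX1",  0x0B000, 0x5D000, 0x0A800, 0x0400, 0xE0000040),
    (b".rsrc", 0x01000, 0x68000, 0x00600, 0xAC00, 0xC0000040),
], entry_rva=0x67E00, trailer=b"UPX!")
# Same layout with sections renamed and the marker removed, as a modified UPX does.
RENAMED = build_test_pe([
    (b".text", 0x5C000, 0x01000, 0x00000, 0x0400, 0xE0000080),
    (b".data", 0x0B000, 0x5D000, 0x0A800, 0x0400, 0xE0000040),
    (b".rsrc", 0x01000, 0x68000, 0x00600, 0xAC00, 0xC0000040),
], entry_rva=0x67E00)
# Ordinary linker output: first section file-backed, entry point inside it.
CLEAN = build_test_pe([
    (b".text",  0x5000, 0x1000, 0x5000, 0x0400, 0x60000020),
    (b".rdata", 0x1000, 0x6000, 0x1000, 0x5400, 0x40000040),
    (b".data",  0x0800, 0x7000, 0x0200, 0x6400, 0xC0000040),
], entry_rva=0x1200)

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("renamed", RENAMED), ("clean", CLEAN)):
        print(label, upx_indicators(image))
```

The structural check is the one worth keeping in a triage pipeline: a packer that only renames UPX0/UPX1 and strips the UPX! marker still has to leave the first section empty and put its stub after it.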

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2720
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      2⤵
      • System Location Discovery: System Language Discovery
      PID:772
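
In the process tree above, PID 3048 re-launches its own image twice (PIDs 2720 and 772) with an argument of the form start<path>%<directory>, naming conhost.exe and dwm.exe under the user's Roaming profile rather than System32. The Python below is an added detection example, not part of the tria.ge report or of the sample: it parses that argument shape out of process-creation events and flags a parent spawning its own image with it, a system-binary name outside the system directories, and a drop path under AppData. The event records are constructed to match the report's command lines and PIDs; the parent of PID 3048 (explorer.exe, PPID 1640) and the benign conhost.exe control event are assumptions not in the report.

```python
import ntpath
import re

# Cycbot-style re-launch argument: "<image> start<dropped exe>%<drop directory>"
START_RE = re.compile(
    r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))\s+start(?P<exe>[^%]+)%(?P<dir>.+)$')

# Names the sample borrows; legitimate copies live only under these directories.
SYSTEM_BINARY_NAMES = {"conhost.exe", "dwm.exe", "csrss.exe", "svchost.exe", "lsass.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_start_arg(cmdline: str):
    """Split a start<exe>%<dir> command line; None if the shape does not match."""
    m = START_RE.match(cmdline)
    if not m:
        return None
    return {"image": m.group("quoted") or m.group("bare"),
            "drop_exe": m.group("exe").strip(),
            "drop_dir": m.group("dir").strip()}


def flag_event(ev: dict) -> list:
    """Return the reasons a process-creation event matches this behaviour."""
    reasons = []
    parsed = parse_start_arg(ev["cmdline"])
    if parsed is None:
        return reasons
    reasons.append("cycbot_start_arg")
    drop_exe = parsed["drop_exe"].lower()
    # ntpath handles backslash paths regardless of the analyst's host OS.
    if (ntpath.basename(drop_exe) in SYSTEM_BINARY_NAMES
            and not drop_exe.startswith(SYSTEM_DIRS)):
        reasons.append("system_binary_name_outside_system32")
    if "\\appdata\\" in drop_exe:
        reasons.append("drop_path_in_appdata")
    parent = ev.get("parent_image")
    if parent and parent.lower() == ev["image"].lower():
        reasons.append("self_spawn_with_args")
    return reasons


def scan(events) -> dict:
    """Map PID -> reasons for every flagged event."""
    flagged = {}
    for ev in events:
        reasons = flag_event(ev)
        if reasons:
            flagged[ev["pid"]] = reasons
    return flagged


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exe"

# Constructed process-creation events. PIDs, images and command lines follow
# the report; the parent of 3048 and the benign conhost.exe event are assumed.
EVENTS = [
    {"pid": 3048, "ppid": 1640, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f'"{SAMPLE}"'},
    {"pid": 2720, "ppid": 3048, "image": SAMPLE, "parent_image": SAMPLE,
     "cmdline": SAMPLE + r" startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe"
                         r"%C:\Users\Admin\AppData\Roaming\Microsoft"},
    {"pid": 772, "ppid": 3048, "image": SAMPLE, "parent_image": SAMPLE,
     "cmdline": SAMPLE + r" startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming"},
    {"pid": 4100, "ppid": 3200, "image": r"C:\Windows\System32\conhost.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"\??\C:\Windows\system32\conhost.exe 0x4"},
]

if __name__ == "__main__":
    for pid, reasons in scan(EVENTS).items():
        print(pid, reasons)
```

The benign conhost.exe event is there as a control: the name alone is not the signal, the combination of a self-spawn, the start<exe>%<dir> argument and a system-binary name under a user-writable directory is.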

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\C2EE.E78

    Filesize

    597B

    MD5

    8803c9f349f56a3fed8ab31d60f285e0

    SHA1

    c5621cfc9434069fc4290c5509499ceb9ba1d564

    SHA256

    1869df3a59b724b13ec8be336d4749ad79f1a8f3abdc09128a883373d337e69d

    SHA512

    e41260f0fa1271e7ec7854d7ebe7a32e2ea352fb31ef25a7c6adfd878fb3c8cd2addb9941de0ba7864bc944d6bcbe03f09c75ec327d230546543e9b6a1814ff8

  • C:\Users\Admin\AppData\Roaming\C2EE.E78

    Filesize

    1KB

    MD5

    9ec588d572311f90b6adbb52b48fdccd

    SHA1

    89dc7a4b534cc386d1df2b67c0cd6ff973e1cbbb

    SHA256

    a70902cc13c0af3e8c00a2a6a41e6521819547e769704effdbd8b8dc194f5f15

    SHA512

    103fa5825de8a3bc13ed125ae71c4d23296d411babd9c03f8e77085d12ee90fd29234b27efb5b23978a7df0f00da4cf36ca18ca9edd22bf110097bf0c95bf2b4

  • C:\Users\Admin\AppData\Roaming\C2EE.E78

    Filesize

    897B

    MD5

    9d7fff28cfe86920712df4c1445881df

    SHA1

    27d7677924f3a99b155ce23d87b173d81297fc7e

    SHA256

    6eabede32c5cf971179c7ecf4397d4a5f6a92e5a26b47ea41ef6bc58df5faa4d

    SHA512

    898bd179ab394d0073eb23e6286a0fbf309695bb90397639d1da1badfb851e984c9027c43d664ac83ffbf014f9d02e1a0bd7985086164ac627e46cd10b3febd3

  • C:\Users\Admin\AppData\Roaming\C2EE.E78

    Filesize

    1KB

    MD5

    9bbb4a7764b4169425b6d7043c5946ea

    SHA1

    431192a3d0ed936d7acdf4a260129045f753d43d

    SHA256

    99ef044ead710cb09e0917c033892acdb49cffc7287b0ef0b2ca9286f23fdb32

    SHA512

    d3a40794fe852af2e8d4552c87ec21850cadb9c45c59010ce097809b2051cef7d2ad89f92c145206b2c65c3c46489331c3cd742b9eee79aae556f1574ab27645

  • memory/772-91-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/772-93-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/2720-9-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/2720-8-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/3048-1-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/3048-2-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/3048-20-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/3048-199-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB