Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
16/01/2025, 19:54
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exe
-
Size
163KB
-
MD5
80763613f2ef1ea0aa0c6066a28998af
-
SHA1
344d64593d47393bf5f009460181e8d3cef64c01
-
SHA256
4fbbee23970040460e28cd804df5bac7cf9f88bb1becf9b4c1790fa45974777e
-
SHA512
6a782e1626bb4cb89b23438a1d7fe2396b24055fec84988272311d7b31399be6e4a8a356f2fc2644f01b8651afec9b718a71fc3fa25836e6c42bc65e5db9440c
-
SSDEEP
3072:2FxGLemEfiXg+L+l0dxYFjt6aa4xvwQvM9geFvwnSPAvEpUQov:2FUpoipL+l0j+jAthQvM99FvwnoAvEyQ
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 5 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral1/memory/2720-9-0x0000000000400000-0x0000000000469000-memory.dmp family_cycbot behavioral1/memory/3048-20-0x0000000000400000-0x0000000000469000-memory.dmp family_cycbot behavioral1/memory/772-91-0x0000000000400000-0x0000000000469000-memory.dmp family_cycbot behavioral1/memory/772-93-0x0000000000400000-0x0000000000469000-memory.dmp family_cycbot behavioral1/memory/3048-199-0x0000000000400000-0x0000000000469000-memory.dmp family_cycbot -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/3048-2-0x0000000000400000-0x0000000000469000-memory.dmp upx behavioral1/memory/2720-9-0x0000000000400000-0x0000000000469000-memory.dmp upx behavioral1/memory/2720-8-0x0000000000400000-0x0000000000469000-memory.dmp upx behavioral1/memory/3048-20-0x0000000000400000-0x0000000000469000-memory.dmp upx behavioral1/memory/772-91-0x0000000000400000-0x0000000000469000-memory.dmp upx behavioral1/memory/772-93-0x0000000000400000-0x0000000000469000-memory.dmp upx behavioral1/memory/3048-199-0x0000000000400000-0x0000000000469000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3048 wrote to memory of 2720 3048 JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exe 30 PID 3048 wrote to memory of 2720 3048 JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exe 30 PID 3048 wrote to memory of 2720 3048 JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exe 30 PID 3048 wrote to memory of 2720 3048 JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exe 30 PID 3048 wrote to memory of 772 3048 JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exe 32 PID 3048 wrote to memory of 772 3048 JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exe 32 PID 3048 wrote to memory of 772 3048 JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exe 32 PID 3048 wrote to memory of 772 3048 JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft2⤵
- System Location Discovery: System Language Discovery
PID:2720
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80763613f2ef1ea0aa0c6066a28998af.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming2⤵
- System Location Discovery: System Language Discovery
PID:772
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
597B
MD58803c9f349f56a3fed8ab31d60f285e0
SHA1c5621cfc9434069fc4290c5509499ceb9ba1d564
SHA2561869df3a59b724b13ec8be336d4749ad79f1a8f3abdc09128a883373d337e69d
SHA512e41260f0fa1271e7ec7854d7ebe7a32e2ea352fb31ef25a7c6adfd878fb3c8cd2addb9941de0ba7864bc944d6bcbe03f09c75ec327d230546543e9b6a1814ff8
-
Filesize
1KB
MD59ec588d572311f90b6adbb52b48fdccd
SHA189dc7a4b534cc386d1df2b67c0cd6ff973e1cbbb
SHA256a70902cc13c0af3e8c00a2a6a41e6521819547e769704effdbd8b8dc194f5f15
SHA512103fa5825de8a3bc13ed125ae71c4d23296d411babd9c03f8e77085d12ee90fd29234b27efb5b23978a7df0f00da4cf36ca18ca9edd22bf110097bf0c95bf2b4
-
Filesize
897B
MD59d7fff28cfe86920712df4c1445881df
SHA127d7677924f3a99b155ce23d87b173d81297fc7e
SHA2566eabede32c5cf971179c7ecf4397d4a5f6a92e5a26b47ea41ef6bc58df5faa4d
SHA512898bd179ab394d0073eb23e6286a0fbf309695bb90397639d1da1badfb851e984c9027c43d664ac83ffbf014f9d02e1a0bd7985086164ac627e46cd10b3febd3
-
Filesize
1KB
MD59bbb4a7764b4169425b6d7043c5946ea
SHA1431192a3d0ed936d7acdf4a260129045f753d43d
SHA25699ef044ead710cb09e0917c033892acdb49cffc7287b0ef0b2ca9286f23fdb32
SHA512d3a40794fe852af2e8d4552c87ec21850cadb9c45c59010ce097809b2051cef7d2ad89f92c145206b2c65c3c46489331c3cd742b9eee79aae556f1574ab27645