Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
71s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
17/01/2025, 09:00
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe
Resource
win7-20241010-en
General
-
Target
JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe
-
Size
165KB
-
MD5
8701351287784126d2b6fc00a3f7215b
-
SHA1
1b8f28a02416d12e485f06b445994c17ecf89fff
-
SHA256
198bf94a578eb6a3403029983d49bfaec46c5faa07053de40168a6572e9ebf9c
-
SHA512
f9cd6aa7bc05611c1f2baf2f968be3dca989af33286d40132e3fb16f7c4fcc202ddb254dfe4d4e1b1103cdf20e11271df7f63760259cb745eddaaf02d74d35b2
-
SSDEEP
3072:snouwXqQPvUubHKBT3D8kH4/xA02cRHwneYifp5rMARkygyNbVGPzYtKrU:EouwXqQPvUuSDH4Jp2OaIRCJtHU
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 7 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral1/memory/2852-15-0x0000000000400000-0x0000000000490000-memory.dmp family_cycbot behavioral1/memory/2852-17-0x0000000000400000-0x0000000000490000-memory.dmp family_cycbot behavioral1/memory/2380-18-0x0000000000400000-0x0000000000490000-memory.dmp family_cycbot behavioral1/memory/2380-19-0x0000000000400000-0x000000000048E000-memory.dmp family_cycbot behavioral1/memory/2952-129-0x0000000000400000-0x0000000000490000-memory.dmp family_cycbot behavioral1/memory/2380-132-0x0000000000400000-0x0000000000490000-memory.dmp family_cycbot behavioral1/memory/2380-306-0x0000000000400000-0x0000000000490000-memory.dmp family_cycbot -
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\99C53\\FBEB6.exe" JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/2380-4-0x0000000000400000-0x0000000000490000-memory.dmp upx behavioral1/memory/2852-14-0x0000000000400000-0x0000000000490000-memory.dmp upx behavioral1/memory/2852-15-0x0000000000400000-0x0000000000490000-memory.dmp upx behavioral1/memory/2852-17-0x0000000000400000-0x0000000000490000-memory.dmp upx behavioral1/memory/2380-18-0x0000000000400000-0x0000000000490000-memory.dmp upx behavioral1/memory/2380-19-0x0000000000400000-0x000000000048E000-memory.dmp upx behavioral1/memory/2952-129-0x0000000000400000-0x0000000000490000-memory.dmp upx behavioral1/memory/2380-132-0x0000000000400000-0x0000000000490000-memory.dmp upx behavioral1/memory/2380-306-0x0000000000400000-0x0000000000490000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2380 wrote to memory of 2852 2380 JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe 29 PID 2380 wrote to memory of 2852 2380 JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe 29 PID 2380 wrote to memory of 2852 2380 JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe 29 PID 2380 wrote to memory of 2852 2380 JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe 29 PID 2380 wrote to memory of 2952 2380 JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe 31 PID 2380 wrote to memory of 2952 2380 JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe 31 PID 2380 wrote to memory of 2952 2380 JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe 31 PID 2380 wrote to memory of 2952 2380 JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe"1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe startC:\Program Files (x86)\LP\B669\826.exe%C:\Program Files (x86)\LP\B6692⤵
- System Location Discovery: System Language Discovery
PID:2852
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe startC:\Program Files (x86)\53C6A\lvvm.exe%C:\Program Files (x86)\53C6A2⤵
- System Location Discovery: System Language Discovery
PID:2952
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
996B
MD592a5e8150ce76a1dad14320f96f36152
SHA1674f21a853afb0c343174d776d074ef2b78da7ff
SHA2564449fab1fc194d84e609f368083dddb9dc5ea3991a502880a5b894e2dbe4e8e4
SHA512f12db5e6d0f9e849edc169f24d093fc24de15d373e7af21aebcdf20af6f2ebcb6d800d8ba1d13b6984c572116632b3b5eb7eefad6bca390b7544d320e310fca1
-
Filesize
600B
MD5560fdfc457ce360bc183b95d072e24d0
SHA17fa6ad78e94c5fb96b99b3ae5435d0f3e4ae7c26
SHA25627797dc2e45c8ec0f8b1dffd81a4e98ec5cd86619d1866ebf6cea7f0f1b64e84
SHA51273876cc38142338cc96ddc9f48807e805d1a4eb844c213515dd2d91ede589b074f2c52531358ef49214ab91f81f537e644ef2865ad443e47a40d8ba8aa50a62b
-
Filesize
1KB
MD51bbdf1a3dccae515602154d87b3ad1ea
SHA15bebb8203c1f44b2e903f48fdd02f5c8ebe691b0
SHA256c75f54130a40a65fe956a954109bd51f2bc7c6333ef4382f00891f22c2248c72
SHA512ac1cbd16075ab9f591ca57b8dcbc39cd936165857dfa283a84bbf733d86a9a9a18a9ab69e9bc94c2f0a77c475c4688a985fbd5ddc2bbc8c8e0e932acd8ca2fab