Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/01/2025, 03:50

General

  • Target

    JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe

  • Size

    180KB

  • MD5

    9ec6fc94432fa78a7585004d03eceabf

  • SHA1

    d739dab40b405822b4b89ab2ca208731b354f30a

  • SHA256

    292c20d20889ba64ce3cdbdbb5467786f9ae807e2606aa4a14ec0dbf4c741639

  • SHA512

    80bef760aba69cf9b81910a2e10cc5deb44d36501877176d1dc23d43f854c89bdee0b19cac2a2c98197eb3306ec5fa5e4b406ea83bf9c1fbb200b89a89114ab6

  • SSDEEP

    3072:dklnqbpEekz2+pU1LnJAKd5gG8WrjFP0GBLFO4DTgEhtSKJylxq:dInYpEeg2+q1LnJAufgEcKIf

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 6 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1364
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe startC:\Program Files (x86)\LP\AF0A\82B.exe%C:\Program Files (x86)\LP\AF0A
      2⤵
        PID:1664
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe startC:\Users\Admin\AppData\Roaming\A1C0F\EC9AF.exe%C:\Users\Admin\AppData\Roaming\A1C0F
        2⤵
          PID:572

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Roaming\A1C0F\F371.1C0

        Filesize

        996B

        MD5

        96fd61604be8ec54315fe35b673a3461

        SHA1

        3559531f86c1a9f85dbd54a65a29c50d1c2d4649

        SHA256

        514ba003685ce46b054ce5ff16dd4faacf680c6c877bb23280abef4ab4b246b1

        SHA512

        2c1907479b240cdf79fa7c162caff43706fd8d786dcd6179af3f2fc819e1dc8b58288f32d5a02aa603cb912b34a0617f0f521d5ef0cfdfc1f0355261a81235e8

      • C:\Users\Admin\AppData\Roaming\A1C0F\F371.1C0

        Filesize

        600B

        MD5

        a47d310119fa5941ced132ad9606b06f

        SHA1

        291247c8e5c423121eb02051adb488e87227e045

        SHA256

        835d4006ef9dc5e076d20bc8d9b37891861f800939f7ec61dabaa3baa99e0cf9

        SHA512

        f62bbc72f023c59c03a8a8bbe420ddf04e8ed1c3ca2fe66cab947156ab931e479ff96f0b53da9fae3e6690abe9c54764f71afd92bfa1940218c6ef323c7c0c89

      • C:\Users\Admin\AppData\Roaming\A1C0F\F371.1C0

        Filesize

        1KB

        MD5

        5489119700d9f27ab9594ff8361f7972

        SHA1

        0d05ef1b79999b9895e5374713c6685a3dd8233b

        SHA256

        065a066ce77cf7e475ab8740520bf253a1c7f5c52b81702092e8f2e096562b82

        SHA512

        757965e1c89c1fc2b21af2ce2d48b6d740fdf1e9eef4c8531e78389eaa3fe98629320d5ec71da822ba20ce30bc3a66185a4773da6a7fea7748fe2fb1261f6233

      • memory/572-125-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

      • memory/572-126-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

      • memory/1364-17-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

      • memory/1364-0-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

      • memory/1364-18-0x0000000000400000-0x0000000000452000-memory.dmp

        Filesize

        328KB

      • memory/1364-3-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

      • memory/1364-2-0x0000000000400000-0x0000000000452000-memory.dmp

        Filesize

        328KB

      • memory/1364-305-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

      • memory/1664-16-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

      • memory/1664-14-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

      • memory/1664-13-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB