Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 140s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 18/01/2025, 03:50
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe
Resource: win7-20240903-en
General
- Target: JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe
- Size: 180KB
- MD5: 9ec6fc94432fa78a7585004d03eceabf
- SHA1: d739dab40b405822b4b89ab2ca208731b354f30a
- SHA256: 292c20d20889ba64ce3cdbdbb5467786f9ae807e2606aa4a14ec0dbf4c741639
- SHA512: 80bef760aba69cf9b81910a2e10cc5deb44d36501877176d1dc23d43f854c89bdee0b19cac2a2c98197eb3306ec5fa5e4b406ea83bf9c1fbb200b89a89114ab6
- SSDEEP: 3072:dklnqbpEekz2+pU1LnJAKd5gG8WrjFP0GBLFO4DTgEhtSKJylxq:dInYpEeg2+q1LnJAufgEcKIf
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (6 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource / yara_rule:
  behavioral1/memory/1664-14-0x0000000000400000-0x0000000000455000-memory.dmp  family_cycbot
  behavioral1/memory/1664-16-0x0000000000400000-0x0000000000455000-memory.dmp  family_cycbot
  behavioral1/memory/1364-17-0x0000000000400000-0x0000000000455000-memory.dmp  family_cycbot
  behavioral1/memory/1364-18-0x0000000000400000-0x0000000000452000-memory.dmp  family_cycbot
  behavioral1/memory/572-126-0x0000000000400000-0x0000000000455000-memory.dmp  family_cycbot
  behavioral1/memory/1364-305-0x0000000000400000-0x0000000000455000-memory.dmp  family_cycbot
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- (signature title missing from page) 9 IoCs
  resource / yara_rule:
  behavioral1/memory/1364-3-0x0000000000400000-0x0000000000455000-memory.dmp  upx
  behavioral1/memory/1664-13-0x0000000000400000-0x0000000000455000-memory.dmp  upx
  behavioral1/memory/1664-14-0x0000000000400000-0x0000000000455000-memory.dmp  upx
  behavioral1/memory/1664-16-0x0000000000400000-0x0000000000455000-memory.dmp  upx
  behavioral1/memory/1364-17-0x0000000000400000-0x0000000000455000-memory.dmp  upx
  behavioral1/memory/1364-18-0x0000000000400000-0x0000000000452000-memory.dmp  upx
  behavioral1/memory/572-126-0x0000000000400000-0x0000000000455000-memory.dmp  upx
  behavioral1/memory/572-125-0x0000000000400000-0x0000000000455000-memory.dmp  upx
  behavioral1/memory/1364-305-0x0000000000400000-0x0000000000455000-memory.dmp  upx
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description / pid / Process / procid_target:
  PID 1364 wrote to memory of 1664  1364  JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe  30
  PID 1364 wrote to memory of 1664  1364  JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe  30
  PID 1364 wrote to memory of 1664  1364  JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe  30
  PID 1364 wrote to memory of 1664  1364  JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe  30
  PID 1364 wrote to memory of 572   1364  JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe  33
  PID 1364 wrote to memory of 572   1364  JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe  33
  PID 1364 wrote to memory of 572   1364  JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe  33
  PID 1364 wrote to memory of 572   1364  JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe  33
Processes
1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe"
   PID: 1364
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe startC:\Program Files (x86)\LP\AF0A\82B.exe%C:\Program Files (x86)\LP\AF0A
      PID: 1664
   2. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe startC:\Users\Admin\AppData\Roaming\A1C0F\EC9AF.exe%C:\Users\Admin\AppData\Roaming\A1C0F
      PID: 572
Network
MITRE ATT&CK Enterprise v15
Downloads