Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 140s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18/01/2025, 07:36
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe
Resource: win7-20240903-en
General
Target: JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe
Size: 198KB
MD5: a3a36fec487f44d087bb90f3eb052b6c
SHA1: 5387df31b2a60d172fd38b198bc3deeef4f59200
SHA256: 18b8b770461734681869971080662175b78e19a7d888dddcc363536960ef9632
SHA512: 0b42db3e558cf371161a32454bec0d7a5622543c74d7874fb7c3ae1b5d3a32ca8fddcd9fe3f7c4b2fbb49b01614b9e8fd8af72a4b76b6ca8378867f6e68c8003
SSDEEP: 3072:RjcQPoihTA7yirtDRuxErDP1QeaR+GYp2whoD2cRRkxbx1B9EjwB:RjcQPF7uduerL14UGA2whoD2gK+
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (4 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource | yara_rule
  behavioral1/memory/2216-13-0x0000000000400000-0x0000000000455000-memory.dmp | family_cycbot
  behavioral1/memory/1916-14-0x0000000000400000-0x0000000000455000-memory.dmp | family_cycbot
  behavioral1/memory/1748-85-0x0000000000400000-0x0000000000455000-memory.dmp | family_cycbot
  behavioral1/memory/1916-188-0x0000000000400000-0x0000000000455000-memory.dmp | family_cycbot
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
-
  resource | yara_rule
  behavioral1/memory/1916-2-0x0000000000400000-0x0000000000455000-memory.dmp | upx
  behavioral1/memory/2216-12-0x0000000000400000-0x0000000000455000-memory.dmp | upx
  behavioral1/memory/2216-13-0x0000000000400000-0x0000000000455000-memory.dmp | upx
  behavioral1/memory/1916-14-0x0000000000400000-0x0000000000455000-memory.dmp | upx
  behavioral1/memory/1748-83-0x0000000000400000-0x0000000000455000-memory.dmp | upx
  behavioral1/memory/1748-85-0x0000000000400000-0x0000000000455000-memory.dmp | upx
  behavioral1/memory/1916-188-0x0000000000400000-0x0000000000455000-memory.dmp | upx
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1916 wrote to memory of 2216 | 1916 | JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe | 31
  PID 1916 wrote to memory of 2216 | 1916 | JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe | 31
  PID 1916 wrote to memory of 2216 | 1916 | JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe | 31
  PID 1916 wrote to memory of 2216 | 1916 | JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe | 31
  PID 1916 wrote to memory of 1748 | 1916 | JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe | 33
  PID 1916 wrote to memory of 1748 | 1916 | JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe | 33
  PID 1916 wrote to memory of 1748 | 1916 | JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe | 33
  PID 1916 wrote to memory of 1748 | 1916 | JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe | 33
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe (tree level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1916
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe (tree level 2)
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
    - System Location Discovery: System Language Discovery
    PID: 2216
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe (tree level 2)
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    - System Location Discovery: System Language Discovery
    PID: 1748
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 7976ba13d7c3934612a2160d10474061
  SHA1: 7b3a5f7806290b59671bca488e0fd3c4c27fb7ce
  SHA256: cefe3c4d767a59cca4f05dc64b874f6110678f22930dd8f969b716176737e964
  SHA512: 19a987fe8223ff822dc175772d18b0f35735d1f389fa41f4e02c247b8eb033eda8923ba581b95f305fb535f7f13e8c4ad915c10625a73dfa97f711d2ee0b0d15
- Filesize: 600B
  MD5: ca0ae6e3091cc00ef48f70f9758802a7
  SHA1: c6a40c3ed3b1df1445d5a5c1ef7a4c7a0b416a9e
  SHA256: ec3d963e625e10dfd7560f904099c4dbf08d1d26bd1b1ed15a1b6de8ed3673eb
  SHA512: 5619b88f94aa29b1bb38b6c180963d14532aa93fb0f193f46fa6cd1bd7cd5238b26efc6580171614e31e3ffe01f08690ae8000034e7fedae19aa5386c4e347c1
- Filesize: 996B
  MD5: 2a0afda87ee763b4b19fbd99a3d7e206
  SHA1: 3427a6e73d40e9652fe7f53529df899c04716d53
  SHA256: 34e291dda3f40fc81b81e20702af4f7702582eeeb409a109f83aecd0abb505f9
  SHA512: ed40e353f775f3eb8d9168706a1ee96099e00c3330ead29245b251ac886c40ff9609e2401ddd5365759c9b23c3b5ff9b58856a997acb78a66d2b624fe17aaf20