Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/01/2025, 07:36

General

  • Target

    JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe

  • Size

    198KB

  • MD5

    a3a36fec487f44d087bb90f3eb052b6c

  • SHA1

    5387df31b2a60d172fd38b198bc3deeef4f59200

  • SHA256

    18b8b770461734681869971080662175b78e19a7d888dddcc363536960ef9632

  • SHA512

    0b42db3e558cf371161a32454bec0d7a5622543c74d7874fb7c3ae1b5d3a32ca8fddcd9fe3f7c4b2fbb49b01614b9e8fd8af72a4b76b6ca8378867f6e68c8003

  • SSDEEP

    3072:RjcQPoihTA7yirtDRuxErDP1QeaR+GYp2whoD2cRRkxbx1B9EjwB:RjcQPF7uduerL14UGA2whoD2gK+

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 4 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2216
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1748

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\1B3A.A71

    Filesize

    1KB

    MD5

    7976ba13d7c3934612a2160d10474061

    SHA1

    7b3a5f7806290b59671bca488e0fd3c4c27fb7ce

    SHA256

    cefe3c4d767a59cca4f05dc64b874f6110678f22930dd8f969b716176737e964

    SHA512

    19a987fe8223ff822dc175772d18b0f35735d1f389fa41f4e02c247b8eb033eda8923ba581b95f305fb535f7f13e8c4ad915c10625a73dfa97f711d2ee0b0d15

  • C:\Users\Admin\AppData\Roaming\1B3A.A71

    Filesize

    600B

    MD5

    ca0ae6e3091cc00ef48f70f9758802a7

    SHA1

    c6a40c3ed3b1df1445d5a5c1ef7a4c7a0b416a9e

    SHA256

    ec3d963e625e10dfd7560f904099c4dbf08d1d26bd1b1ed15a1b6de8ed3673eb

    SHA512

    5619b88f94aa29b1bb38b6c180963d14532aa93fb0f193f46fa6cd1bd7cd5238b26efc6580171614e31e3ffe01f08690ae8000034e7fedae19aa5386c4e347c1

  • C:\Users\Admin\AppData\Roaming\1B3A.A71

    Filesize

    996B

    MD5

    2a0afda87ee763b4b19fbd99a3d7e206

    SHA1

    3427a6e73d40e9652fe7f53529df899c04716d53

    SHA256

    34e291dda3f40fc81b81e20702af4f7702582eeeb409a109f83aecd0abb505f9

    SHA512

    ed40e353f775f3eb8d9168706a1ee96099e00c3330ead29245b251ac886c40ff9609e2401ddd5365759c9b23c3b5ff9b58856a997acb78a66d2b624fe17aaf20

  • memory/1748-83-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/1748-85-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/1916-1-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/1916-2-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/1916-14-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/1916-188-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/2216-12-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/2216-13-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB