Analysis
max time kernel: 140s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18/01/2025, 12:27
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_a9c3788bc20fcb8bdfd08fbf5f5d1ac0.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_a9c3788bc20fcb8bdfd08fbf5f5d1ac0.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_a9c3788bc20fcb8bdfd08fbf5f5d1ac0.exe
Size: 157KB
MD5: a9c3788bc20fcb8bdfd08fbf5f5d1ac0
SHA1: e03d31663d8025891e2a5796b501e4e5bc8da736
SHA256: 4d2446f38afde87f4612280dca26dba96d9bfb053b0e279f37de37b760c376aa
SHA512: 6b31d01c2786b000929e3b851b22e36070b5c926f6661aa4fb5939190597d6a74028db1da73cf5e2ba93c0333e199a7c191dad3dedd37695b82d3e5cdbcfedc8
SSDEEP: 3072:joWSnw50VEm4RpccVQTW+lSdyjvY00npX22bRRijKYF:jini0VEm4ceQqAw6YvnpjbPY
Malware Config
Signatures

Cycbot family
Detects Cycbot payload (6 IoCs)
Cycbot is a backdoor and trojan written in C++.
resource  yara_rule
behavioral1/memory/2968-7-0x0000000000400000-0x0000000000442000-memory.dmp  family_cycbot
behavioral1/memory/2296-15-0x0000000000400000-0x0000000000442000-memory.dmp  family_cycbot
behavioral1/memory/2296-78-0x0000000000400000-0x0000000000442000-memory.dmp  family_cycbot
behavioral1/memory/2992-80-0x0000000000400000-0x0000000000442000-memory.dmp  family_cycbot
behavioral1/memory/2296-150-0x0000000000400000-0x0000000000442000-memory.dmp  family_cycbot
behavioral1/memory/2296-184-0x0000000000400000-0x0000000000442000-memory.dmp  family_cycbot
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive profile data.
Adds Run key to start application (2 TTPs, 1 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"  JaffaCakes118_a9c3788bc20fcb8bdfd08fbf5f5d1ac0.exe

UPX packer signature (yara rule upx, 8 IoCs)
resource  yara_rule
behavioral1/memory/2296-2-0x0000000000400000-0x0000000000442000-memory.dmp  upx
behavioral1/memory/2968-5-0x0000000000400000-0x0000000000442000-memory.dmp  upx
behavioral1/memory/2968-7-0x0000000000400000-0x0000000000442000-memory.dmp  upx
behavioral1/memory/2296-15-0x0000000000400000-0x0000000000442000-memory.dmp  upx
behavioral1/memory/2296-78-0x0000000000400000-0x0000000000442000-memory.dmp  upx
behavioral1/memory/2992-80-0x0000000000400000-0x0000000000442000-memory.dmp  upx
behavioral1/memory/2296-150-0x0000000000400000-0x0000000000442000-memory.dmp  upx
behavioral1/memory/2296-184-0x0000000000400000-0x0000000000442000-memory.dmp  upx
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_a9c3788bc20fcb8bdfd08fbf5f5d1ac0.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_a9c3788bc20fcb8bdfd08fbf5f5d1ac0.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_a9c3788bc20fcb8bdfd08fbf5f5d1ac0.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description  pid  Process  procid_target
PID 2296 wrote to memory of 2968  2296  JaffaCakes118_a9c3788bc20fcb8bdfd08fbf5f5d1ac0.exe  31
PID 2296 wrote to memory of 2968  2296  JaffaCakes118_a9c3788bc20fcb8bdfd08fbf5f5d1ac0.exe  31
PID 2296 wrote to memory of 2968  2296  JaffaCakes118_a9c3788bc20fcb8bdfd08fbf5f5d1ac0.exe  31
PID 2296 wrote to memory of 2968  2296  JaffaCakes118_a9c3788bc20fcb8bdfd08fbf5f5d1ac0.exe  31
PID 2296 wrote to memory of 2992  2296  JaffaCakes118_a9c3788bc20fcb8bdfd08fbf5f5d1ac0.exe  33
PID 2296 wrote to memory of 2992  2296  JaffaCakes118_a9c3788bc20fcb8bdfd08fbf5f5d1ac0.exe  33
PID 2296 wrote to memory of 2992  2296  JaffaCakes118_a9c3788bc20fcb8bdfd08fbf5f5d1ac0.exe  33
PID 2296 wrote to memory of 2992  2296  JaffaCakes118_a9c3788bc20fcb8bdfd08fbf5f5d1ac0.exe  33
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a9c3788bc20fcb8bdfd08fbf5f5d1ac0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a9c3788bc20fcb8bdfd08fbf5f5d1ac0.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2296
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a9c3788bc20fcb8bdfd08fbf5f5d1ac0.exe (child of 2296)
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a9c3788bc20fcb8bdfd08fbf5f5d1ac0.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    - System Location Discovery: System Language Discovery
    PID: 2968
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a9c3788bc20fcb8bdfd08fbf5f5d1ac0.exe (child of 2296)
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a9c3788bc20fcb8bdfd08fbf5f5d1ac0.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
    - System Location Discovery: System Language Discovery
    PID: 2992
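As an added triage helper (not part of the tria.ge report and not code from the sample), the script below re-checks offline the two artefacts that make this run worth escalating: the Run value that points at conhost.exe under the user's AppData, and the child command lines that name dwm.exe and csrss.exe outside %SystemRoot%. The registry line is reproduced in the exact shape the report prints it (doubled backslashes included); the benign contrast lines, the SYSTEM_BINARIES allow-list and the regexes are assumptions constructed for this example.

```python
"""Offline triage of autorun persistence and system-binary masquerading.

Added example; the report lines below are copied from the sandbox output,
the contrast lines and the allow-list are constructed for illustration.
"""
import ntpath
import re
from dataclasses import dataclass, field

# Assumed allow-list: file names that legitimately exist only under %SystemRoot%.
SYSTEM_BINARIES = {
    "conhost.exe", "dwm.exe", "csrss.exe", "svchost.exe", "lsass.exe",
    "winlogon.exe", "explorer.exe", "services.exe", "smss.exe",
}

# Autorun keys this check cares about: HKLM/HKCU, native and WOW64 views, Run and RunOnce.
RUN_KEY = re.compile(
    r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\(Users\\[^\\]+|ProgramData)\\", re.I)
SYSTEM_ROOT = re.compile(r"^[a-z]:\\Windows\\", re.I)
WIN_PATH = re.compile(r'[a-z]:\\[^\s"%]+?\.exe', re.I)
# Shape of a 'Set value' IoC line as the report prints it.
SET_VALUE = re.compile(
    r'Set value \((?P<kind>\w+)\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\\s]+) = '
    r'"(?P<data>.*?)" (?P<writer>\S+)$')


@dataclass
class RunEntry:
    key: str
    name: str
    target: str            # executable path extracted from the value data
    writer: str            # process that wrote the value
    findings: list = field(default_factory=list)


def is_masquerading(path: str) -> bool:
    """True when the file name is a core Windows binary but the file sits outside %SystemRoot%."""
    return ntpath.basename(path).lower() in SYSTEM_BINARIES and not SYSTEM_ROOT.match(path)


def _target_exe(data: str) -> str:
    m = WIN_PATH.search(data)
    return m.group(0) if m else data.strip('"').split(" ")[0]


def assess(entry: RunEntry) -> RunEntry:
    """Attach findings: user-writable target, masquerading file name, masquerading value name."""
    base = ntpath.basename(entry.target).lower()
    if USER_WRITABLE.match(entry.target):
        entry.findings.append("autorun target lives in a user-writable directory")
    if is_masquerading(entry.target):
        entry.findings.append(f"target file name imitates system binary {base}")
    if f"{entry.name.lower()}.exe" in SYSTEM_BINARIES:
        entry.findings.append(f"value name '{entry.name}' imitates a system binary")
    return entry


def parse_run_entries(lines):
    """Parse report 'Set value' lines, keep only Run/RunOnce keys, and assess each."""
    entries = []
    for line in lines:
        m = SET_VALUE.match(line.strip())
        if not m or not RUN_KEY.search(m["key"]):
            continue
        data = m["data"].replace("\\\\", "\\")   # the report doubles backslashes in string data
        entries.append(assess(RunEntry(m["key"], m["name"], _target_exe(data), m["writer"])))
    return entries


def masquerading_paths(command_lines):
    """Every executable path in the command lines whose name is a system binary outside %SystemRoot%."""
    hits = []
    for cl in command_lines:
        hits.extend(p for p in WIN_PATH.findall(cl) if is_masquerading(p))
    return hits


# Line 1 is the report's own IoC; lines 2-4 are constructed benign/irrelevant contrasts.
SAMPLE_REGISTRY = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe" JaffaCakes118_a9c3788bc20fcb8bdfd08fbf5f5d1ac0.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe" explorer.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" OneDriveSetup.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell = "explorer.exe" explorer.exe',
]

# Command lines from the report's process tree (parent first, then the two children).
SAMPLE_COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a9c3788bc20fcb8bdfd08fbf5f5d1ac0.exe"',
    r'C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a9c3788bc20fcb8bdfd08fbf5f5d1ac0.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming',
    r'C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a9c3788bc20fcb8bdfd08fbf5f5d1ac0.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp',
]

if __name__ == "__main__":
    for e in parse_run_entries(SAMPLE_REGISTRY):
        print(f"{e.name:15} -> {e.target}: {e.findings or 'no findings'}")
    print("masquerading process paths:", masquerading_paths(SAMPLE_COMMAND_LINES))
```

The check deliberately treats the three signals separately: a Run value in a user profile is common for legitimate software (the constructed OneDrive line gets one low-weight finding), whereas a system-binary name under AppData or Temp is the point to escalate on, and the conhost entry trips all three.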
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 600B
MD5: a6abf9053b9d5eee3f8dbf07f9f0ca6a
SHA1: 0dd736623d4fe752d733e2e7a44a6aac3647d01b
SHA256: 25fc57540daf5942e8f3559e98a9d399696622943b22978fd2c50b616549c3e3
SHA512: 79f08f5831923b4c2a26dd24e0927cc0c3d7953f99ec7f3f0e2a3fcf42de93cee636096f18068ae85c711b3ff07e312333250910d755c4ec5d5fb1946f1ff4eb

Filesize: 1KB
MD5: 86436ca899902ee27e061c210043b91d
SHA1: f37c97093c3bf06651e6e28f83f00bd19ebcc2ac
SHA256: 8a934b7e755fb059bd917763de2324e6acad5efce9f7ffaed84ddbc40ded3e3b
SHA512: 0c7a29ea1e354d8b8f63618718522015d5554ee6e0aeae7b533ae98e347c60c907791cc36b2fd93d82d28a1ac6d9fce6d846b22e36472bfc31ce14658031061c

Filesize: 996B
MD5: 802136d53b38a6026fc2c7604309b5ff
SHA1: f3010541805e8f34290f0eea31ad507c654528f5
SHA256: 5de12a19519036a25350c8bd61a99c93ef17077f85270cda013fd4b72b426bf7
SHA512: a399606690cdf291da3393f0eeaefe33d07bed233764270031a6fc42f8dd38bc8fdda7e93d6b733c0a0397bdc7cb0e14d654c1455a18839e01c467bae07ba016