Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    19/01/2025, 06:19

General

  • Target

    JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe

  • Size

    168KB

  • MD5

    bfbae6e4f9471a56861ee583ebbf41e4

  • SHA1

    7f7963f4db6b16c508264f68e8f318b1b5927506

  • SHA256

    4e9a85a50de1c4d5a8cee8e5aebbc451971cb3558222cc1f5aa66691a656ea69

  • SHA512

    7806a8a755af678fffa6ebd1e872902b246e5c1cd5b7b6d1c7a9f7dd997d7412d34c3d655d251388302fc96fa66533d9001f45719460a18c7357d015925c1a6c

  • SSDEEP

    3072:LCnlARdtmxC06aYl+5ir6Vl0Cs8IJJ1CMPI3Y6XkY6x/pH7:OebmxCpB+5ir6QOIJJ1CMPI3ZXk5xBH7

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 6 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory 8 IoCs
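The "UPX packed file" verdict above rests on what the sample's PE section table looks like. As an added example (not code from this report or from tria.ge), the Python below walks a PE section table and applies the usual heuristics: UPX section names, a leading section with a large virtual size but no raw data (the unpack destination), and high entropy in the section that carries the compressed image. It also covers the "modified UPX" case the signature mentions, where the stub renames its sections but keeps that layout. The PE images are constructed in memory for the demonstration and are not the sample analysed here; `build_pe`, `packer_verdict` and the 7.0-bit entropy threshold are this example's own choices. The same layout explains why a sample of 168KB on disk can occupy a 424KB region (0x400000-0x46A000) in each memory dump this report lists: the space the packer reserves for the unpacked image exists only once the file is mapped.

```python
"""Added example: PE section-table heuristics behind a "UPX packed file" verdict,
applied to images constructed in memory (not the sample from this report)."""
import hashlib
import math
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX!"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; compressed or encrypted data sits near 8


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image):
    """Yield (name, virtual_size, raw_size, raw_bytes) from a PE image's section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # signature (4) + COFF header (20) + optional header
    for i in range(nsections):
        hdr = image[table + 40 * i: table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", hdr, 8)
        yield name, vsize, rsize, image[rptr:rptr + rsize]


def upx_indicators(image):
    """Collect the per-section signs a packer-detection rule keys on."""
    found = []
    for name, vsize, rsize, data in pe_sections(image):
        if name in UPX_SECTION_NAMES:
            found.append(("upx_name", name))
        if rsize == 0 and vsize > 0:
            found.append(("virtual_only", name))  # unpack destination, nothing on disk
        if rsize and shannon_entropy(data) > ENTROPY_THRESHOLD:
            found.append(("high_entropy", name))
    return found


def packer_verdict(image):
    """'upx' on a name match; a renamed (modified UPX) stub still shows the layout."""
    kinds = {kind for kind, _ in upx_indicators(image)}
    if "upx_name" in kinds:
        return "upx"
    if {"virtual_only", "high_entropy"} <= kinds:
        return "packed (UPX-like layout, sections renamed)"
    return "none"


def build_pe(sections):
    """Build a minimal, non-loadable PE32 image from (name, virtual_size, raw_bytes) triples."""
    header_room = 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    opt_size = 224                                      # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    table, body, raw_ptr, vaddr = b"", b"", header_room, 0x1000
    for name, vsize, data in sections:
        rsize = (len(data) + 0x1FF) & ~0x1FF            # file alignment 0x200
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, rsize,
                             raw_ptr if data else 0, 0, 0, 0, 0, 0xE0000060)
        body += data.ljust(rsize, b"\0")
        raw_ptr += rsize
        vaddr += (max(vsize, rsize) + 0xFFF) & ~0xFFF    # section alignment 0x1000
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return head.ljust(header_room, b"\0") + body


def pseudo_random(n, seed=b"constructed UPX1 payload"):
    """Deterministic high-entropy filler standing in for compressed code."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


# Constructed images: a UPX layout, the same layout with renamed sections, a plain build.
UPX_IMAGE = build_pe([("UPX0", 0x60000, b""), ("UPX1", 0x1000, pseudo_random(0x1000)),
                      (".rsrc", 0x200, b"RESOURCE" * 64)])
RENAMED_IMAGE = build_pe([(".abc0", 0x60000, b""), (".abc1", 0x1000, pseudo_random(0x1000)),
                          (".rsrc", 0x200, b"RESOURCE" * 64)])
PLAIN_IMAGE = build_pe([(".text", 0x800, (b"push ebp; mov ebp, esp; " * 80)[:0x800]),
                        (".data", 0x200, b"\0" * 0x200)])

if __name__ == "__main__":
    for label, img in (("upx", UPX_IMAGE), ("renamed", RENAMED_IMAGE), ("plain", PLAIN_IMAGE)):
        print(label, packer_verdict(img), upx_indicators(img))
```

The entropy check is what survives a renamed stub, so it is the part worth keeping when a rule is ported to another packer; the name set alone would miss the "modified UPX" variants the signature text names.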

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe"
    1⤵
    • Modifies WinLogon for persistence
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2540
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1244
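The process tree above shows the behaviours the signatures name: the parent (PID 2100) modifies Winlogon, starts two copies of itself with a `start<drop path>%<drop directory>` argument, and is flagged for WriteProcessMemory. As an added example (not part of the report and not tria.ge code), the Python below encodes each behaviour as a rule over Sysmon-style event dictionaries and runs the rules on events constructed to mirror the tree. PIDs and command lines are taken from the report; the Winlogon value written, the GrantedAccess masks, the assumption that the writes target the two children, and the two benign control events are placeholders, since the report lists none of them.

```python
"""Added example: three detection rules for behaviours in this report, applied to
constructed Sysmon-style events (dicts keyed like Sysmon fields). Not telemetry
from the sandbox run and not tria.ge code."""
import re
from dataclasses import dataclass

WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Stock values for the two Winlogon entries malware rewrites most often
# (normalised: lower-case, trailing comma removed).
WINLOGON_EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}
# The relaunch argument from the process tree: "start" glued to the drop path,
# then "%" and the drop directory. Written for this example, not a vendor rule.
RELAUNCH_RE = re.compile(r"\sstart([a-z]:\\[^%]+)%([a-z]:\\\S+)$", re.IGNORECASE)
# Handle rights WriteProcessMemory needs on its target.
PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0008, 0x0020


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def _norm(value):
    return value.strip().lower().rstrip(",")


def check_winlogon(ev):
    """Event 13 (registry value set): Shell/Userinit changed away from stock values."""
    if ev["EventID"] != 13 or not ev["TargetObject"].lower().startswith(WINLOGON_KEY.lower()):
        return None
    name = ev["TargetObject"].rsplit("\\", 1)[1].lower()
    expected = WINLOGON_EXPECTED.get(name)
    if expected is None or _norm(ev["Details"]) in expected:
        return None
    return Alert("winlogon_persistence", ev["ProcessId"], f"{name}={ev['Details']}")


def check_self_relaunch(ev):
    """Event 1 (process create): an image starts itself with the relaunch argument."""
    if ev["EventID"] != 1 or ev["Image"].lower() != ev["ParentImage"].lower():
        return None
    m = RELAUNCH_RE.search(ev["CommandLine"])
    if m is None:
        return None
    return Alert("self_relaunch", ev["ProcessId"], f"drop={m.group(1)} dir={m.group(2)}")


def check_vm_write(ev):
    """Event 10 (process access): a handle with VM write rights on another process."""
    if ev["EventID"] != 10 or ev["SourceProcessId"] == ev["TargetProcessId"]:
        return None
    granted = int(ev["GrantedAccess"], 16)
    needed = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
    if granted & needed != needed:
        return None
    return Alert("process_memory_write", ev["SourceProcessId"],
                 f"target={ev['TargetProcessId']} access=0x{granted:X}")


RULES = (check_winlogon, check_self_relaunch, check_vm_write)


def run_rules(events):
    """Apply every rule to every event; returns the alerts in event order."""
    return [a for ev in events for rule in RULES if (a := rule(ev)) is not None]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe"
# Constructed events modelled on the report's process tree. PIDs and command
# lines are from the report; the Winlogon value, the access masks and the two
# benign control events (PIDs 3000 and 600) are placeholders.
EVENTS = [
    {"EventID": 1, "ProcessId": 2540, "Image": SAMPLE, "ParentImage": SAMPLE,
     "CommandLine": SAMPLE + r" startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe"
                             r"%C:\Users\Admin\AppData\Roaming\Microsoft"},
    {"EventID": 1, "ProcessId": 1244, "Image": SAMPLE, "ParentImage": SAMPLE,
     "CommandLine": SAMPLE + r" startC:\Users\Admin\AppData\Local\Temp\csrss.exe"
                             r"%C:\Users\Admin\AppData\Local\Temp"},
    {"EventID": 1, "ProcessId": 3000, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    {"EventID": 13, "ProcessId": 2100, "TargetObject": WINLOGON_KEY + r"\Shell",
     "Details": r"explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe"},
    {"EventID": 13, "ProcessId": 600, "TargetObject": WINLOGON_KEY + r"\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,"},
    {"EventID": 10, "SourceProcessId": 2100, "TargetProcessId": 2540, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceProcessId": 2100, "TargetProcessId": 1244, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceProcessId": 3000, "TargetProcessId": 2100, "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for alert in run_rules(EVENTS):
        print(alert)
```

The self-relaunch rule is the most specific of the three: a binary spawning its own image is common, but the `start<path>%<dir>` argument with the drop paths under AppData is the shape this tree shows. The Winlogon rule fires on any departure from the stock Shell/Userinit values, which is also how it should be run against a live host's registry during a response, and the handle-rights rule on its own is noisy (debuggers and security tools open processes with the same rights), so it is best used to enrich the other two rather than to alert alone.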

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\2B18.3A6

    Filesize

    1KB

    MD5

    61fa83c67f653e612f05eb82be3e758f

    SHA1

    c5f2d87d1a818f7600aa90cf79bf139b23758606

    SHA256

    6d5d0be53dba19cb4a49419987bb18b9bbd27f765c2d7ef1df8c7d9789234bcb

    SHA512

    337d39f9386e4551976c2f96f16afe57aef464aaca1337d88c56a820a0ef585725cbd7b0ec14bea28a81d5a82d5f35cfe21c36b08b2c98348ffcf7ace23f9775

  • C:\Users\Admin\AppData\Roaming\2B18.3A6

    Filesize

    600B

    MD5

    e786035e340b174f44771a7cdd682026

    SHA1

    6c07844f2f4e0741c263832d5c30d63fd0aaf4d6

    SHA256

    21d03c526de75c140358ce049d1022fdb183dbcc2e8571ca99e4bdfe9ab59a5a

    SHA512

    f7ff098bb54951ca215faedc8467ba12c217328cb093897368ae1ac29e2c2926a7d729b97c8167750bf5e586addd89d6fcd9faeebfed0c5e03ac1e24d0d9bfd8

  • C:\Users\Admin\AppData\Roaming\2B18.3A6

    Filesize

    996B

    MD5

    cf59a23d6680064af2defa4fbd0e7b88

    SHA1

    29e650334d0549a9261c2ea3075aad6b3dae552d

    SHA256

    05acb7a986c5ee445468352cf9e9a9f7e4f2b83b336c5d8ccbf6ba5459815ec6

    SHA512

    fa9a2e2e4935dcf1760c9f022ad227b5073a61bbe47ba13cb47fc5dc8a00db32b0b64ef8a17d695ca4cc2d809d7d51f0de81d4f764e01ed336f1d2baf0cd044c

  • memory/1244-87-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/1244-85-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2100-14-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2100-1-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2100-2-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2100-83-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2100-146-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2100-185-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2540-6-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2540-5-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB