Analysis
max time kernel: 140s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19/01/2025, 06:19
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe
Size: 168KB
MD5: bfbae6e4f9471a56861ee583ebbf41e4
SHA1: 7f7963f4db6b16c508264f68e8f318b1b5927506
SHA256: 4e9a85a50de1c4d5a8cee8e5aebbc451971cb3558222cc1f5aa66691a656ea69
SHA512: 7806a8a755af678fffa6ebd1e872902b246e5c1cd5b7b6d1c7a9f7dd997d7412d34c3d655d251388302fc96fa66533d9001f45719460a18c7357d015925c1a6c
SSDEEP: 3072:LCnlARdtmxC06aYl+5ir6Vl0Cs8IJJ1CMPI3Y6XkY6x/pH7:OebmxCpB+5ir6QOIJJ1CMPI3ZXk5xBH7
Malware Config
Signatures

Cycbot family

Detects Cycbot payload (6 IoCs)
Cycbot is a backdoor and trojan written in C++.
resource                                                                      yara_rule
behavioral1/memory/2540-5-0x0000000000400000-0x000000000046A000-memory.dmp    family_cycbot
behavioral1/memory/2100-14-0x0000000000400000-0x000000000046A000-memory.dmp   family_cycbot
behavioral1/memory/2100-83-0x0000000000400000-0x000000000046A000-memory.dmp   family_cycbot
behavioral1/memory/1244-87-0x0000000000400000-0x000000000046A000-memory.dmp   family_cycbot
behavioral1/memory/2100-146-0x0000000000400000-0x000000000046A000-memory.dmp  family_cycbot
behavioral1/memory/2100-185-0x0000000000400000-0x000000000046A000-memory.dmp  family_cycbot
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description      ioc                                                                                                                                                          Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"  JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource                                                                      yara_rule
behavioral1/memory/2540-6-0x0000000000400000-0x000000000046A000-memory.dmp    upx
behavioral1/memory/2540-5-0x0000000000400000-0x000000000046A000-memory.dmp    upx
behavioral1/memory/2100-2-0x0000000000400000-0x000000000046A000-memory.dmp    upx
behavioral1/memory/2100-14-0x0000000000400000-0x000000000046A000-memory.dmp   upx
behavioral1/memory/2100-83-0x0000000000400000-0x000000000046A000-memory.dmp   upx
behavioral1/memory/1244-85-0x0000000000400000-0x000000000046A000-memory.dmp   upx
behavioral1/memory/1244-87-0x0000000000400000-0x000000000046A000-memory.dmp   upx
behavioral1/memory/2100-146-0x0000000000400000-0x000000000046A000-memory.dmp  upx
behavioral1/memory/2100-185-0x0000000000400000-0x000000000046A000-memory.dmp  upx
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description                         pid   Process                                               procid_target
PID 2100 wrote to memory of 2540    2100  JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe  30
PID 2100 wrote to memory of 2540    2100  JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe  30
PID 2100 wrote to memory of 2540    2100  JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe  30
PID 2100 wrote to memory of 2540    2100  JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe  30
PID 2100 wrote to memory of 1244    2100  JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe  32
PID 2100 wrote to memory of 1244    2100  JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe  32
PID 2100 wrote to memory of 1244    2100  JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe  32
PID 2100 wrote to memory of 1244    2100  JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe  32
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe"
  - Modifies WinLogon for persistence
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2100

    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      - System Location Discovery: System Language Discovery
      PID: 2540

    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      - System Location Discovery: System Language Discovery
      PID: 1244
Network
MITRE ATT&CK Enterprise v15
Downloads