Analysis
Max time kernel: 140s
Max time network: 120s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 25/01/2025, 23:05
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_306ddef8dd05ca4da80890839bbcaa7d.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_306ddef8dd05ca4da80890839bbcaa7d.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_306ddef8dd05ca4da80890839bbcaa7d.exe
Size: 170KB
MD5: 306ddef8dd05ca4da80890839bbcaa7d
SHA1: 6908c0407cd8f3042ab09a74ff752947dc71c9d5
SHA256: 0b5ed9179e3a25ef6d9ee8504293c96b9cbc1c3cdc3cad8b46d1083e089be9db
SHA512: a40c12742f4690b56ae959fb9370eb84da894c387eaa920a19a01549d37df807433a10800aebe4210e9bc90b8d6cbdac5b0b34509d23d0b52fdb5c7302e374d8
SSDEEP: 3072:6iGifTBzP8Yxv9OuabnFezAu5INkmzasdh3p6CLYb5eelB+vs4:vNV7tq5ezp2zF33pW5eelB+
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (4 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource | yara_rule
  behavioral1/memory/1732-15-0x0000000000400000-0x000000000046B000-memory.dmp | family_cycbot
  behavioral1/memory/1120-16-0x0000000000400000-0x000000000046B000-memory.dmp | family_cycbot
  behavioral1/memory/1488-87-0x0000000000400000-0x000000000046B000-memory.dmp | family_cycbot
  behavioral1/memory/1120-163-0x0000000000400000-0x000000000046B000-memory.dmp | family_cycbot
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and cookies.
- UPX-packed memory regions (YARA rule upx, 7 IoCs)
  resource | yara_rule
  behavioral1/memory/1120-2-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/1732-13-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/1732-15-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/1120-16-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/1488-87-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/1488-86-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/1120-163-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  Note: the same 0x400000-0x46B000 range (the default image base of a 32-bit PE) matches both the upx rule and the family_cycbot rule on the later dumps of each process, which is consistent with UPX unpacking the payload in place into the original image sections.
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_306ddef8dd05ca4da80890839bbcaa7d.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_306ddef8dd05ca4da80890839bbcaa7d.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_306ddef8dd05ca4da80890839bbcaa7d.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1120 wrote to memory of 1732 | 1120 | JaffaCakes118_306ddef8dd05ca4da80890839bbcaa7d.exe | 28 (reported 4 times)
  PID 1120 wrote to memory of 1488 | 1120 | JaffaCakes118_306ddef8dd05ca4da80890839bbcaa7d.exe | 30 (reported 4 times)
  The procid_target column is the report's own process index (28 and 30), not the target PID; the target PIDs (1732, 1488) are the ones named in the description and match the two child processes in the process tree.
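The YARA rows above are easier to reason about once the dump names are parsed: each name encodes the PID, a dump index and the address range, and the packer rule fires before the family rule on the same region. The following script is an added example (not tria.ge's code) that transcribes the hits from this report and derives, per process, which dumps were still packed and where the family rule first matched. It assumes the naming scheme task/memory/PID-index-0xSTART-0xEND-memory.dmp and treats the middle number as an ordinal that increases over the run.

```python
import re
from collections import defaultdict

# YARA hits transcribed from this report's Signatures section (behavioral1 only);
# each entry is (memory-dump resource name, rule that matched).
YARA_HITS = [
    ("behavioral1/memory/1120-2-0x0000000000400000-0x000000000046B000-memory.dmp", "upx"),
    ("behavioral1/memory/1732-13-0x0000000000400000-0x000000000046B000-memory.dmp", "upx"),
    ("behavioral1/memory/1732-15-0x0000000000400000-0x000000000046B000-memory.dmp", "upx"),
    ("behavioral1/memory/1732-15-0x0000000000400000-0x000000000046B000-memory.dmp", "family_cycbot"),
    ("behavioral1/memory/1120-16-0x0000000000400000-0x000000000046B000-memory.dmp", "upx"),
    ("behavioral1/memory/1120-16-0x0000000000400000-0x000000000046B000-memory.dmp", "family_cycbot"),
    ("behavioral1/memory/1488-86-0x0000000000400000-0x000000000046B000-memory.dmp", "upx"),
    ("behavioral1/memory/1488-87-0x0000000000400000-0x000000000046B000-memory.dmp", "upx"),
    ("behavioral1/memory/1488-87-0x0000000000400000-0x000000000046B000-memory.dmp", "family_cycbot"),
    ("behavioral1/memory/1120-163-0x0000000000400000-0x000000000046B000-memory.dmp", "upx"),
    ("behavioral1/memory/1120-163-0x0000000000400000-0x000000000046B000-memory.dmp", "family_cycbot"),
]

# Assumed naming scheme: <task>/memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp.
# Treating the middle number as an ordinal that increases over the run is an
# assumption about the sandbox's naming, not something the report states.
DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split a dump resource name into its task, PID, dump index and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return {
        "task": m["task"],
        "pid": int(m["pid"]),
        "idx": int(m["idx"]),
        "start": int(m["start"], 16),
        "end": int(m["end"], 16),
    }


def group_hits(hits):
    """Map (pid, idx, start, end) -> set of rule names that fired on that dump."""
    grouped = defaultdict(set)
    for name, rule in hits:
        d = parse_dump_name(name)
        grouped[(d["pid"], d["idx"], d["start"], d["end"])].add(rule)
    return grouped


def packer_only_dumps(hits, packer="upx", family="family_cycbot"):
    """Dumps where only the packer rule fired, i.e. the region still looked packed."""
    return sorted(
        (pid, idx)
        for (pid, idx, _, _), rules in group_hits(hits).items()
        if packer in rules and family not in rules
    )


def first_family_hit(hits, family="family_cycbot"):
    """Lowest dump index per PID at which the family rule matched."""
    first = {}
    for (pid, idx, _, _), rules in group_hits(hits).items():
        if family in rules and idx < first.get(pid, idx + 1):
            first[pid] = idx
    return first


def region_size(name):
    """Size in bytes of the dumped region (every hit here covers 0x400000-0x46B000)."""
    d = parse_dump_name(name)
    return d["end"] - d["start"]


if __name__ == "__main__":
    print("packer-only dumps:", packer_only_dumps(YARA_HITS))
    print("first family hit per PID:", first_family_hit(YARA_HITS))
    print("region size:", hex(region_size(YARA_HITS[0][0])))
```

For this report the packer-only dumps are 1120-2, 1732-13 and 1488-86, and the family rule first matches at 1732-15, 1120-16 and 1488-87: in every process the earliest dump of the image region matched only the packer rule, and a later dump of the same 0x6B000-byte region matched both. That pattern is what you expect when the family signature targets the unpacked code rather than the packed file on disk.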
Processes
- PID 1120
  Path: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_306ddef8dd05ca4da80890839bbcaa7d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_306ddef8dd05ca4da80890839bbcaa7d.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - PID 1732 (child of 1120)
    Path: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_306ddef8dd05ca4da80890839bbcaa7d.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_306ddef8dd05ca4da80890839bbcaa7d.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
    Signatures: System Location Discovery: System Language Discovery
  - PID 1488 (child of 1120)
    Path: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_306ddef8dd05ca4da80890839bbcaa7d.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_306ddef8dd05ca4da80890839bbcaa7d.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    Signatures: System Location Discovery: System Language Discovery
Note: both children are the sample itself, re-launched by PID 1120 with an argument naming an executable under the user's AppData\Roaming tree (conhost.exe, dwm.exe) that shares its file name with a genuine Windows system binary, and PID 1120 wrote into the memory of both children. The command lines are reproduced as the report shows them.
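The process tree gives three host-side signals worth turning into detection logic: a process re-executed by a parent running the same image, a command-line argument pointing at a system-binary name under a user profile, and a WriteProcessMemory from parent to child. The script below is an added example (not tria.ge's code) that runs those heuristics over process-creation events constructed from this report; the event shape, the list of system binary names and the "start<exe>%<dir>" argument regex are assumptions made for the example.

```python
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_306ddef8dd05ca4da80890839bbcaa7d.exe"

# Process-creation events constructed from the report's process tree
# (pid, parent pid, image path and command line as shown on the page).
EVENTS = [
    {"pid": 1120, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1732, "ppid": 1120, "image": SAMPLE,
     "cmdline": SAMPLE + r" startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft"},
    {"pid": 1488, "ppid": 1120, "image": SAMPLE,
     "cmdline": SAMPLE + r" startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming"},
]

# (writer pid, target pid) pairs, de-duplicated from the eight WriteProcessMemory rows.
WRITES = {(1120, 1732), (1120, 1488)}

# File names of genuine Windows system binaries. A file with one of these names
# under a user profile is a masquerading indicator (ATT&CK T1036). This list is an
# assumption for the example, not something the report provides.
SYSTEM_BINARY_NAMES = {"conhost.exe", "dwm.exe", "csrss.exe", "svchost.exe", "explorer.exe"}

# Assumed argument shape seen in the tree: "start" immediately followed by
# "<path to exe>%<directory>".
ARG_RE = re.compile(r"start\s*([A-Za-z]:\\[^%\s]+)%([A-Za-z]:\\\S*)")


def decoy_target(cmdline):
    """Pull the (exe path, directory) pair out of the 'start...' argument, or None."""
    m = ARG_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def looks_like_masquerade(path):
    """True when a system binary's file name sits under a user's AppData directory."""
    return (ntpath.basename(path).lower() in SYSTEM_BINARY_NAMES
            and "\\appdata\\" in path.lower())


def score_events(events, writes):
    """Return [(pid, [reasons])] for every process that trips at least one heuristic."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        reasons = []
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower() == e["image"].lower():
            reasons.append("re-executed by a parent running the same image")
        target = decoy_target(e["cmdline"])
        if target and looks_like_masquerade(target[0]):
            reasons.append(f"system binary name under user profile: {target[0]}")
        if (e["ppid"], e["pid"]) in writes:
            reasons.append("parent wrote into this process's memory")
        if reasons:
            findings.append((e["pid"], reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in score_events(EVENTS, WRITES):
        print(pid)
        for r in reasons:
            print("  -", r)
```

Against this report's tree the two children (1732 and 1488) trip all three heuristics and the parent trips none, which is the split you want: the first process is just the sample starting, and everything suspicious happens in how it re-launches itself. In a real pipeline the same three checks map onto Sysmon event ID 1 (parent/child image and command line) and event ID 8 or 10 style cross-process access, with the masquerade check applied to any path argument, not only the "start" form this family uses.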
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: e5ec80e0bc2b9e921b8d487d71257c36
  SHA1: 4c53efc0a35a533bdfec8f6d0a1b1407be80e84e
  SHA256: 99b518deb9030294e6dc5addf120aa1bbb6ab1f7577d71bd16729c9ee0f5417f
  SHA512: 7db78147a33be2f11605b9fb836afd8b65bc283c4de62cad7e95a11c7c530178c9794dae8fef83d6d0bcc6a1fa0204aa51de7cbd7255be9dc880c3ea9338e9e1
- Filesize: 600B
  MD5: b0abdf4022041897edbe60cbca9e6b9c
  SHA1: c4831ad57a7470d095889ace57b37cfabd0d804a
  SHA256: 32159d9e7b1a80d71fdcd95d10557205d4f3d03f519689f5263de8deb085168e
  SHA512: 821cd689bb5e585e5e0de836cae744b1a1e4a5e5a963d536bb934e3f211b47cb0ec6c5305c677eb64d0250a963e7fcdfc6519d234ead2c2edeec48dfd2c24f72
- Filesize: 996B
  MD5: bb5922297e625b85d389be87c3b38f30
  SHA1: acfcb2a7b9542280a1bd5b9570b8a03367f7d1c2
  SHA256: cafcd34515518c445341ed987eeda1c399213f7aeb7daf04e523ff218c2891e8
  SHA512: 2c312f6dc554369345243f0fee956e51bf7140e63f600699badbcd5c2c36527e36512e23a21e03f53dac3a38b0031f7ca9d11f83b35c4daca55d4f1eae15ce9d