Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel: 140s
  • max time network: 120s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 25/01/2025, 23:05

General

  • Target: JaffaCakes118_306ddef8dd05ca4da80890839bbcaa7d.exe
  • Size: 170KB
  • MD5: 306ddef8dd05ca4da80890839bbcaa7d
  • SHA1: 6908c0407cd8f3042ab09a74ff752947dc71c9d5
  • SHA256: 0b5ed9179e3a25ef6d9ee8504293c96b9cbc1c3cdc3cad8b46d1083e089be9db
  • SHA512: a40c12742f4690b56ae959fb9370eb84da894c387eaa920a19a01549d37df807433a10800aebe4210e9bc90b8d6cbdac5b0b34509d23d0b52fdb5c7302e374d8
  • SSDEEP: 3072:6iGifTBzP8Yxv9OuabnFezAu5INkmzasdh3p6CLYb5eelB+vs4:vNV7tq5ezp2zF33pW5eelB+

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload (4 IoCs)

    Cycbot is a backdoor and trojan written in C++.

  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, etc.

  • UPX packed file (7 IoCs)

    Detects executables packed with the UPX open-source packer or a modified UPX.

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_306ddef8dd05ca4da80890839bbcaa7d.exe (PID 1120, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_306ddef8dd05ca4da80890839bbcaa7d.exe"
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_306ddef8dd05ca4da80890839bbcaa7d.exe (PID 1732, depth 2)
      Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_306ddef8dd05ca4da80890839bbcaa7d.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      • System Location Discovery: System Language Discovery
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_306ddef8dd05ca4da80890839bbcaa7d.exe (PID 1488, depth 2)
      Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_306ddef8dd05ca4da80890839bbcaa7d.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      • System Location Discovery: System Language Discovery

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\A472.96A
    Filesize: 1KB
    MD5: e5ec80e0bc2b9e921b8d487d71257c36
    SHA1: 4c53efc0a35a533bdfec8f6d0a1b1407be80e84e
    SHA256: 99b518deb9030294e6dc5addf120aa1bbb6ab1f7577d71bd16729c9ee0f5417f
    SHA512: 7db78147a33be2f11605b9fb836afd8b65bc283c4de62cad7e95a11c7c530178c9794dae8fef83d6d0bcc6a1fa0204aa51de7cbd7255be9dc880c3ea9338e9e1

  • C:\Users\Admin\AppData\Roaming\A472.96A
    Filesize: 600B
    MD5: b0abdf4022041897edbe60cbca9e6b9c
    SHA1: c4831ad57a7470d095889ace57b37cfabd0d804a
    SHA256: 32159d9e7b1a80d71fdcd95d10557205d4f3d03f519689f5263de8deb085168e
    SHA512: 821cd689bb5e585e5e0de836cae744b1a1e4a5e5a963d536bb934e3f211b47cb0ec6c5305c677eb64d0250a963e7fcdfc6519d234ead2c2edeec48dfd2c24f72

  • C:\Users\Admin\AppData\Roaming\A472.96A
    Filesize: 996B
    MD5: bb5922297e625b85d389be87c3b38f30
    SHA1: acfcb2a7b9542280a1bd5b9570b8a03367f7d1c2
    SHA256: cafcd34515518c445341ed987eeda1c399213f7aeb7daf04e523ff218c2891e8
    SHA512: 2c312f6dc554369345243f0fee956e51bf7140e63f600699badbcd5c2c36527e36512e23a21e03f53dac3a38b0031f7ca9d11f83b35c4daca55d4f1eae15ce9d

  • memory/1120-1-0x0000000000400000-0x000000000046B000-memory.dmp (Filesize: 428KB)
  • memory/1120-2-0x0000000000400000-0x000000000046B000-memory.dmp (Filesize: 428KB)
  • memory/1120-16-0x0000000000400000-0x000000000046B000-memory.dmp (Filesize: 428KB)
  • memory/1120-163-0x0000000000400000-0x000000000046B000-memory.dmp (Filesize: 428KB)
  • memory/1488-87-0x0000000000400000-0x000000000046B000-memory.dmp (Filesize: 428KB)
  • memory/1488-86-0x0000000000400000-0x000000000046B000-memory.dmp (Filesize: 428KB)
  • memory/1732-12-0x0000000000400000-0x000000000046B000-memory.dmp (Filesize: 428KB)
  • memory/1732-13-0x0000000000400000-0x000000000046B000-memory.dmp (Filesize: 428KB)
  • memory/1732-15-0x0000000000400000-0x000000000046B000-memory.dmp (Filesize: 428KB)