Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 140s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 25/01/2025, 10:10
Static task: static1

Behavioral task: behavioral1
  Sample: JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe
  Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe
- Size: 182KB
- MD5: 2a9857d443b225a1e2f408a4a7eeb3b7
- SHA1: 4c64b1ace28f8360087eee016cafe4d9589d06bb
- SHA256: e7f6682960beb570c02bf70aed795a4b6bdc88017c4498b5a0616b295fe9c81e
- SHA512: aa497017f514d67a9bb0604974746b6e0387c24ac0ed3246bc0f93b4e1cc61ba130ec936296000df7d19425615204c87263625c804c2c1bbb7b71f32fcd2e2c1
- SSDEEP: 3072:H2Nu+u6t71AZkPRS9HNv0j7d5bmiolHJybr7vbXr87sLL3dwr6h3FDnHj9l8V5J:H2VWcRckOPlHJYr4sLyrC1D5eVfY0JF
Malware Config
Signatures

- Cycbot family

- Detects Cycbot payload (5 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource | yara_rule
  behavioral1/memory/2696-5-0x0000000000400000-0x0000000000442000-memory.dmp | family_cycbot
  behavioral1/memory/1720-13-0x0000000000400000-0x0000000000442000-memory.dmp | family_cycbot
  behavioral1/memory/2896-82-0x0000000000400000-0x0000000000442000-memory.dmp | family_cycbot
  behavioral1/memory/1720-83-0x0000000000400000-0x0000000000442000-memory.dmp | family_cycbot
  behavioral1/memory/1720-182-0x0000000000400000-0x0000000000442000-memory.dmp | family_cycbot

- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe" | JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe

- resource | yara_rule
  behavioral1/memory/2696-4-0x0000000000400000-0x0000000000442000-memory.dmp | upx
  behavioral1/memory/2696-5-0x0000000000400000-0x0000000000442000-memory.dmp | upx
  behavioral1/memory/1720-13-0x0000000000400000-0x0000000000442000-memory.dmp | upx
  behavioral1/memory/2896-82-0x0000000000400000-0x0000000000442000-memory.dmp | upx
  behavioral1/memory/1720-83-0x0000000000400000-0x0000000000442000-memory.dmp | upx
  behavioral1/memory/1720-182-0x0000000000400000-0x0000000000442000-memory.dmp | upx
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1720 wrote to memory of 2696 | 1720 | JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe | 30
  PID 1720 wrote to memory of 2696 | 1720 | JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe | 30
  PID 1720 wrote to memory of 2696 | 1720 | JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe | 30
  PID 1720 wrote to memory of 2696 | 1720 | JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe | 30
  PID 1720 wrote to memory of 2896 | 1720 | JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe | 33
  PID 1720 wrote to memory of 2896 | 1720 | JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe | 33
  PID 1720 wrote to memory of 2896 | 1720 | JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe | 33
  PID 1720 wrote to memory of 2896 | 1720 | JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe | 33
Processes

1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1720

   2. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      - System Location Discovery: System Language Discovery
      PID: 2696

   2. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      - System Location Discovery: System Language Discovery
      PID: 2896
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1KB
  MD5: 7058196c673ffbf2d0ffc61785a5c7aa
  SHA1: a6cba42ccb00daf562d508ddd73cade0e9a906e9
  SHA256: 3d83e4fa35a5c23cc45f98374f284b55491f7a7cb6cc9ec87fec3e9df9df5eee
  SHA512: 6fc42dfa0adad138e2711144711c2e5bdefeb499982f6d1223a1ff20a4b474147e13aab30d09550b93691d24286e742d6c3ec9bd76815ee53bb7a6218deed678

- Filesize: 600B
  MD5: c7930f496757df7c4e0ac0e77931024e
  SHA1: 19c804aea16d1913cf8e43d8154acb263c33f165
  SHA256: a2690c40e642cc0e91d24b477eb1c27eabcc046b078d1eecdbe12994e560a56a
  SHA512: 4ef3115e773a75b82df4c8c475c9f4118e1361402ef29463b6762ab74754efaa4738d8d5b5d41d3a1236e6095067983516dec3b6cf3103c31d59a658f1ea1caf

- Filesize: 996B
  MD5: df71700b72d415cba518cdfc5984e33c
  SHA1: 980e50f2f98e2ed966dd9747afc4ef6a9f9eab30
  SHA256: 13850fc3b1190e096a741ee8b7d85c47c5f7870127a4f872a3e2bf628e2be73e
  SHA512: 0b00f4c58e7e2f2cba2cb1f4773ef0c9608a374f2074475e692c3c90a49addf74c3c0c0d957a9086fccc3e85399888a01dbeb9bad6cda563a8a37d36d6be4370