Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25/01/2025, 10:10

General

  • Target

    JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe

  • Size

    182KB

  • MD5

    2a9857d443b225a1e2f408a4a7eeb3b7

  • SHA1

    4c64b1ace28f8360087eee016cafe4d9589d06bb

  • SHA256

    e7f6682960beb570c02bf70aed795a4b6bdc88017c4498b5a0616b295fe9c81e

  • SHA512

    aa497017f514d67a9bb0604974746b6e0387c24ac0ed3246bc0f93b4e1cc61ba130ec936296000df7d19425615204c87263625c804c2c1bbb7b71f32fcd2e2c1

  • SSDEEP

    3072:H2Nu+u6t71AZkPRS9HNv0j7d5bmiolHJybr7vbXr87sLL3dwr6h3FDnHj9l8V5J:H2VWcRckOPlHJYr4sLyrC1D5eVfY0JF

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

  • Cycbot family
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2696
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2a9857d443b225a1e2f408a4a7eeb3b7.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2896

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\4389.78F

    Filesize

    1KB

    MD5

    7058196c673ffbf2d0ffc61785a5c7aa

    SHA1

    a6cba42ccb00daf562d508ddd73cade0e9a906e9

    SHA256

    3d83e4fa35a5c23cc45f98374f284b55491f7a7cb6cc9ec87fec3e9df9df5eee

    SHA512

    6fc42dfa0adad138e2711144711c2e5bdefeb499982f6d1223a1ff20a4b474147e13aab30d09550b93691d24286e742d6c3ec9bd76815ee53bb7a6218deed678

  • C:\Users\Admin\AppData\Roaming\4389.78F

    Filesize

    600B

    MD5

    c7930f496757df7c4e0ac0e77931024e

    SHA1

    19c804aea16d1913cf8e43d8154acb263c33f165

    SHA256

    a2690c40e642cc0e91d24b477eb1c27eabcc046b078d1eecdbe12994e560a56a

    SHA512

    4ef3115e773a75b82df4c8c475c9f4118e1361402ef29463b6762ab74754efaa4738d8d5b5d41d3a1236e6095067983516dec3b6cf3103c31d59a658f1ea1caf

  • C:\Users\Admin\AppData\Roaming\4389.78F

    Filesize

    996B

    MD5

    df71700b72d415cba518cdfc5984e33c

    SHA1

    980e50f2f98e2ed966dd9747afc4ef6a9f9eab30

    SHA256

    13850fc3b1190e096a741ee8b7d85c47c5f7870127a4f872a3e2bf628e2be73e

    SHA512

    0b00f4c58e7e2f2cba2cb1f4773ef0c9608a374f2074475e692c3c90a49addf74c3c0c0d957a9086fccc3e85399888a01dbeb9bad6cda563a8a37d36d6be4370

  • memory/1720-1-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/1720-13-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/1720-83-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/1720-182-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2696-4-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2696-5-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2896-82-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB