Analysis
- max time kernel: 140s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 26/01/2025, 23:01
Static task
- static1
Behavioral task
- behavioral1: sample JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe, resource win7-20240903-en
Behavioral task
- behavioral2: sample JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe, resource win10v2004-20241007-en
General
- Target: JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe
- Size: 169KB
- MD5: 39e98f35addb6820603e70ee1f1d0d15
- SHA1: e240171dcf6600333b31e717ea85cc15bade5882
- SHA256: 0e9ef42e87a0cc6b83e73e6a466d89a3076dbc8c3366a229c2147eae5d74208c
- SHA512: 2b20260f2efdbaf1ac1ec03e25537223ffb9ef0e912c257637f254863d6eaf715b73b57e42eaf2a354db9facffaea57196b3d1ba2a2ac45c9bc73766145526d0
- SSDEEP: 3072:j+LEc7MnG6adF32co5vf/HzjkSOEdIe29VBKDzPMS8TMaS6VjC:2EcMnPaL3q53rjk8ee23BK0S83Si
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (5 IoCs)
Cycbot is a backdoor and trojan written in C++.
yara rule family_cycbot matched in the following memory dumps (all in the 0x400000-0x46A000 range, the default image base of the main module):
  behavioral1/memory/2812-9-0x0000000000400000-0x000000000046A000-memory.dmp
  behavioral1/memory/2124-20-0x0000000000400000-0x000000000046A000-memory.dmp
  behavioral1/memory/2124-81-0x0000000000400000-0x000000000046A000-memory.dmp
  behavioral1/memory/816-83-0x0000000000400000-0x000000000046A000-memory.dmp
  behavioral1/memory/2124-196-0x0000000000400000-0x000000000046A000-memory.dmp
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Set value (str) by JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe:
  \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"
The stock value of Winlogon\Shell is "explorer.exe"; appending a second entry makes Winlogon launch the dropped dwm.exe from the user's Roaming directory at every logon, alongside the real shell.
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
- UPX-packed executable (yara rule upx, 7 IoCs)
yara rule upx matched in the following memory dumps:
  behavioral1/memory/2124-1-0x0000000000400000-0x000000000046A000-memory.dmp
  behavioral1/memory/2812-7-0x0000000000400000-0x000000000046A000-memory.dmp
  behavioral1/memory/2812-9-0x0000000000400000-0x000000000046A000-memory.dmp
  behavioral1/memory/2124-20-0x0000000000400000-0x000000000046A000-memory.dmp
  behavioral1/memory/2124-81-0x0000000000400000-0x000000000046A000-memory.dmp
  behavioral1/memory/816-83-0x0000000000400000-0x000000000046A000-memory.dmp
  behavioral1/memory/2124-196-0x0000000000400000-0x000000000046A000-memory.dmp
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened by JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe (3 times):
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Suspicious use of WriteProcessMemory (8 IoCs)
PID 2124 (JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe) wrote to the memory of PID 2812 (procid_target 30), 4 writes
PID 2124 (JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe) wrote to the memory of PID 816 (procid_target 32), 4 writes
Both targets are child copies of the same executable (see Processes below), so the parent is populating the processes it launched rather than injecting into an unrelated one.
Processes
- JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe (PID 2124)
  image: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe"
  - Modifies WinLogon for persistence
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe (PID 2812), child of 2124
    image: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
    - System Location Discovery: System Language Discovery
  - JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe (PID 816), child of 2124
    image: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
    - System Location Discovery: System Language Discovery
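The two behaviours worth turning into host checks are the Winlogon\Shell write above and the system-binary names the sample points at outside System32 (dwm.exe under Roaming, conhost.exe under Roaming\Microsoft, csrss.exe under Temp). The script below is an added example and not tria.ge code: it parses rows in the same "Set value (str) ... = "..." <process>" shape the report uses, splits the Shell value into its comma-separated entries, and flags any entry other than explorer.exe; it then scans command lines for drive-letter paths whose file name is a System32 binary but whose directory is not System32 or SysWOW64. The first sample row of each kind copies the report's SID, paths and PIDs; the "benign" rows and the SYSTEM_BINARIES list are constructed assumptions for the example.

```python
"""Triage checks for the Cycbot IoCs in this report: the Winlogon\\Shell write
and the system-binary names planted in user-writable directories.
Added example, not tria.ge code. Sample rows are constructed; the first of each
kind mirrors the report's IoCs, the 'benign' ones are made up."""
import re
from typing import List, Optional, Tuple

# Binaries that live in %SystemRoot%\System32 (or SysWOW64) on a healthy host.
# The same file name anywhere else is a masquerading candidate. (Assumed list.)
SYSTEM_BINARIES = {"dwm.exe", "csrss.exe", "conhost.exe", "svchost.exe",
                   "lsass.exe", "winlogon.exe", "smss.exe", "services.exe"}
LEGIT_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
DEFAULT_SHELL = "explorer.exe"  # stock Winlogon\Shell value

# Matches the report's 'Set value (str) <key> = "<value>" <process>' rows.
SHELL_RE = re.compile(
    r'Set value \(str\) (?P<key>\\REGISTRY\\.*?\\Winlogon\\Shell) = "(?P<value>[^"]*)"')
# Drive-letter paths ending in .exe inside a command line (stop at %, quotes, whitespace).
PATH_RE = re.compile(r'[A-Za-z]:\\[^%"\s]+?\.exe', re.IGNORECASE)


def parse_winlogon_shell(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (key, entries) for a Winlogon\\Shell write, None for any other row.
    The report prints the value with doubled backslashes; collapse them."""
    m = SHELL_RE.search(line)
    if m is None:
        return None
    value = m.group("value").replace("\\\\", "\\")
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return m.group("key"), entries


def extra_shell_entries(line: str) -> List[str]:
    """Everything in the Shell value besides explorer.exe; each extra entry is a
    program Winlogon will start at every logon."""
    parsed = parse_winlogon_shell(line)
    if parsed is None:
        return []
    return [e for e in parsed[1] if e.lower() != DEFAULT_SHELL]


def is_masquerading_path(path: str) -> bool:
    """True when a System32 binary name sits outside System32/SysWOW64."""
    lowered = path.replace("/", "\\").lower()
    name = lowered.rsplit("\\", 1)[-1]
    return name in SYSTEM_BINARIES and not any(d in lowered for d in LEGIT_DIRS)


def suspicious_paths_in_cmdline(cmdline: str) -> List[str]:
    """Paths in a command line that look like masquerading system binaries."""
    return [p for p in PATH_RE.findall(cmdline) if is_masquerading_path(p)]


def triage(registry_rows: List[str], cmdlines: List[str]) -> List[Tuple[str, str]]:
    """Run both checks and return (finding, detail) pairs."""
    findings: List[Tuple[str, str]] = []
    for row in registry_rows:
        for entry in extra_shell_entries(row):
            kind = ("winlogon_shell_masquerade" if is_masquerading_path(entry)
                    else "winlogon_shell_extra")
            findings.append((kind, entry))
    for cmd in cmdlines:
        for path in suspicious_paths_in_cmdline(cmd):
            findings.append(("masquerading_binary_in_cmdline", path))
    return findings


# Constructed sample input. Row 0 of each list copies the report's IoC.
SAMPLE_REGISTRY_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe" JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe',
    # Benign (constructed): an installer rewrites the default shell unchanged.
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" setup.exe',
]
SAMPLE_CMDLINES = [
    r'C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft',
    r'C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp',
    # Benign (constructed): the real conhost.exe from System32.
    r'C:\Windows\System32\conhost.exe 0x4',
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_REGISTRY_ROWS, SAMPLE_CMDLINES):
        print(f"{kind}: {detail}")
```

Run against the report's rows, the script reports three findings: the Roaming\dwm.exe appended to Winlogon\Shell, and the conhost.exe and csrss.exe paths handed to the two child processes. The benign rows produce nothing, which is the point of keying on the directory rather than on the file name alone: the same names are legitimate under System32.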
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 597B
  MD5: 27b35666bb22346552d9173f7e1e0f19
  SHA1: ced161df97cf60248d29496fcb3c7c91c00019ec
  SHA256: 7faa6ee88c48bfbf4e71eab2d7dd2dfa3d2d33e8072cfaec4340100a589a6b33
  SHA512: 10d6caa98b5c078a79577572d4f8aa6e52f1aec965e166dc0a55d297b15e19c742c780068907521840b5bf4aaa283e1ee2d9281d042bdced6a3cbe6ae12a0708
- Filesize: 1KB
  MD5: 547c4ae83ee3f73c7ef7feed1ba142f8
  SHA1: 68a5f74c26c74b0379ea45c050ea336bd6294e99
  SHA256: 2c669a58dd572f09cd46839dad4a67e857c7397fc45589f3ec0e30ab929822db
  SHA512: b6b6526f2dbaee5e28e325b1a4975c0b9fcc6ea1272b9b4e711a9ccf509ecd4107176b6a5b4bde1b83acea87fc870d5be514216c9a9440e4ef8582e6d597c41e
- Filesize: 897B
  MD5: 82c638d546ebc640d6f95a598786fbeb
  SHA1: e0df2407e28ee32c0c4c2f0b7ce6982883eeb857
  SHA256: 75961636514dd163ef155ea9d78db4a5bff004cecd293d6519af915ff44483b4
  SHA512: 57cf22d46f8052d0f29b48fde1ba9e46eaa46479a22f7758071285d8c102cf2efec44ab74dc0e973f1f863d95e993543ddc8e202ce97c9208043ef2a367476f4
- Filesize: 1KB
  MD5: 07e5c3433b9aac1c3ca8f27edd69c905
  SHA1: f29093c379913b0d88b17f77bf6011c9ea3c13dc
  SHA256: 386f7d8566c8f6dbec45d709cd23d442da58d51e8dad7f09f8781d04ebf597b6
  SHA512: f84351ee24fdb00fc32498aeb16bc1857c3f18e596f0299f6af0d87834c1fb9cefc5e063bba613957fd64f6cc903c997a5717a606039fb04dedcde614d080e3f