Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    26/01/2025, 23:01

General

  • Target

    JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe

  • Size

    169KB

  • MD5

    39e98f35addb6820603e70ee1f1d0d15

  • SHA1

    e240171dcf6600333b31e717ea85cc15bade5882

  • SHA256

    0e9ef42e87a0cc6b83e73e6a466d89a3076dbc8c3366a229c2147eae5d74208c

  • SHA512

    2b20260f2efdbaf1ac1ec03e25537223ffb9ef0e912c257637f254863d6eaf715b73b57e42eaf2a354db9facffaea57196b3d1ba2a2ac45c9bc73766145526d0

  • SSDEEP

    3072:j+LEc7MnG6adF32co5vf/HzjkSOEdIe29VBKDzPMS8TMaS6VjC:2EcMnPaL3q53rjk8ee23BK0S83Si

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and form data.

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs
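The report flags "Modifies WinLogon for persistence" but does not name the value that was changed. The following is an added example (not part of the Triage report) of the check an analyst would run on a host: compare the Winlogon Shell and Userinit values against a clean baseline and flag any appended entry, especially one under a user-writable path. The baseline values, the choice of Shell/Userinit as the targets, and the "infected" sample values (built from the csrss.exe drop path in the process tree) are assumptions for illustration.

```python
"""Check Winlogon Shell/Userinit values for appended persistence entries.

Added example, not part of the Triage report. The report only states that
Winlogon was modified; which value is assumed here (Shell and Userinit under
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon).
"""
import re
from typing import Dict, List

# Expected defaults on a clean Windows 7 x64 host (assumed baseline).
EXPECTED: Dict[str, str] = {
    "Shell": "explorer.exe",
    "Userinit": "C:\\Windows\\system32\\userinit.exe,",
}

# Paths a legitimate Winlogon entry should never live under.
USER_WRITABLE = re.compile(r"\\users\\|\\appdata\\|\\temp\\|\\programdata\\", re.I)


def _split_entries(value: str) -> List[str]:
    # Winlogon values are comma-separated lists of executables.
    return [e.strip() for e in value.split(",") if e.strip()]


def check_winlogon(values: Dict[str, str]) -> List[str]:
    """Return findings for Shell/Userinit; an empty list means clean."""
    findings: List[str] = []
    for name, expected in EXPECTED.items():
        actual = values.get(name)
        if actual is None:
            findings.append(f"{name}: value missing")
            continue
        expected_entries = {e.lower() for e in _split_entries(expected)}
        for entry in _split_entries(actual):
            if entry.lower() in expected_entries:
                continue
            # Anything beyond the default is a candidate implant.
            flag = "extra entry"
            if USER_WRITABLE.search(entry):
                flag += " in a user-writable path"
            findings.append(f"{name}: {flag}: {entry}")
    return findings


# Constructed sample values. The csrss.exe path comes from the process tree
# in this report; that it lands in Userinit is an assumption for illustration.
SAMPLE_CLEAN: Dict[str, str] = dict(EXPECTED)
SAMPLE_INFECTED: Dict[str, str] = {
    "Shell": "explorer.exe",
    "Userinit": "C:\\Windows\\system32\\userinit.exe,"
                "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss.exe,",
}


def read_live_winlogon() -> Dict[str, str]:
    """On a Windows host, read the real values; returns {} elsewhere."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return {}
    key = winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE,
        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    )
    out: Dict[str, str] = {}
    for name in EXPECTED:
        try:
            out[name] = winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:
            pass
    return out


if __name__ == "__main__":
    for label, vals in (("clean", SAMPLE_CLEAN), ("infected", SAMPLE_INFECTED)):
        print(label, check_winlogon(vals) or "OK")
    live = read_live_winlogon()
    if live:
        print("live host", check_winlogon(live) or "OK")
```

Run it on the sandbox VM (or any suspect host) after detonation; a clean host prints nothing for both values, while the constructed infected sample reports the csrss.exe entry under Temp. The Shell value is included because the same technique is also used to replace or prepend explorer.exe.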

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe"
    1⤵
    • Modifies WinLogon for persistence
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2812
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:816
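The two child processes above are relaunched with a single argument of the form start<dropped path>%<dropped directory>, and the dropped copies are named after Windows system binaries (conhost.exe, csrss.exe) but placed under the user profile. The following is an added example (not part of the Triage report) that parses those command lines, extracts the drop locations and flags the masquerading names. The command lines are copied from the process tree above; the list of system binary names and the System32/SysWOW64 directories are assumptions for illustration.

```python
"""Extract Cycbot drop paths from the `start<path>%<dir>` command lines.

Added example, not part of the Triage report. The argument format is the
literal form shown in the process tree above; everything else (the name
list, the trusted directories) is an assumption for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Names the sample borrows for its drops; a real hunt list is longer.
SYSTEM_NAMES = {"conhost.exe", "csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}
# Directories where those names are legitimate (assumed Windows layout).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# `<exe> <argument>` where <exe> is either quoted or contains no spaces.
CMD_RE = re.compile(r'^(?:"[^"]+"|\S+)\s+(?P<arg>.*)$')
# `start<path>%<dir>`: the path cannot contain '%' in this sample's format.
ARG_RE = re.compile(r"^start(?P<path>[^%]+)%(?P<dir>.+)$", re.I)


@dataclass
class Drop:
    path: str        # full path of the dropped executable
    directory: str   # directory passed after '%'
    masquerade: bool # system binary name outside a system directory


def parse_start_arg(cmdline: str) -> Optional[Drop]:
    """Parse one command line; None if it has no `start<path>%<dir>` argument."""
    m = CMD_RE.match(cmdline.strip())
    if not m:
        return None
    arg = ARG_RE.match(m.group("arg").strip())
    if not arg:
        return None
    path = arg.group("path")
    name = path.rsplit("\\", 1)[-1].lower()
    masquerade = name in SYSTEM_NAMES and not path.lower().startswith(SYSTEM_DIRS)
    return Drop(path=path, directory=arg.group("dir"), masquerade=masquerade)


def extract_drops(cmdlines: Iterable[str]) -> List[Drop]:
    """Return every drop found across a list of process command lines."""
    return [d for d in (parse_start_arg(c) for c in cmdlines) if d is not None]


# Command lines copied from the process tree in this report.
REPORT_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe"',
    r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe "
    r"startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft",
    r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_39e98f35addb6820603e70ee1f1d0d15.exe "
    r"startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp",
]


if __name__ == "__main__":
    for drop in extract_drops(REPORT_CMDLINES):
        tag = "MASQUERADE" if drop.masquerade else "ok"
        print(f"{tag:10} {drop.path}  (dir: {drop.directory})")
```

The parent line (PID 2124) has no argument and is skipped; the two children yield conhost.exe under Roaming\Microsoft and csrss.exe under Local\Temp, both flagged. The same two paths are what to hunt for on other hosts: a process named conhost.exe or csrss.exe whose image does not live under System32 or SysWOW64.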

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\FA1B.7AC

    Filesize

    597B

    MD5

    27b35666bb22346552d9173f7e1e0f19

    SHA1

    ced161df97cf60248d29496fcb3c7c91c00019ec

    SHA256

    7faa6ee88c48bfbf4e71eab2d7dd2dfa3d2d33e8072cfaec4340100a589a6b33

    SHA512

    10d6caa98b5c078a79577572d4f8aa6e52f1aec965e166dc0a55d297b15e19c742c780068907521840b5bf4aaa283e1ee2d9281d042bdced6a3cbe6ae12a0708

  • C:\Users\Admin\AppData\Roaming\FA1B.7AC

    Filesize

    1KB

    MD5

    547c4ae83ee3f73c7ef7feed1ba142f8

    SHA1

    68a5f74c26c74b0379ea45c050ea336bd6294e99

    SHA256

    2c669a58dd572f09cd46839dad4a67e857c7397fc45589f3ec0e30ab929822db

    SHA512

    b6b6526f2dbaee5e28e325b1a4975c0b9fcc6ea1272b9b4e711a9ccf509ecd4107176b6a5b4bde1b83acea87fc870d5be514216c9a9440e4ef8582e6d597c41e

  • C:\Users\Admin\AppData\Roaming\FA1B.7AC

    Filesize

    897B

    MD5

    82c638d546ebc640d6f95a598786fbeb

    SHA1

    e0df2407e28ee32c0c4c2f0b7ce6982883eeb857

    SHA256

    75961636514dd163ef155ea9d78db4a5bff004cecd293d6519af915ff44483b4

    SHA512

    57cf22d46f8052d0f29b48fde1ba9e46eaa46479a22f7758071285d8c102cf2efec44ab74dc0e973f1f863d95e993543ddc8e202ce97c9208043ef2a367476f4

  • C:\Users\Admin\AppData\Roaming\FA1B.7AC

    Filesize

    1KB

    MD5

    07e5c3433b9aac1c3ca8f27edd69c905

    SHA1

    f29093c379913b0d88b17f77bf6011c9ea3c13dc

    SHA256

    386f7d8566c8f6dbec45d709cd23d442da58d51e8dad7f09f8781d04ebf597b6

    SHA512

    f84351ee24fdb00fc32498aeb16bc1857c3f18e596f0299f6af0d87834c1fb9cefc5e063bba613957fd64f6cc903c997a5717a606039fb04dedcde614d080e3f

  • memory/816-83-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2124-1-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2124-20-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2124-81-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2124-196-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2812-6-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2812-7-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2812-9-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB