Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 140s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 28/01/2025, 07:17
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_48424d61bbe95463813d519028f55816.exe
Resource: win7-20240903-en
General
- Target: JaffaCakes118_48424d61bbe95463813d519028f55816.exe
- Size: 184KB
- MD5: 48424d61bbe95463813d519028f55816
- SHA1: 99b2cf21e7ad98dbee855347db5e88b04691e2f6
- SHA256: b1d5250f9238e7a26eda172a27a5e8d783b2fbf992631a1c42be72a976ef5af3
- SHA512: a64662c0617aae47358272a2b14a665ca16985f73253bb72efff7a10d40f0561061205b9786056a518f59d7d1252788c51c7746086f38d9242189a27ecb349d5
- SSDEEP: 3072:0f3ZM5kiCeDxS7txhF7BiOk+5cOWAuEJONr3lsT6O8vaUO/NwbX850pMIWqojEW:6pM5kuSJxhdBiOk+5cOvJOR46O8v5Zit
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (5 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource | yara_rule
  behavioral1/memory/2776-9-0x0000000000400000-0x000000000046E000-memory.dmp | family_cycbot
  behavioral1/memory/2280-14-0x0000000000400000-0x000000000046E000-memory.dmp | family_cycbot
  behavioral1/memory/2280-81-0x0000000000400000-0x000000000046E000-memory.dmp | family_cycbot
  behavioral1/memory/1220-84-0x0000000000400000-0x000000000046E000-memory.dmp | family_cycbot
  behavioral1/memory/2280-199-0x0000000000400000-0x000000000046E000-memory.dmp | family_cycbot
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe" | JaffaCakes118_48424d61bbe95463813d519028f55816.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- yara_rule "upx" matches (signature heading not present on the page)
  resource | yara_rule
  behavioral1/memory/2280-2-0x0000000000400000-0x000000000046E000-memory.dmp | upx
  behavioral1/memory/2776-9-0x0000000000400000-0x000000000046E000-memory.dmp | upx
  behavioral1/memory/2280-14-0x0000000000400000-0x000000000046E000-memory.dmp | upx
  behavioral1/memory/2280-81-0x0000000000400000-0x000000000046E000-memory.dmp | upx
  behavioral1/memory/1220-83-0x0000000000400000-0x000000000046E000-memory.dmp | upx
  behavioral1/memory/1220-84-0x0000000000400000-0x000000000046E000-memory.dmp | upx
  behavioral1/memory/2280-199-0x0000000000400000-0x000000000046E000-memory.dmp | upx
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_48424d61bbe95463813d519028f55816.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_48424d61bbe95463813d519028f55816.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_48424d61bbe95463813d519028f55816.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2280 wrote to memory of 2776 | 2280 | JaffaCakes118_48424d61bbe95463813d519028f55816.exe | 31
  PID 2280 wrote to memory of 2776 | 2280 | JaffaCakes118_48424d61bbe95463813d519028f55816.exe | 31
  PID 2280 wrote to memory of 2776 | 2280 | JaffaCakes118_48424d61bbe95463813d519028f55816.exe | 31
  PID 2280 wrote to memory of 2776 | 2280 | JaffaCakes118_48424d61bbe95463813d519028f55816.exe | 31
  PID 2280 wrote to memory of 1220 | 2280 | JaffaCakes118_48424d61bbe95463813d519028f55816.exe | 33
  PID 2280 wrote to memory of 1220 | 2280 | JaffaCakes118_48424d61bbe95463813d519028f55816.exe | 33
  PID 2280 wrote to memory of 1220 | 2280 | JaffaCakes118_48424d61bbe95463813d519028f55816.exe | 33
  PID 2280 wrote to memory of 1220 | 2280 | JaffaCakes118_48424d61bbe95463813d519028f55816.exe | 33
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48424d61bbe95463813d519028f55816.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48424d61bbe95463813d519028f55816.exe"
  - Modifies WinLogon for persistence
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2280
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48424d61bbe95463813d519028f55816.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48424d61bbe95463813d519028f55816.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
    - System Location Discovery: System Language Discovery
    PID:2776
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48424d61bbe95463813d519028f55816.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48424d61bbe95463813d519028f55816.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
    - System Location Discovery: System Language Discovery
    PID:1220
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 600B
  MD5: c7c5a62dc4d615097b3ed1d6fac1ba75
  SHA1: 4cddc0dadd8c22b7c5a1b1cfda44fb5a345ac218
  SHA256: b4acb89c34b8f201bf405c7cc53e17acf10b6a603b37d9530ae4cb443c626992
  SHA512: 2006e3650b40aa734be6948c00ecbb2c83a58c5ef0cc588103028d61d3c49d836c8d13818d52498ff56ff0751cb935c2f7cc8eff28d974114c38c6cde7b5f46e
- Filesize: 1KB
  MD5: e830a33d7c2bfa1f0412f491c906d091
  SHA1: 9738bb601d33dc3471a6d1b8bb765d28eac6f4e7
  SHA256: ab40d4e5378e71295d964c3e93467c22a5e2c6b4fc716378a79b3a48b910cb92
  SHA512: 081b0f1074a587bbadad4534ac6e34b0e2f565da1ce34a6e60759dc647a936ea03008c34bf264a7ec56484216aa603230a39d0743e5dc88037c3f832d4c6661e
- Filesize: 996B
  MD5: 16acd03374f8873e5cbcc505ad617d00
  SHA1: 7a25e2ae29881b84807ccd131cc4704e9f988c01
  SHA256: 1ef9bd120268a64077771a9caea61c838b8e8c6c0205f0912d3820a90f57e209
  SHA512: c65180bddf6549cf6bbf9bade0065d386fd6c74386dbc0d449660d875e459248b65d539d8e514e66087f6ab833c0cd22c7dbeaf703478cdfc7653c15830bae52