Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
29/01/2025, 13:44 UTC
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
-
Size
187KB
-
MD5
5787714b5e0d7a8637009e5dd6a91a58
-
SHA1
549626c9602412bcd27712c44531ced2ed443200
-
SHA256
0d6bfde6fd87862c17ec21189950d9bf07b51793c704023f717129ec65b367e6
-
SHA512
0445fdfcc8a5c4963c7fd63f4b145bb55cdcc74f9972340b548b9b4cda51807724d9898e3846a1d300ef59be776dab71c14466e24b8a6dd6c770f5c66e7c03b4
-
SSDEEP
3072:is04FXKn40nNqekDdjvb9Eo7JjMe6i6V68fh0bSaJQtBZ2FoAEzuFKjVf1SF1KxB:isfFSqekDdVEo7Jj76lfOQtDYEq98x/5
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 6 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral1/memory/2916-6-0x0000000000400000-0x0000000000443000-memory.dmp family_cycbot behavioral1/memory/2376-15-0x0000000000400000-0x0000000000443000-memory.dmp family_cycbot behavioral1/memory/3024-74-0x0000000000400000-0x0000000000443000-memory.dmp family_cycbot behavioral1/memory/2376-75-0x0000000000400000-0x0000000000443000-memory.dmp family_cycbot behavioral1/memory/2376-174-0x0000000000400000-0x0000000000443000-memory.dmp family_cycbot behavioral1/memory/2376-179-0x0000000000400000-0x0000000000443000-memory.dmp family_cycbot -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe" JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe -
resource yara_rule behavioral1/memory/2376-2-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/2916-5-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/2916-6-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/2376-15-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/3024-74-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/2376-75-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/2376-174-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/2376-179-0x0000000000400000-0x0000000000443000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2376 wrote to memory of 2916 2376 JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe 30 PID 2376 wrote to memory of 2916 2376 JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe 30 PID 2376 wrote to memory of 2916 2376 JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe 30 PID 2376 wrote to memory of 2916 2376 JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe 30 PID 2376 wrote to memory of 3024 2376 JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe 32 PID 2376 wrote to memory of 3024 2376 JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe 32 PID 2376 wrote to memory of 3024 2376 JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe 32 PID 2376 wrote to memory of 3024 2376 JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming2⤵
- System Location Discovery: System Language Discovery
PID:2916
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp2⤵
- System Location Discovery: System Language Discovery
PID:3024
-
Network
-
Remote address:8.8.8.8:53Requestrossroadbags.comIN AResponse
-
Remote address:8.8.8.8:53Requestzonetf.comIN AResponsezonetf.comIN A76.223.54.146zonetf.comIN A13.248.169.48
-
Remote address:8.8.8.8:53Requestzonetf.comIN A
-
Remote address:8.8.8.8:53Requestfreemaildotaccess.comIN AResponse
-
Remote address:8.8.8.8:53Requestdifferentdata-one.comIN AResponse
-
Remote address:8.8.8.8:53Requestwww.google.comIN AResponsewww.google.comIN A172.217.16.228
-
Remote address:172.217.16.228:80RequestGET / HTTP/1.0
Connection: close
Host: www.google.com
Accept: */*
ResponseHTTP/1.0 302 Found
x-hallmonitor-challenge: CgwI_OHovAYQ8azcjgMSBLXXsFM
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-7oypwNmXr_2R0u-Rw54gtQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Wed, 29 Jan 2025 13:45:32 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AVcja2eDdyNM7JxtsZfnLGaUv1yfZnRGCS2Rvmgp4GswvPKoPQlxI_aVK4E; expires=Mon, 28-Jul-2025 13:45:32 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
-
Remote address:8.8.8.8:53Requestzoneom.comIN AResponsezoneom.comIN A76.223.67.189zoneom.comIN A13.248.213.45
-
GEThttp://zoneom.com/images/im133.jpg?tq=gHZutDyMv5rJeyG1J8K%2B1MWCJbP4lltXIA%3D%3DJaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exeRemote address:76.223.67.189:80RequestGET /images/im133.jpg?tq=gHZutDyMv5rJeyG1J8K%2B1MWCJbP4lltXIA%3D%3D HTTP/1.0
Connection: close
Host: zoneom.com
Accept: */*
User-Agent: opera/8.11
ResponseHTTP/1.0 200 OK
date: Wed, 29 Jan 2025 13:45:33 GMT
content-length: 160
-
Remote address:172.217.16.228:80RequestGET / HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com
ResponseHTTP/1.1 302 Found
x-hallmonitor-challenge: CgwIieLovAYQ_Pr_xQISBLXXsFM
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-KO5WgIxvuaHr7b_0insDeA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Wed, 29 Jan 2025 13:45:45 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AVcja2dFbXzSpD1op8EAjyqtIzVz23G2g3XW1T8gqDZYnoQqxum3vZuCSw; expires=Mon, 28-Jul-2025 13:45:45 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Connection: close
-
GEThttp://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGIni6LwGIjBDfaeOMSAL6U94o2d0xOh71FS1IHV7wN4uG6mXOtf-gU-d8BvD8aKdlXXEhkU3o-oyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMJaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exeRemote address:172.217.16.228:80RequestGET /sorry/index?continue=http://www.google.com/&q=EgS117BTGIni6LwGIjBDfaeOMSAL6U94o2d0xOh71FS1IHV7wN4uG6mXOtf-gU-d8BvD8aKdlXXEhkU3o-oyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com
ResponseHTTP/1.1 429 Too Many Requests
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
Server: HTTP server (unknown)
Content-Length: 3075
X-XSS-Protection: 0
Connection: close
-
152 B 3
-
394 B 1.5kB 7 6
HTTP Request
GET http://www.google.com/HTTP Response
302 -
76.223.67.189:80http://zoneom.com/images/im133.jpg?tq=gHZutDyMv5rJeyG1J8K%2B1MWCJbP4lltXIA%3D%3DhttpJaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe430 B 514 B 6 6
HTTP Request
GET http://zoneom.com/images/im133.jpg?tq=gHZutDyMv5rJeyG1J8K%2B1MWCJbP4lltXIA%3D%3DHTTP Response
200 -
691 B 1.5kB 10 6
HTTP Request
GET http://www.google.com/HTTP Response
302 -
-
172.217.16.228:80http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGIni6LwGIjBDfaeOMSAL6U94o2d0xOh71FS1IHV7wN4uG6mXOtf-gU-d8BvD8aKdlXXEhkU3o-oyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMhttpJaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe526 B 3.7kB 6 7
HTTP Request
GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGIni6LwGIjBDfaeOMSAL6U94o2d0xOh71FS1IHV7wN4uG6mXOtf-gU-d8BvD8aKdlXXEhkU3o-oyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMHTTP Response
429 -
-
62 B 135 B 1 1
DNS Request
rossroadbags.com
-
112 B 88 B 2 1
DNS Request
zonetf.com
DNS Request
zonetf.com
DNS Response
76.223.54.14613.248.169.48
-
67 B 140 B 1 1
DNS Request
freemaildotaccess.com
-
67 B 140 B 1 1
DNS Request
differentdata-one.com
-
60 B 76 B 1 1
DNS Request
www.google.com
DNS Response
172.217.16.228
-
56 B 88 B 1 1
DNS Request
zoneom.com
DNS Response
76.223.67.18913.248.213.45
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5a48817801b6815814ffe0f5b614d881b
SHA14cd3f805d19f89ca1a602c350f61a8896609d3f9
SHA256ca01657d3d6ffd06588b8b640db273c7d9f3f23904649c4b20e08b3c22563c35
SHA512d07b16e48570c846fc2468cdcfd34523dc6ad98389f7f13f17b4494b9607c7528d999575d9a615863b3b285f57d9279c43712be596461e7949f2c187a11e4024
-
Filesize
600B
MD54a57e37613aec8c047cf91beedd7691f
SHA1087c654fc2e66c4825970372dea5bea55927544e
SHA2569f3046e64948ea702a2fd0ad7ce94506f467c3f828fe7c33d241589ed81e503c
SHA512ac1f66da02da92bb20f1dbfb3a758f950ad86c0180ee2c828111093f6b3947ad047ef0d885e5d0586fbe5fc651f533f87e0150cc3bbdd4ee3712401a4f8dd66c
-
Filesize
996B
MD5f95d33aeddf02f81def492bb4ec16432
SHA199e88129786733bcd005fe3663f50dd66d141c11
SHA2560d84fc923d4a130e17eb274a6d065716003654fd22102bbbe41240f6b051f90a
SHA512b5161071041f6588ffd096f4a32c44ef44ffb16ab9dcc3f11c47d790eefc28df4e5eaaf8ad64cb07790689b6adb55e48f38403e332810e6450d277ac4cb643fc