Analysis
- max time kernel: 140s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 01/02/2025, 22:06
Static task
- static1
Behavioral task
- behavioral1
  - Sample: JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe
  - Resource: win7-20240903-en
Behavioral task
- behavioral2
  - Sample: JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe
  - Resource: win10v2004-20250129-en
General
- Target: JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe
- Size: 183KB
- MD5: 76292ec163591beb993ea1b6ff9518e2
- SHA1: 293bfbed8cd5639c6bb705ed96f6cddd4370bd5d
- SHA256: 0ff8b19635e74795f89635e81c8478a3f1a08c7b7a2c0dd842b218b7c9755941
- SHA512: 25bd43e9a3f0764fb6b0b0ec45c2f2c1976cc21f269f020ccccc8f26d32cda2f531f11ea250ab79c1d1fd11902c0e5fbb2aeb7f60fe404012bc5652cb090a1e3
- SSDEEP: 3072:HlV+x57RtcT6sQ9QnpQxYNj6oLq2RhwU20So2QX6Za8BTLzV8TeAjEJeJHo:FVS57DxsQYQxYNusqDo2QqzBT/V8efcI
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (4 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource | yara_rule
  behavioral1/memory/2300-15-0x0000000000400000-0x000000000044F000-memory.dmp | family_cycbot
  behavioral1/memory/1972-16-0x0000000000400000-0x000000000044F000-memory.dmp | family_cycbot
  behavioral1/memory/2800-87-0x0000000000400000-0x000000000044F000-memory.dmp | family_cycbot
  behavioral1/memory/1972-200-0x0000000000400000-0x000000000044F000-memory.dmp | family_cycbot
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- YARA rule upx (8 IoCs)
  resource | yara_rule
  behavioral1/memory/1972-2-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2300-13-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2300-12-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2300-15-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/1972-16-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2800-85-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2800-87-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/1972-200-0x0000000000400000-0x000000000044F000-memory.dmp | upx
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1972 wrote to memory of 2300 | 1972 | JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe | 30
  PID 1972 wrote to memory of 2300 | 1972 | JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe | 30
  PID 1972 wrote to memory of 2300 | 1972 | JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe | 30
  PID 1972 wrote to memory of 2300 | 1972 | JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe | 30
  PID 1972 wrote to memory of 2800 | 1972 | JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe | 33
  PID 1972 wrote to memory of 2800 | 1972 | JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe | 33
  PID 1972 wrote to memory of 2800 | 1972 | JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe | 33
  PID 1972 wrote to memory of 2800 | 1972 | JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe | 33
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1972
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
    - System Location Discovery: System Language Discovery
    PID: 2300
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    - System Location Discovery: System Language Discovery
    PID: 2800
Network
MITRE ATT&CK Enterprise v15
Downloads