Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
01/02/2025, 08:23
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe
Resource
win10v2004-20250129-en
General
-
Target
JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe
-
Size
169KB
-
MD5
6fd58d0b82026b04e51105a546fd5f27
-
SHA1
3f3c5d12d0549d18be014de42867ef9dd95b4c0d
-
SHA256
df8ae7b67ad4dece60dfe921d2320d5f353f973488247e9280634686cde5a786
-
SHA512
b700ce80cceb35bf6804ee6427a8b8967e73b92516b4bf9a64f53a20065e552c0b2ac7578a31651c2a15f27d81bb1cd26e5cf3a1a4f4e9e0173b4053dfbc8551
-
SSDEEP
3072:Ni3pVQmKSSKmqKTi836jEbul6ZZ8AMsWIh72s69WBtzmWw0Db3OB:Y5K7pqCig5bulK8AMsp72j9W7zmIO
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 5 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral1/memory/2568-7-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot behavioral1/memory/2568-8-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot behavioral1/memory/2300-16-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot behavioral1/memory/2080-83-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot behavioral1/memory/2300-190-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/2300-2-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2568-5-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2568-7-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2568-8-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2300-16-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2080-82-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2080-83-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2300-190-0x0000000000400000-0x000000000046A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2300 wrote to memory of 2568 2300 JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe 30 PID 2300 wrote to memory of 2568 2300 JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe 30 PID 2300 wrote to memory of 2568 2300 JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe 30 PID 2300 wrote to memory of 2568 2300 JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe 30 PID 2300 wrote to memory of 2080 2300 JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe 32 PID 2300 wrote to memory of 2080 2300 JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe 32 PID 2300 wrote to memory of 2080 2300 JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe 32 PID 2300 wrote to memory of 2080 2300 JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft2⤵
- System Location Discovery: System Language Discovery
PID:2568
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming2⤵
- System Location Discovery: System Language Discovery
PID:2080
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD52c3c7f659d6261229f510383e75f715c
SHA169a0cc4676715c824a4c7602d7fb7ae75c54c658
SHA2568938196899cddba3065b839ab46362babc840107244b3ffd5733081b6cc72166
SHA5123abaaf5ed195f8d3b0b9ee49b7c66925692fd6d114cd09c3167b1c82784512a243831343fd562e13ed5e2ae44217bd790dfe596d5e5d839cd3b96d2cba7ebaf4
-
Filesize
600B
MD5a8ebafd3ed7d8d6b4dcab7b71a3f2ead
SHA1f8393760fc9f2943ecd0719d555ae2fd9003d87e
SHA256f016ce98b439395a049cd9ebcd114bfcc432699bd83083012df2c37010e5681c
SHA5126169f65b006fcfb369a1256184c526e148416bc21f1264c1234159ac61b38647d2a4f537bc684158cc588c015a7a69d077e986881f649f82037ef4832abd042f
-
Filesize
996B
MD579d996189ecb2e22eb82f248307693aa
SHA1708f38ea20e5248bd2e0491afc15ac5ba6c5a7b3
SHA256cd6ed2c878f86779f7a3e40a11d11f2052316c0cec2b30ca613ecc5f0d684b3d
SHA512fe118a78ff24a5f2ed0fb6df03b0fb8cd1645f236e14721c9e6174e211b9ff5a3d077555c1f14663632958e0e338b3939755264b19de3242e863dfd6398ffe1c