Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 140s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 01/02/2025, 13:07
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_72091eba11bf04f6b0bdce63b3a83d29.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_72091eba11bf04f6b0bdce63b3a83d29.exe
  Resource: win10v2004-20250129-en
General
Target: JaffaCakes118_72091eba11bf04f6b0bdce63b3a83d29.exe
Size: 180KB
MD5: 72091eba11bf04f6b0bdce63b3a83d29
SHA1: b397dcc04eab938ec49d2e7830cabf94ac7bb289
SHA256: 0b7c159fd30910bccbb940431096f801d949831de5cf74d3fa26a4b4857b25ae
SHA512: 95e426da8a687ee3baccfd6884e1519a26cc6a336a4b21189d1d6450a9324438aaf80f46f13f3312eafeaafad625eae290a11a4aa75a567a0a0f1272ce92b9c1
SSDEEP: 3072:6CJ9hL38oNg7mrC3vUIgZxu9/ZNR33/2U7vvosyJqN:6CJ9J3n3W3ngZxE3/DN
Malware Config
Signatures

Cycbot family

Detects Cycbot payload (5 IoCs)
Cycbot is a backdoor and trojan written in C++.
Memory regions matching yara rule family_cycbot:
- behavioral1/memory/2696-7-0x0000000000400000-0x0000000000442000-memory.dmp
- behavioral1/memory/768-14-0x0000000000400000-0x0000000000442000-memory.dmp
- behavioral1/memory/1096-88-0x0000000000400000-0x0000000000442000-memory.dmp
- behavioral1/memory/768-89-0x0000000000400000-0x0000000000442000-memory.dmp
- behavioral1/memory/768-190-0x0000000000400000-0x0000000000442000-memory.dmp

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe" (process: JaffaCakes118_72091eba11bf04f6b0bdce63b3a83d29.exe)

Memory regions matching yara rule upx (8 IoCs):
- behavioral1/memory/768-2-0x0000000000400000-0x0000000000442000-memory.dmp
- behavioral1/memory/2696-6-0x0000000000400000-0x0000000000442000-memory.dmp
- behavioral1/memory/2696-7-0x0000000000400000-0x0000000000442000-memory.dmp
- behavioral1/memory/768-14-0x0000000000400000-0x0000000000442000-memory.dmp
- behavioral1/memory/1096-86-0x0000000000400000-0x0000000000442000-memory.dmp
- behavioral1/memory/1096-88-0x0000000000400000-0x0000000000442000-memory.dmp
- behavioral1/memory/768-89-0x0000000000400000-0x0000000000442000-memory.dmp
- behavioral1/memory/768-190-0x0000000000400000-0x0000000000442000-memory.dmp

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: JaffaCakes118_72091eba11bf04f6b0bdce63b3a83d29.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: JaffaCakes118_72091eba11bf04f6b0bdce63b3a83d29.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: JaffaCakes118_72091eba11bf04f6b0bdce63b3a83d29.exe)

Suspicious use of WriteProcessMemory (8 IoCs)
- PID 768 wrote to memory of 2696 (process: JaffaCakes118_72091eba11bf04f6b0bdce63b3a83d29.exe, target procid 30)
- PID 768 wrote to memory of 2696 (process: JaffaCakes118_72091eba11bf04f6b0bdce63b3a83d29.exe, target procid 30)
- PID 768 wrote to memory of 2696 (process: JaffaCakes118_72091eba11bf04f6b0bdce63b3a83d29.exe, target procid 30)
- PID 768 wrote to memory of 2696 (process: JaffaCakes118_72091eba11bf04f6b0bdce63b3a83d29.exe, target procid 30)
- PID 768 wrote to memory of 1096 (process: JaffaCakes118_72091eba11bf04f6b0bdce63b3a83d29.exe, target procid 33)
- PID 768 wrote to memory of 1096 (process: JaffaCakes118_72091eba11bf04f6b0bdce63b3a83d29.exe, target procid 33)
- PID 768 wrote to memory of 1096 (process: JaffaCakes118_72091eba11bf04f6b0bdce63b3a83d29.exe, target procid 33)
- PID 768 wrote to memory of 1096 (process: JaffaCakes118_72091eba11bf04f6b0bdce63b3a83d29.exe, target procid 33)
Processes

1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72091eba11bf04f6b0bdce63b3a83d29.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72091eba11bf04f6b0bdce63b3a83d29.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 768

   2. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72091eba11bf04f6b0bdce63b3a83d29.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72091eba11bf04f6b0bdce63b3a83d29.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      - System Location Discovery: System Language Discovery
      PID: 2696

   2. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72091eba11bf04f6b0bdce63b3a83d29.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72091eba11bf04f6b0bdce63b3a83d29.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      - System Location Discovery: System Language Discovery
      PID: 1096
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 334218bc89d4d63492c5037d2207cc88
SHA1: 502116c45cbb3b19d4ce417b2ca44f2f42bfd264
SHA256: cb690d4c0faafd319ec52cb2084f7164d26c4bccd509d9ea820cfb17c65ef5af
SHA512: 8ccd9a0a1465dbc85e18048e97fba6e52ab929cfb54be6c833d91b82699529247f8c463f3d9059ebef4885cb7d9536a1e7310fdbafd6354ccf92f0f9aa167ea6

Filesize: 600B
MD5: 5b13f0c4b78ff64fa00f35bdbbfa3ed4
SHA1: 758a6cc83db8fce7488b97183b0e12ede16cc25c
SHA256: 7700905bafa19f3d3a73c6623da62d19ccce94d0a5b92e2b97678f815780562c
SHA512: 2941c73fa520d2c7c51b61e559175af18943b459e158c9cc56810ce3e1b3351bc48011919e6bd0e0908fca5b0742cf9a389aa74670eb22b6379967ca4333062e

Filesize: 996B
MD5: 0119c3427df98285088633340a1eba68
SHA1: 0f84f6e50ea7625be61c7c4d93ce689add1743e7
SHA256: 4b352f93e8de68dbe0aa5e8b562180f7d2140283b5b1e3a23714d8df1a088187
SHA512: 8ab437df6f4d1ddab596a47e62065c0383ea3527fe3070f0518a457d2aabec74f03ae4625c4f940fb61550b6148fbf96f8aa8e2c3067e9ac36b6de1ab112f0f2