Analysis

max time kernel: 141s
max time network: 71s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 02/02/2025, 02:15
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe
Resource: win7-20241010-en
General

Target: JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe
Size: 175KB
MD5: 77f507f18e64b9ffe1ae0aee298d0da0
SHA1: dffa6a73b70db4339ad1277b285d407b94c5cf58
SHA256: 67880949a839dbe013c3835d2ae13346c6e04cf7c905a4b369b5a22ad724c5ab
SHA512: 9bb7e8182f965bb743daa6bafd2f57a52f12c71f2d4956ca3d99eafe3cd9a71eab79322ac4cfc51e73c42e1030c110ce72aa287045622026a7cf02d45733d31a
SSDEEP: 3072:dud6rklJ9W8wwstPRhJ5mM38xVicj3EvRvrLp8VyFIzLiJ:dudLVW/pRGoKEJ/p8V2Iq
Malware Config

Signatures

Cycbot family

Detects Cycbot payload (6 IoCs)
Cycbot is a backdoor and trojan written in C++.

resource | yara_rule
behavioral1/memory/2980-14-0x0000000000400000-0x0000000000455000-memory.dmp | family_cycbot
behavioral1/memory/2172-15-0x0000000000400000-0x0000000000452000-memory.dmp | family_cycbot
behavioral1/memory/2172-16-0x0000000000400000-0x0000000000455000-memory.dmp | family_cycbot
behavioral1/memory/2320-131-0x0000000000400000-0x0000000000455000-memory.dmp | family_cycbot
behavioral1/memory/2320-130-0x0000000000400000-0x0000000000455000-memory.dmp | family_cycbot
behavioral1/memory/2172-282-0x0000000000400000-0x0000000000455000-memory.dmp | family_cycbot

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource | yara_rule
behavioral1/memory/2172-3-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2980-14-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2172-15-0x0000000000400000-0x0000000000452000-memory.dmp | upx
behavioral1/memory/2172-16-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2320-131-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2320-130-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2172-282-0x0000000000400000-0x0000000000455000-memory.dmp | upx

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe

Suspicious use of WriteProcessMemory (8 IoCs)

description | pid | Process | procid_target
PID 2172 wrote to memory of 2980 | 2172 | JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe | 29
PID 2172 wrote to memory of 2980 | 2172 | JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe | 29
PID 2172 wrote to memory of 2980 | 2172 | JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe | 29
PID 2172 wrote to memory of 2980 | 2172 | JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe | 29
PID 2172 wrote to memory of 2320 | 2172 | JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe | 31
PID 2172 wrote to memory of 2320 | 2172 | JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe | 31
PID 2172 wrote to memory of 2320 | 2172 | JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe | 31
PID 2172 wrote to memory of 2320 | 2172 | JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe | 31
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2172

  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe startC:\Program Files (x86)\LP\AF66\88C.exe%C:\Program Files (x86)\LP\AF66
    PID: 2980

  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe startC:\Users\Admin\AppData\Roaming\61C8F\279AF.exe%C:\Users\Admin\AppData\Roaming\61C8F
    PID: 2320
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 996B
MD5: 49b398b69ac54870fa77b5ab077560c9
SHA1: c50f05e6328859f0d0c4cffd470a462c5ad50a31
SHA256: ec81d4a5958dcfb5f3b2acd301b17545b23a73842e71124dab985b7b02e18953
SHA512: 852b0871faafb18b73de7a2f0c6d1f8577f4088e47982ed5bf5e385e90d2828ead4640c57b2c38c4d946b8772d83f3f54823088b8d2f1510da0fe861132c9252

Filesize: 600B
MD5: 9f2a85c6f1ef9d22dc7534186ad391ae
SHA1: e7a66aee84b6a8b5f63ed17d5ac0737999047b38
SHA256: fcdb9fe64d0e522163bdc898e9743cace9316d73ee60b6835a3173de0f434395
SHA512: 2e6bac7200ae0c5e9713b2c77d88e7235e333c91ecdd05ec23c223a1b7a3b768be00686592060224e31a94c27db3f8010732d4afb79bd7d4900d12fe1ec459c8

Filesize: 1KB
MD5: ba706e993f234995fda114f87ea6bf40
SHA1: 34ca7f175fab223a8f89a7fafbe223dc601097d3
SHA256: 99d2802d4602001ce9218ffecc3cc8812b557b19b89b52d1531ff200c5f66764
SHA512: 032a26c9be33652518e2f8e56f62505ebff871762ceee5719952b7a04f201c7903d1c34a2249925677e65102d07b84820b83d430c6cfc4325bf15002f1196067