Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

d76d39c59a...18.exe

windows7-x64

10

d76d39c59a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/12/2024, 14:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d76d39c59aa86990c4b93df62a066774_JaffaCakes118.exe

  • Size

    162KB

  • MD5

    d76d39c59aa86990c4b93df62a066774

  • SHA1

    00c538a5e1a6bad55768998b44f99c6ae56633cf

  • SHA256

    05c80405e3db755a4e5ae985f7c32bc7d1039e36278dd1f845e1e07a34e2bf41

  • SHA512

    4aa7f240b55d310fa41839ed29ac9048ff1e1326f556df921b7585eeecc8db6e72986e6a3be1eb8fe0adfaca1b687826e20e78b4e3cfabdebc4d18c445340eb4

  • SSDEEP

    3072:gWtPChgcBSEWv1Jvo7MhpJvdQyj4mhDCVP5i0H0/xq0mKgDqSm5Z8pQEeq:JPzn1RVzvdz4LU/x4mvEZ

Score
10/10
cycbotbackdoordiscoverypersistenceratupx

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

    backdoorratcycbot
  • Cycbot family
    cycbot
  • Detects Cycbot payload 6 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d76d39c59aa86990c4b93df62a066774_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d76d39c59aa86990c4b93df62a066774_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Users\Admin\AppData\Local\Temp\d76d39c59aa86990c4b93df62a066774_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\d76d39c59aa86990c4b93df62a066774_JaffaCakes118.exe startC:\Program Files (x86)\LP\298B\E92.exe%C:\Program Files (x86)\LP\298B
      2⤵
        PID:2976
      • C:\Users\Admin\AppData\Local\Temp\d76d39c59aa86990c4b93df62a066774_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\d76d39c59aa86990c4b93df62a066774_JaffaCakes118.exe startC:\Program Files (x86)\B510B\lvvm.exe%C:\Program Files (x86)\B510B
        2⤵
          PID:4232

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\BC3B5\510B.C3B
        Filesize

        1KB

        MD5

        7ce077ff94c2645931aa879c32a314d7

        SHA1

        aeebcdbe3126eac27ec681c981c5308ef55813f4

        SHA256

        34c1d90bf2cc204b2ec0ee3673196e33af5398758868d885e7bdd6d431a34fbc

        SHA512

        ada05b3e832a43b2ef521b54158450937dc05401cd6b88615d1a8bf228d5f8f9a0c5bad5f7323d9ca9b94d4d264c10cbd9baa95cd7a7c827c4803e8e2177f4dc

        Download Submit

      • C:\Users\Admin\AppData\Roaming\BC3B5\510B.C3B
        Filesize

        600B

        MD5

        c19632f4f1c062f207ba4b3d6b646b7b

        SHA1

        12039f0d625f0691841f6e911d8a9598724c7edc

        SHA256

        820750b7ce7a526afb37a1c434a9fc78875a4bc5b99d1e4ab4f110aa866cb602

        SHA512

        a209f2c1096ce1432c4f2048c3e611b1b5a321ab60d5acc631de2926e9549558dcbcca44f7b04bbd2f97f0928474690b55928aa3f1224182e6242e58c5c9a4d8

        Download Submit

      • C:\Users\Admin\AppData\Roaming\BC3B5\510B.C3B
        Filesize

        996B

        MD5

        b594b5e12370cf095f7af46c42a8953e

        SHA1

        5b17df48985311a72c71d626376b3080a2b2802a

        SHA256

        415f2b47eae179613767948af535c189475372ecf630a6c8b24dfc7e369eaebb

        SHA512

        1063218d0a7f95af9698d461de2aa6fb63e9431050416e556d8256c720616051ddcfe520d8a37ab8820599701fcdef8dd49b23b97b1262d3b67e941cf0facf7f

        Download Submit

      • memory/2456-2-0x0000000000400000-0x0000000000491000-memory.dmp

        Filesize

        580KB

        Download

      • memory/2456-185-0x0000000000400000-0x0000000000491000-memory.dmp

        Filesize

        580KB

        Download

      • memory/2456-1-0x0000000000400000-0x000000000048E000-memory.dmp

        Filesize

        568KB

        Download

      • memory/2456-16-0x0000000000400000-0x000000000048E000-memory.dmp

        Filesize

        568KB

        Download

      • memory/2456-17-0x0000000000400000-0x0000000000491000-memory.dmp

        Filesize

        580KB

        Download

      • memory/2456-77-0x0000000000400000-0x0000000000491000-memory.dmp

        Filesize

        580KB

        Download

      • memory/2976-13-0x0000000000400000-0x0000000000491000-memory.dmp

        Filesize

        580KB

        Download

      • memory/2976-12-0x0000000000400000-0x0000000000491000-memory.dmp

        Filesize

        580KB

        Download

      • memory/2976-15-0x0000000000400000-0x0000000000491000-memory.dmp

        Filesize

        580KB

        Download

      • memory/4232-80-0x0000000000400000-0x0000000000491000-memory.dmp

        Filesize

        580KB

        Download

      • memory/4232-79-0x0000000000400000-0x0000000000491000-memory.dmp

        Filesize

        580KB

        Download