Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

e3563b8f44...18.exe

windows7-x64

10

e3563b8f44...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    68s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    11/12/2024, 21:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e3563b8f44d31ee37795092a84a4528e_JaffaCakes118.exe

  • Size

    176KB

  • MD5

    e3563b8f44d31ee37795092a84a4528e

  • SHA1

    aeea6518b9129f6c25a98a5932eb36a257286feb

  • SHA256

    c6f79560d75fa7e7aed3dc0ed4a409b2da1079801f3c825b3537d993652a3845

  • SHA512

    1fea4eb86b76317f6dcf22e01c22eb197b569dbcf823e16de5b70446453da511bb47639bdb97a87beb44889fd381ffaba8422847fbd93e08d642b66b9848336e

  • SSDEEP

    3072:PZsEiz8LfmCmKSkPcJjmQk3yt+IymbuAB2RKwRB/pjWwbeSG:PZsE+K7cJjXk3ypyxezGB/pSwbeS

Score
10/10
cycbotbackdoordiscoverypersistenceratspywarestealerupx

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

    backdoorratcycbot
  • Cycbot family
    cycbot
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e3563b8f44d31ee37795092a84a4528e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e3563b8f44d31ee37795092a84a4528e_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Users\Admin\AppData\Local\Temp\e3563b8f44d31ee37795092a84a4528e_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e3563b8f44d31ee37795092a84a4528e_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2212
    • C:\Users\Admin\AppData\Local\Temp\e3563b8f44d31ee37795092a84a4528e_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e3563b8f44d31ee37795092a84a4528e_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1316

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\1BA0.10D
    Filesize

    597B

    MD5

    b6c2912cdceb38ebdce47fed36c7448e

    SHA1

    0311a6384241283d41f86e997ece93f08a5ac733

    SHA256

    c2e0d07f306cf06e5e96919de32ab1c2b5daf01d9ddf80448df2d84c05ce9345

    SHA512

    fa116d142bd6472fdb313b17a0b66e42bf76a1b881a4a3ea31a4d1d9e4c7a33aad86672b16fcda4af71ac4b97e048ed38ed241b7ae501c2091f5bfc77c1637e9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\1BA0.10D
    Filesize

    1KB

    MD5

    5cda7ae1bc8fe37b21d6701c31f08060

    SHA1

    a67e9e29e651e7216ed7e693487c1eeede2a8b6b

    SHA256

    0aea54ed57c23004c9ffce7983c57fde43b5b52d438c5e45c8c1f5654cc0c5aa

    SHA512

    4d1e4e19f425e62a9b2e10b8fe83732f816a1cf6b3a57a0886ddb1983e6b8f0ae69dbe12d23b5fd7f5ab67dc4499292ef139d85774a759050c3ab4241f098fab

    Download Submit

  • C:\Users\Admin\AppData\Roaming\1BA0.10D
    Filesize

    897B

    MD5

    c751c3b932e4f969f0d00a208556c5eb

    SHA1

    aa7bcc83a37c97ff89d4c5a746e6d4b4a131adfe

    SHA256

    59ff95216d008f1fe1d9a2fef40b84daae1ad7f12f54d8fcf666738a126604b8

    SHA512

    adc7aa7e115171793b9938ad054ff5206f8355f85ab58acbbfa4649286b887b0569c0db8e9b333783cc948a80189018d573c42d3fb09ea6463e8d792e54da025

    Download Submit

  • C:\Users\Admin\AppData\Roaming\1BA0.10D
    Filesize

    1KB

    MD5

    69893fbed5e696a53540e11af5739dd6

    SHA1

    94170ce4849028bd8a158aa36e5e4cbf00e83675

    SHA256

    95bedb6ebbcb78b5c06e72aff31a1f4f2cdcc20d6133dd83d510daaab96d865c

    SHA512

    3a562c0efa1757f100639c65bb21b2ff79117003d06172527180d9ecafc179d80b3bcf2d894db3753f95a520ced4ebb683f056b24ffdff57b53d64ed508aa183

    Download Submit

  • memory/1316-81-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/1316-79-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/1316-80-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/1736-20-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/1736-1-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/1736-82-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/1736-2-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/1736-184-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/2212-19-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/2212-18-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/2212-17-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download