Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/12/2024, 18:37 UTC

General

  • Target

    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe

  • Size

    164KB

  • MD5

    e2b6b4ba492e29d1f371cd7ee6009481

  • SHA1

    bd9a29a0373119f5b57b5cd0036f189031d74d05

  • SHA256

    b1c009523e7737a3943d0e8cf838315d65a27e3e6bcf5cb4a475a48c9396d89e

  • SHA512

    248a60a27646802e179e9d384dbdf87d144f31e80a52b5f392608f47faf0826807ea559f9e586c312461fb4c388009d7d6f89a5414159b44960efbcb5d518504

  • SSDEEP

    3072:4E1OQ5robrIkju3n6LrL0p/doKH6NHeNcfEForE8EDFjmyNds+Bgy:4kncLju36LrLc/7hNhoADhmyNdVBgy

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 4 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3060
    • C:\Users\Admin\AppData\Local\Temp\e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2224
    • C:\Users\Admin\AppData\Local\Temp\e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2356

Network

  • flag-us
    DNS
    greenherbalteaonline.com
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    greenherbalteaonline.com
    IN A
    Response
  • flag-us
    DNS
    greenherbalteaonline.com
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    greenherbalteaonline.com
    IN A
  • flag-us
    DNS
    extremerollerclub.com
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    extremerollerclub.com
    IN A
    Response
  • flag-us
    DNS
    zonetf.com
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    zonetf.com
    IN A
    Response
    zonetf.com
    IN A
    13.248.169.48
    zonetf.com
    IN A
    76.223.54.146
  • flag-us
    DNS
    zonetf.com
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    zonetf.com
    IN A
    Response
    zonetf.com
    IN A
    76.223.54.146
    zonetf.com
    IN A
    13.248.169.48
  • flag-us
    DNS
    searchmobilecode.com
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    searchmobilecode.com
    IN A
    Response
  • flag-us
    POST
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk7l%2FnN2QTzGT7iisypAfMYP5f%2F0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
    Remote address:
    13.248.169.48:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk7l%2FnN2QTzGT7iisypAfMYP5f%2F0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
    Host: zonetf.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close
  • flag-us
    POST
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk7l%2FnN2QTzGT7iisypAfMYP5f%2F0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
    Remote address:
    76.223.54.146:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk7l%2FnN2QTzGT7iisypAfMYP5f%2F0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
    Host: zonetf.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close
  • flag-us
    DNS
    www.google.com
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    172.217.20.164
  • flag-fr
    GET
    http://www.google.com/
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
    Remote address:
    172.217.20.164:80
    Request
    GET / HTTP/1.0
    Connection: close
    Host: www.google.com
    Accept: */*
    Response
    HTTP/1.0 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNuB67oGIjDnkDER0LVQqJMQkcrPmh1wJu2QK_EVbCXdoSKeotcMPKP03Q2-l4qsCmaUp3qX2AcyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwI24HrugYQ3_zyoAMSBLXXsFM
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-mZk_0uqWHSYBu4gRKwZUFQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Thu, 12 Dec 2024 10:54:19 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-WXtPVpLQWTVnaVdAS7IVKTKqUXDSrVA4n9vIeGYjrm3rw9n9G6aQ; expires=Tue, 10-Jun-2025 10:54:19 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
  • flag-us
    DNS
    pdadatarestore.com
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    pdadatarestore.com
    IN A
    Response
  • flag-fr
    GET
    http://www.google.com/
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
    Remote address:
    172.217.20.164:80
    Request
    GET / HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
    Response
    HTTP/1.1 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNyB67oGIjCz0zT_iPiaY1ZaUoeHkIHXSAF-zgsJgh9Iu3Td_M9ZyrtfbbAST2hErkb-h8W2tTsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwI3IHrugYQnMO9sAESBLXXsFM
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-r1eggk7zimiulLfbFClwgQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Thu, 12 Dec 2024 10:54:20 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-Us13GASydt1GTBZRgTj4dBbZaERLQl6VbarbO54VtoheIGzgUZbA; expires=Tue, 10-Jun-2025 10:54:20 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
    Connection: close
  • flag-fr
    GET
    http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNyB67oGIjCz0zT_iPiaY1ZaUoeHkIHXSAF-zgsJgh9Iu3Td_M9ZyrtfbbAST2hErkb-h8W2tTsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
    Remote address:
    172.217.20.164:80
    Request
    GET /sorry/index?continue=http://www.google.com/&q=EgS117BTGNyB67oGIjCz0zT_iPiaY1ZaUoeHkIHXSAF-zgsJgh9Iu3Td_M9ZyrtfbbAST2hErkb-h8W2tTsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
    Response
    HTTP/1.1 429 Too Many Requests
    Date: Thu, 12 Dec 2024 10:54:20 GMT
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Content-Type: text/html
    Server: HTTP server (unknown)
    Content-Length: 3075
    X-XSS-Protection: 0
    Connection: close
  • 13.248.169.48:80
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk7l%2FnN2QTzGT7iisypAfMYP5f%2F0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
    http
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
    585 B
    245 B
    5
    4

    HTTP Request

    POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk7l%2FnN2QTzGT7iisypAfMYP5f%2F0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D

    HTTP Response

    405
  • 76.223.54.146:80
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk7l%2FnN2QTzGT7iisypAfMYP5f%2F0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
    http
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
    583 B
    245 B
    5
    4

    HTTP Request

    POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBk7l%2FnN2QTzGT7iisypAfMYP5f%2F0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D

    HTTP Response

    405
  • 172.217.20.164:80
    http://www.google.com/
    http
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
    466 B
    1.5kB
    7
    6

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 127.0.0.1:61394
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
  • 172.217.20.164:80
    http://www.google.com/
    http
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
    307 B
    1.5kB
    5
    5

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 172.217.20.164:80
    http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNyB67oGIjCz0zT_iPiaY1ZaUoeHkIHXSAF-zgsJgh9Iu3Td_M9ZyrtfbbAST2hErkb-h8W2tTsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    http
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
    618 B
    3.7kB
    8
    7

    HTTP Request

    GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNyB67oGIjCz0zT_iPiaY1ZaUoeHkIHXSAF-zgsJgh9Iu3Td_M9ZyrtfbbAST2hErkb-h8W2tTsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

    HTTP Response

    429
  • 127.0.0.1:61394
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
  • 8.8.8.8:53
    greenherbalteaonline.com
    dns
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
    140 B
    143 B
    2
    1

    DNS Request

    greenherbalteaonline.com

    DNS Request

    greenherbalteaonline.com

  • 8.8.8.8:53
    extremerollerclub.com
    dns
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
    67 B
    140 B
    1
    1

    DNS Request

    extremerollerclub.com

  • 8.8.8.8:53
    zonetf.com
    dns
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
    56 B
    88 B
    1
    1

    DNS Request

    zonetf.com

    DNS Response

    13.248.169.48
    76.223.54.146

  • 8.8.8.8:53
    zonetf.com
    dns
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
    56 B
    88 B
    1
    1

    DNS Request

    zonetf.com

    DNS Response

    76.223.54.146
    13.248.169.48

  • 8.8.8.8:53
    searchmobilecode.com
    dns
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
    66 B
    139 B
    1
    1

    DNS Request

    searchmobilecode.com

  • 8.8.8.8:53
    www.google.com
    dns
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    172.217.20.164

  • 8.8.8.8:53
    pdadatarestore.com
    dns
    e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
    64 B
    137 B
    1
    1

    DNS Request

    pdadatarestore.com

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\DEF4.2F7

    Filesize

    1KB

    MD5

    ca03956ac09d4a5663ba9996cd38d133

    SHA1

    ac744cd92f44250d351817adc896d24bbff02f33

    SHA256

    a798fa286353a107f0bb04b1c4c4424e1794583c09d70f6517523ff525eec24f

    SHA512

    317266b488a81f505f58d542419f253af1c8ce83be031a956a2c5c5aab6e676bd3f39e118f9b88628330831bed9a1d068f83919c9d5d4beff5990c619c89f29c

  • C:\Users\Admin\AppData\Roaming\DEF4.2F7

    Filesize

    600B

    MD5

    4485dc8bc3d5b0e7a10218523fff4142

    SHA1

    aefb254f611240d9f5b1b80b195357fc850618e1

    SHA256

    01c8cfd89f9659f86c6aa5c85448c0ce9ce86529b71774be86fda9dd448654da

    SHA512

    d6fa216cfcfc47ec634bebba812dcb5fcf23b79e0205520a385d8035e82cd6d33739e2a4a4d10a08e1087092cd1e351b8a0be95240c4f4a046a6c52c02b53fde

  • C:\Users\Admin\AppData\Roaming\DEF4.2F7

    Filesize

    996B

    MD5

    6321cab05a0b23cc86feae42bdb70ce2

    SHA1

    9824f7c545869500d001499493e5396abc0f6135

    SHA256

    4d91c4cdb8f4b2b1e10882ccd1950ec5a4fdca22a27ddd21419c966982f0109a

    SHA512

    b087d4f1b2ec96e088dba9bb25d69b08b10f11eedbe3519b9f0323119c075552686f81f5fe8424f0071fb4ad3b413834355e9543e4d682f9b191ca5b0336a60e

  • memory/2224-6-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

  • memory/2224-5-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

  • memory/2356-81-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

  • memory/3060-1-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

  • memory/3060-2-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

  • memory/3060-14-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

  • memory/3060-184-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB
