Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 141s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/12/2024, 14:11
Static task: static1
Behavioral task: behavioral1
Sample: ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe
Resource: win7-20240903-en
General
- Target: ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe
- Size: 171KB
- MD5: ef284bd39e5166fbd51daa027494a3b7
- SHA1: 6e7be07b1bd64eea4c66e6599fca7a34b911b2fa
- SHA256: 7af75b257f5bc4f4324c0dfd66b00d151b49e1e167903439f15022fc09fcbb9e
- SHA512: 60a50d7c74ec86bce86fe3598f02b4b4e7069b5a2e0a5f0ded6a64573f18daa5f6e64a263003d6884807182ef72b352ef180fc5cc4758bd00936b7ee65a1c1ec
- SSDEEP: 3072:YAgKXXQs6KIMcxScZNUTBaDi1Aj0E0nzWzKBRkwt:Qg5wUFbEs3vkw
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (6 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource / yara_rule:
  behavioral2/memory/4328-14-0x0000000000400000-0x0000000000491000-memory.dmp   family_cycbot
  behavioral2/memory/3284-15-0x0000000000400000-0x0000000000491000-memory.dmp   family_cycbot
  behavioral2/memory/3284-16-0x0000000000400000-0x000000000048E000-memory.dmp   family_cycbot
  behavioral2/memory/4048-77-0x0000000000400000-0x0000000000491000-memory.dmp   family_cycbot
  behavioral2/memory/3284-78-0x0000000000400000-0x0000000000491000-memory.dmp   family_cycbot
  behavioral2/memory/3284-168-0x0000000000400000-0x0000000000491000-memory.dmp  family_cycbot
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description / ioc / Process:
  Set value (str)   \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\5EA09\\6E6C1.exe"   ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe
- resource / yara_rule:
  behavioral2/memory/3284-2-0x0000000000400000-0x0000000000491000-memory.dmp    upx
  behavioral2/memory/4328-13-0x0000000000400000-0x0000000000491000-memory.dmp   upx
  behavioral2/memory/4328-14-0x0000000000400000-0x0000000000491000-memory.dmp   upx
  behavioral2/memory/3284-15-0x0000000000400000-0x0000000000491000-memory.dmp   upx
  behavioral2/memory/3284-16-0x0000000000400000-0x000000000048E000-memory.dmp   upx
  behavioral2/memory/4048-75-0x0000000000400000-0x0000000000491000-memory.dmp   upx
  behavioral2/memory/4048-77-0x0000000000400000-0x0000000000491000-memory.dmp   upx
  behavioral2/memory/3284-78-0x0000000000400000-0x0000000000491000-memory.dmp   upx
  behavioral2/memory/3284-168-0x0000000000400000-0x0000000000491000-memory.dmp  upx
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description / pid / Process / procid_target:
  PID 3284 wrote to memory of 4328   3284   ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe   82
  PID 3284 wrote to memory of 4328   3284   ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe   82
  PID 3284 wrote to memory of 4328   3284   ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe   82
  PID 3284 wrote to memory of 4048   3284   ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe   87
  PID 3284 wrote to memory of 4048   3284   ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe   87
  PID 3284 wrote to memory of 4048   3284   ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe   87
Processes
- C:\Users\Admin\AppData\Local\Temp\ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3284
  - C:\Users\Admin\AppData\Local\Temp\ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe startC:\Program Files (x86)\LP\C1B5\7B5.exe%C:\Program Files (x86)\LP\C1B5
    - System Location Discovery: System Language Discovery
    PID: 4328
  - C:\Users\Admin\AppData\Local\Temp\ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe startC:\Program Files (x86)\091A4\lvvm.exe%C:\Program Files (x86)\091A4
    - System Location Discovery: System Language Discovery
    PID: 4048
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 93d557b6e1d153f5c5b87f9122982921
  SHA1: 9d415fb9722f806f07207eebcc4c8f81a03afca4
  SHA256: 422aa99859ab2d16be3209cf48f4e6ac70b921b88ef4a43f037400d9d8991fb2
  SHA512: 6fa984cce28f1263b01c6f476aad87feb366b0a0a2e37617cc7980d0c5a16e8960e2106650336596e6d564e9227744b512d210fda9ad28d249301de3ecd29628
- Filesize: 600B
  MD5: 54e91ecf47ced9f3840d7d80b0b10afa
  SHA1: 601d916430e9c1ed12ececf553aec57c353481ba
  SHA256: f44546feb40d5f4aea0284ed0ca1b5aef127aa1d437448718af07c4626644ac8
  SHA512: 275b4ad8cc8e622fe6e9d42b6a67ddf152c89946a00bacd70e3929f3ac286e8214a87a9534dcefa294a1a2e063e785f2dab30c9d1db880cc5af21c8a7b36d335
- Filesize: 996B
  MD5: 4de7816127abfde8cf995af7cc656976
  SHA1: 971c476d10e06c6b34b5bdc5332a9ecdfd360fe9
  SHA256: fe9d53d9b73297e68db54a2c3f25596515d0af7dea40c5a593afd7d6957c1278
  SHA512: c123563aec6dc1f81b583e012a1d3f753626d2e11ebc97a58ba810d614d10fe5af5b8a0411359a4e46d2831879eabbf16ad686e29b7909e61b38f75b272b3fb4