Analysis

  • max time kernel
    140s
  • max time network
    66s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/01/2025, 23:52 UTC

General

  • Target

    JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe

  • Size

    182KB

  • MD5

    3195e5c0a2481f5b4ebddd7d2044f66e

  • SHA1

    f4b63ea4be71d6384fdf1b5c5e17a6ed706ae841

  • SHA256

    adbdb8436b47f907de5bbc6aa0cecd0d69ecb7ad1049b41aeb0b5e49d3af2c4e

  • SHA512

    de6769f09ec4c6e568c70527c73767a83dc983a740f60d22f95d23b5103c5fb5154e24e3871c4bc46717278050800d66a72ea8b9ce82f84f36ca3f2de1294a0b

  • SSDEEP

    3072:1h2kPSwsifzeSprPbouzcGhPfqBcG/eIuP/P7vt+2Vw8+GqWPG+rbh8XWVMWPUr:/2kECBrDo2iBAIuTFvVwmqW2KK

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 6 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe"
    1⤵
    • Modifies WinLogon for persistence
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2880
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1600

Network

  • flag-us
    DNS
    onlinebizdirectory.com
    JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
    Remote address:
    8.8.8.8:53
    Request
    onlinebizdirectory.com
    IN A
    Response
    onlinebizdirectory.com
    IN A
    68.178.225.178
  • flag-sg
    GET
    http://onlinebizdirectory.com/images/PowerShowBanner.gif?v12=12&tq=gHZutDyMv5rJfyG1J8K%2B1MWCJbP4lltXIA%3D%3D
    JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
    Remote address:
    68.178.225.178:80
    Request
    GET /images/PowerShowBanner.gif?v12=12&tq=gHZutDyMv5rJfyG1J8K%2B1MWCJbP4lltXIA%3D%3D HTTP/1.0
    Connection: close
    Host: onlinebizdirectory.com
    Accept: */*
    User-Agent: mozilla/2.0
    Response
    HTTP/1.1 404 Not Found
    Date: Mon, 13 Jan 2025 23:52:44 GMT
    Server: Apache
    X-Powered-By: PHP/8.1.31
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Link: <https://onlinebizdirectory.com/wp-json/>; rel="https://api.w.org/"
    Upgrade: h2,h2c
    Connection: Upgrade, close
    Vary: Accept-Encoding
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    worldmotoblo.com
    JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
    Remote address:
    8.8.8.8:53
    Request
    worldmotoblo.com
    IN A
    Response
  • flag-us
    DNS
    resetmymemory.com
    JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
    Remote address:
    8.8.8.8:53
    Request
    resetmymemory.com
    IN A
    Response
  • flag-us
    DNS
    www.google.com
    JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
    Remote address:
    8.8.8.8:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    142.250.187.196
  • flag-gb
    GET
    http://www.google.com/
    JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
    Remote address:
    142.250.187.196:80
    Request
    GET / HTTP/1.0
    Connection: close
    Host: www.google.com
    Accept: */*
    Response
    HTTP/1.0 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGIjPlrwGIjDJ166VPKoHdkl3Qdtzl2oc5c6Bb8OWk_kINhzDFcJKtReP7P-1YszkuWiHn0LmhOIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgsIic-WvAYQ-42ALRIEtdewUw
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-mKScDDGJeGCsWJ76GNaZkw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Mon, 13 Jan 2025 23:53:45 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-UEgqaL-7YkpHbs2aHNxMFRR_QCPfN9TjcxYCbUT3Q60vjRUc21srs; expires=Sat, 12-Jul-2025 23:53:45 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
  • flag-us
    DNS
    zonedg.com
    JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
    Remote address:
    8.8.8.8:53
    Request
    zonedg.com
    IN A
    Response
    zonedg.com
    IN A
    103.224.212.214
  • flag-gb
    GET
    http://www.google.com/
    JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
    Remote address:
    142.250.187.196:80
    Request
    GET / HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
    Response
    HTTP/1.1 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGInPlrwGIjAJbGuNyxwEBiLb3y2k2RmwVccbrCsqFJcODaQ3hUMivXEOIqOmN0wQDfeGmVWTQIMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwIic-WvAYQm-LjiQISBLXXsFM
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-BjIsTfy_E1dMNmGAKM-uww' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Mon, 13 Jan 2025 23:53:45 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-VLElRR4JllY1hI2bZxJ0_7_UefS1VeTsKBfcPrrXpK1_iYLFhmVQ; expires=Sat, 12-Jul-2025 23:53:45 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
    Connection: close
  • flag-us
    POST
    http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H337hbj%2Fg%2BtGpAv1qSuHuw9hx4W4%2F4O7G3nDybEv0%2FLeqd%2FdvX%2BP9nf9i9xhD5%2F%2FErgOCaz%2BV%2BLXZdfdtTJLzzL518i8OsL%2BB6GL3GB%2BjucSidOFpPOX40a4B9W1K4f9Sr%2Fe%2BV5ZuRg%3D%3D
    JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
    Remote address:
    103.224.212.214:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H337hbj%2Fg%2BtGpAv1qSuHuw9hx4W4%2F4O7G3nDybEv0%2FLeqd%2FdvX%2BP9nf9i9xhD5%2F%2FErgOCaz%2BV%2BLXZdfdtTJLzzL518i8OsL%2BB6GL3GB%2BjucSidOFpPOX40a4B9W1K4f9Sr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
    Host: zonedg.com
    User-Agent: mozilla/2.0
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 302 Found
    date: Mon, 13 Jan 2025 23:53:45 GMT
    server: Apache
    set-cookie: __tad=1736812425.3402663; expires=Thu, 11-Jan-2035 23:53:45 GMT; Max-Age=315360000
    location: http://ww25.zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H337hbj%2Fg%2BtGpAv1qSuHuw9hx4W4%2F4O7G3nDybEv0%2FLeqd%2FdvX%2BP9nf9i9xhD5%2F%2FErgOCaz%2BV%2BLXZdfdtTJLzzL518i8OsL%2BB6GL3GB%2BjucSidOFpPOX40a4B9W1K4f9Sr%2Fe%2BV5ZuRg%3D%3D&subid1=20250114-1053-4546-baa6-40618689cf4c
    content-length: 2
    content-type: text/html; charset=UTF-8
    connection: close
  • flag-gb
    GET
    http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGInPlrwGIjAJbGuNyxwEBiLb3y2k2RmwVccbrCsqFJcODaQ3hUMivXEOIqOmN0wQDfeGmVWTQIMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
    Remote address:
    142.250.187.196:80
    Request
    GET /sorry/index?continue=http://www.google.com/&q=EgS117BTGInPlrwGIjAJbGuNyxwEBiLb3y2k2RmwVccbrCsqFJcODaQ3hUMivXEOIqOmN0wQDfeGmVWTQIMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
    Response
    HTTP/1.1 429 Too Many Requests
    Date: Mon, 13 Jan 2025 23:53:45 GMT
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Content-Type: text/html
    Server: HTTP server (unknown)
    Content-Length: 3075
    X-XSS-Protection: 0
    Connection: close
  • 68.178.225.178:80
    http://onlinebizdirectory.com/images/PowerShowBanner.gif?v12=12&tq=gHZutDyMv5rJfyG1J8K%2B1MWCJbP4lltXIA%3D%3D
    http
    JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
    1.5kB
    66.0kB
    29
    53

    HTTP Request

    GET http://onlinebizdirectory.com/images/PowerShowBanner.gif?v12=12&tq=gHZutDyMv5rJfyG1J8K%2B1MWCJbP4lltXIA%3D%3D

    HTTP Response

    404
  • 142.250.187.196:80
    http://www.google.com/
    http
    JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
    302 B
    1.5kB
    5
    5

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 142.250.187.196:80
    http://www.google.com/
    http
    JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
    307 B
    1.5kB
    5
    5

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 103.224.212.214:80
    http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H337hbj%2Fg%2BtGpAv1qSuHuw9hx4W4%2F4O7G3nDybEv0%2FLeqd%2FdvX%2BP9nf9i9xhD5%2F%2FErgOCaz%2BV%2BLXZdfdtTJLzzL518i8OsL%2BB6GL3GB%2BjucSidOFpPOX40a4B9W1K4f9Sr%2Fe%2BV5ZuRg%3D%3D
    http
    JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
    566 B
    738 B
    5
    4

    HTTP Request

    POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H337hbj%2Fg%2BtGpAv1qSuHuw9hx4W4%2F4O7G3nDybEv0%2FLeqd%2FdvX%2BP9nf9i9xhD5%2F%2FErgOCaz%2BV%2BLXZdfdtTJLzzL518i8OsL%2BB6GL3GB%2BjucSidOFpPOX40a4B9W1K4f9Sr%2Fe%2BV5ZuRg%3D%3D

    HTTP Response

    302
  • 142.250.187.196:80
    http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGInPlrwGIjAJbGuNyxwEBiLb3y2k2RmwVccbrCsqFJcODaQ3hUMivXEOIqOmN0wQDfeGmVWTQIMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    http
    JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
    526 B
    3.7kB
    6
    7

    HTTP Request

    GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGInPlrwGIjAJbGuNyxwEBiLb3y2k2RmwVccbrCsqFJcODaQ3hUMivXEOIqOmN0wQDfeGmVWTQIMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

    HTTP Response

    429
  • 127.0.0.1:64909
    JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
  • 127.0.0.1:64909
    JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
  • 8.8.8.8:53
    onlinebizdirectory.com
    dns
    JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
    68 B
    84 B
    1
    1

    DNS Request

    onlinebizdirectory.com

    DNS Response

    68.178.225.178

  • 8.8.8.8:53
    worldmotoblo.com
    dns
    JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
    62 B
    135 B
    1
    1

    DNS Request

    worldmotoblo.com

  • 8.8.8.8:53
    resetmymemory.com
    dns
    JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
    63 B
    136 B
    1
    1

    DNS Request

    resetmymemory.com

  • 8.8.8.8:53
    www.google.com
    dns
    JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    142.250.187.196

  • 8.8.8.8:53
    zonedg.com
    dns
    JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
    56 B
    72 B
    1
    1

    DNS Request

    zonedg.com

    DNS Response

    103.224.212.214

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\6C88.231

    Filesize

    1KB

    MD5

    52f935e3b6e653c7435898c48083d543

    SHA1

    facea52b40cebc86d8a775f64e53b96203b330fc

    SHA256

    79248d74a38ee2980ee59908708821dd6edf184ae1b4417bc733a6fba2e2dad7

    SHA512

    8d02fc58fd746ca46470f20f80d449e95f9fda3205a7c1e56e38ed373f0c8c909a40c6e32c762e09082750a2e93a3ce72af37fdba5066caba123ac7d96984cef

  • C:\Users\Admin\AppData\Roaming\6C88.231

    Filesize

    600B

    MD5

    253408204bc543538964106fc44c5aa3

    SHA1

    2d0e375cd0a5c84554dca08e31581caf2df1149b

    SHA256

    70d9a33ab31d75357dd8ca1a7aa6a1ab973988c5243fa20ad434725257cd9ebb

    SHA512

    023669a23f900228efebd7787417de179abbee789f7d747979b16823cf142a1471cf5136f4943a031e27b6a970b12b01b1aeb7ee29bb3c257f17c803af4121c5

  • C:\Users\Admin\AppData\Roaming\6C88.231

    Filesize

    996B

    MD5

    7b6ea187e2dec71805f2974df5072357

    SHA1

    5fa48f9023043cff2b6b4604126b103d198c42bc

    SHA256

    c925d4c83adf8549fc63ab714f81808b864cdf99782e6c932ed648c26ca5e2ef

    SHA512

    bf42c195fc658dc8a12aefa7d935d7007e84102187344b4ae57e81a548d36e15cf75f305fedddeef5e20b2cbb17bf75c98668760350d240bd5fd7ce21a56a0e0

  • memory/1600-73-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/1600-71-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/1600-72-0x0000000000917000-0x0000000000934000-memory.dmp

    Filesize

    116KB

  • memory/1684-16-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/1684-1-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/1684-74-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/1684-2-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/1684-161-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2880-14-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2880-15-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2880-68-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2880-12-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB
