Analysis
- max time kernel: 141s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/01/2025, 04:21
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe
Resource: win7-20240903-en
General
- Target: JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe
- Size: 185KB
- MD5: 20cbec00156786bbb8f3505ec451c712
- SHA1: 13a4677960eb7011c4549b1747375658047e94e6
- SHA256: 647a18f570d05bf304a2f752aa3e46bac57a3b1aa05605976a630ec542b6680d
- SHA512: 24a4262aec82fd45736c62944d30097ea8a65cafb47155053a4606afadf6d9578a487811a5735e2d6ae7df81a39a2156f0984cb4f2907d9212f3a265da16a92c
- SSDEEP: 3072:PiWikRz6onQKh4NvWwqNoFrjpb3gh1gbuPBbi7sQVyugC9lZvRiSNy15cg+3g2LX:PXJ6iQ6KWsx2SuPBbi7lOC9fZiSq5m3f
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (5 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource | yara_rule
  behavioral2/memory/2160-13-0x0000000000400000-0x0000000000455000-memory.dmp | family_cycbot
  behavioral2/memory/4364-14-0x0000000000400000-0x0000000000452000-memory.dmp | family_cycbot
  behavioral2/memory/4364-15-0x0000000000400000-0x0000000000455000-memory.dmp | family_cycbot
  behavioral2/memory/524-80-0x0000000000400000-0x0000000000455000-memory.dmp | family_cycbot
  behavioral2/memory/4364-177-0x0000000000400000-0x0000000000455000-memory.dmp | family_cycbot
- resource | yara_rule
  behavioral2/memory/4364-2-0x0000000000400000-0x0000000000455000-memory.dmp | upx
  behavioral2/memory/2160-12-0x0000000000400000-0x0000000000455000-memory.dmp | upx
  behavioral2/memory/2160-13-0x0000000000400000-0x0000000000455000-memory.dmp | upx
  behavioral2/memory/4364-14-0x0000000000400000-0x0000000000452000-memory.dmp | upx
  behavioral2/memory/4364-15-0x0000000000400000-0x0000000000455000-memory.dmp | upx
  behavioral2/memory/524-78-0x0000000000400000-0x0000000000455000-memory.dmp | upx
  behavioral2/memory/524-80-0x0000000000400000-0x0000000000455000-memory.dmp | upx
  behavioral2/memory/4364-177-0x0000000000400000-0x0000000000455000-memory.dmp | upx
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4364 wrote to memory of 2160 | 4364 | JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe | 82
  PID 4364 wrote to memory of 2160 | 4364 | JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe | 82
  PID 4364 wrote to memory of 2160 | 4364 | JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe | 82
  PID 4364 wrote to memory of 524 | 4364 | JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe | 85
  PID 4364 wrote to memory of 524 | 4364 | JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe | 85
  PID 4364 wrote to memory of 524 | 4364 | JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe | 85
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe"
  PID: 4364
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe startC:\Program Files (x86)\LP\2D96\E1B.exe%C:\Program Files (x86)\LP\2D96
    PID: 2160
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe startC:\Users\Admin\AppData\Roaming\6277B\2743D.exe%C:\Users\Admin\AppData\Roaming\6277B
    PID: 524
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 65ad2d32da48a918dc3d47f0a113a0fe
  SHA1: 3acfc755fdb16314e70f1ac97d99855f29d58db9
  SHA256: 2558f40cf4992c7064a344741d2863113a42ac17d54065f114ecd47a26890815
  SHA512: d1bb0a55261ba106ed825b927710cc1bda41da849013e04ccfff686388595ae771f4a628d8ba0e75c1a3ccb761a6ead7aced80a5c41db7a2b3c5d68f1e576c6a
- Filesize: 600B
  MD5: 7c5257957e99ebed353f5abcd27e0e61
  SHA1: d58b3c7511494ffe151fc2efaee2e2358f1fbc08
  SHA256: 9560a1368e681326d9306f010f30c80e1009c4f70a61c93882169bfbc1347ecf
  SHA512: 67294848412aaa558183cfc3f65589cef068a2893bdbf26c312b45a7d2122ae1be99c32d55939469761bfae07ab440ce8c9e1bdd00f2418a4493c5e8e4f14d2b
- Filesize: 996B
  MD5: f05dfe590e4bd8d3531c8922cda51dea
  SHA1: ef33c0706c3d89105ad162bba6782697e754e53b
  SHA256: f87ed7913cc45bb1f0a6ab3d066fc769208bd8b1aa34c44c996b89f16f00bdef
  SHA512: 2fab614d06b007b8564e8b0c8e210f6fc796ff9cd5943bdb4c4ef503d8d7d9eb7fcdb16f7590c36bc193abebc7a56e001dad439ac685e54e213c0658582f9a15