Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/01/2025, 06:24
Static task: static1

Behavioral task: behavioral1
Sample: JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe
Resource: win7-20240903-en
General

Target: JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe
Size: 178KB
MD5: 231c813d12836c2870d58d3cc88c7efa
SHA1: 74f3f77519e563513369c6bfd73fd687ebac3ee0
SHA256: 21a00430dc7b2ecf702b16f52227f7d558e9397b0d0e5f263416502c289ca3a0
SHA512: 51a42872c84db394dd3ce8ecfe9ea8d68507a0970f0fcc967b35c1c7eb030b81737f60d61ca89ae1550e8ca4d6c4a2b5c28670d27604ffd0426b3ba49885ee30
SSDEEP: 3072:/L/wyNqSMLufKePcPRD5kFR+rUr1YdDrgXvftX48yr2goxiX:/L/wXLufDwIR6d/gXHtXJm5R
Malware Config

Signatures

Cycbot family

Detects Cycbot payload (6 IoCs)
Cycbot is a backdoor and trojan written in C++.

resource | yara_rule
behavioral2/memory/2576-13-0x0000000000400000-0x0000000000454000-memory.dmp | family_cycbot
behavioral2/memory/3040-14-0x0000000000400000-0x0000000000454000-memory.dmp | family_cycbot
behavioral2/memory/3040-15-0x0000000000400000-0x0000000000452000-memory.dmp | family_cycbot
behavioral2/memory/4496-124-0x0000000000400000-0x0000000000454000-memory.dmp | family_cycbot
behavioral2/memory/3040-287-0x0000000000400000-0x0000000000454000-memory.dmp | family_cycbot
behavioral2/memory/3040-289-0x0000000000400000-0x0000000000454000-memory.dmp | family_cycbot

resource | yara_rule
behavioral2/memory/3040-2-0x0000000000400000-0x0000000000454000-memory.dmp | upx
behavioral2/memory/2576-12-0x0000000000400000-0x0000000000454000-memory.dmp | upx
behavioral2/memory/2576-13-0x0000000000400000-0x0000000000454000-memory.dmp | upx
behavioral2/memory/3040-14-0x0000000000400000-0x0000000000454000-memory.dmp | upx
behavioral2/memory/3040-15-0x0000000000400000-0x0000000000452000-memory.dmp | upx
behavioral2/memory/4496-124-0x0000000000400000-0x0000000000454000-memory.dmp | upx
behavioral2/memory/3040-287-0x0000000000400000-0x0000000000454000-memory.dmp | upx
behavioral2/memory/3040-289-0x0000000000400000-0x0000000000454000-memory.dmp | upx
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe
Suspicious use of WriteProcessMemory (6 IoCs)

description | pid | Process | procid_target
PID 3040 wrote to memory of 2576 | 3040 | JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe | 84
PID 3040 wrote to memory of 2576 | 3040 | JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe | 84
PID 3040 wrote to memory of 2576 | 3040 | JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe | 84
PID 3040 wrote to memory of 4496 | 3040 | JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe | 99
PID 3040 wrote to memory of 4496 | 3040 | JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe | 99
PID 3040 wrote to memory of 4496 | 3040 | JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe | 99
Processes

1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 3040

   2. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe startC:\Program Files (x86)\LP\5043\11E.exe%C:\Program Files (x86)\LP\5043
      PID: 2576

   2. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe startC:\Users\Admin\AppData\Roaming\3B837\73050.exe%C:\Users\Admin\AppData\Roaming\3B837
      PID: 4496
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 996B
MD5: eb3c36dec2b8aa0cdc3a07928893ecc3
SHA1: f21d77ff48227f32b5cfa8be6700e969404b6efa
SHA256: 9526811ce067317c7e4d5fe85e342f7ea6625f919e75c52fd5ca44de77272021
SHA512: 9d6ed65f6a8263f778f477a03fb76b014d5d45294191ba8b27341a89d8d0c20cdc08dbc19ce4e1636845cb42a04d456c07a363cb5faff49685c7a7211a1aa600

Filesize: 600B
MD5: 8b3fb428ac4120298995b0020e3588e3
SHA1: caf56aabdf16eb083b0c1ba44775b49e83bf4e6b
SHA256: f490e9e8dfa5dd78e9e279a9e478f4cf5fe43b0a7dd438b41a5130c83033fb2d
SHA512: 743ec558d7dfa72304c31e780933adb0504b55aac1edcfd9f2bcb21436f330bf31cd6438bd81fc284d1e37eb27fee2310ea1ef94ab50f812964cc9081617344f

Filesize: 1KB
MD5: e6249a42badf0c04f4b4c5d949e57c7d
SHA1: 60cde088acfa23a81302c1ec38fce1916feea0b5
SHA256: e80e3cad34976f4bb22df16b4df0c61778377436c06ed12bf2330cd820157ea5
SHA512: 9a42165db0dc36ef07e20bf37ff4d528abd613b936e3b39b0794300e735cef7f2ffa3b2c122d133e06decb3eb4e9519b5938437afbbae36109b314a06fa70c73