Analysis
max time kernel: 140s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/01/2025, 06:05
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe
Resource: win7-20240903-en
General
Target: JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe
Size: 176KB
MD5: 22c9a3b3e6f8e0ea86ab8857b55f7382
SHA1: 1f33b0fbc825ab0a8d24e5de3d0c1dc9f88e2a98
SHA256: 9dfc1bf1d3663eac731a17fe8d156a26ba17e2aec1f52511caa0ff1d4fcea9d2
SHA512: 60f95592800c943a0ba7adce12f46fd88cd9eaa3f20e9fc04b7b3a69cb0eb72adfc961f5886b9bb6bc2e0d246ce586583ad960ad99ad4d254b0d2289a3753306
SSDEEP: 3072:MyQ0ye7pnGvSkMzzC2WKHPN1mPR82UZSOvCb2oc/VHOgW594b9Qf:BQ0yipGvMnChESy2UZSOKIVpWTCGf
Malware Config
Signatures
Cycbot family

Detects Cycbot payload 5 IoCs
Cycbot is a backdoor and trojan written in C++.
resource                                                                      yara_rule
behavioral2/memory/1768-13-0x0000000000400000-0x000000000046F000-memory.dmp   family_cycbot
behavioral2/memory/4744-14-0x0000000000400000-0x000000000046F000-memory.dmp   family_cycbot
behavioral2/memory/2964-79-0x0000000000400000-0x000000000046F000-memory.dmp   family_cycbot
behavioral2/memory/4744-187-0x0000000000400000-0x000000000046F000-memory.dmp  family_cycbot
behavioral2/memory/4744-188-0x0000000000400000-0x000000000046F000-memory.dmp  family_cycbot

yara rule upx 7 IoCs
resource                                                                      yara_rule
behavioral2/memory/4744-2-0x0000000000400000-0x000000000046F000-memory.dmp    upx
behavioral2/memory/1768-11-0x0000000000400000-0x000000000046F000-memory.dmp   upx
behavioral2/memory/1768-13-0x0000000000400000-0x000000000046F000-memory.dmp   upx
behavioral2/memory/4744-14-0x0000000000400000-0x000000000046F000-memory.dmp   upx
behavioral2/memory/2964-79-0x0000000000400000-0x000000000046F000-memory.dmp   upx
behavioral2/memory/4744-187-0x0000000000400000-0x000000000046F000-memory.dmp  upx
behavioral2/memory/4744-188-0x0000000000400000-0x000000000046F000-memory.dmp  upx
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                          Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe
Suspicious use of WriteProcessMemory 6 IoCs
description                        pid   Process                                               procid_target
PID 4744 wrote to memory of 1768   4744  JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe   84
PID 4744 wrote to memory of 1768   4744  JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe   84
PID 4744 wrote to memory of 1768   4744  JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe   84
PID 4744 wrote to memory of 2964   4744  JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe   92
PID 4744 wrote to memory of 2964   4744  JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe   92
PID 4744 wrote to memory of 2964   4744  JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe   92
Processes
1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID:4744
   2. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe startC:\Program Files (x86)\Internet Explorer\D3A7\47F.exe%C:\Program Files (x86)\Internet Explorer\D3A7
      PID:1768
   2. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe startC:\Users\Admin\AppData\Roaming\7113E\34ED3.exe%C:\Users\Admin\AppData\Roaming\7113E
      PID:2964
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 1KB
MD5: 109e2ff39ba23f06203b6178fac39ab6
SHA1: 9e53ca82df51696c9f02198809543768d49969b6
SHA256: 8fcb3616efb4fcf21dd4ebd5fc190bd9943e7a48c4ae186e8a82543dc4d73034
SHA512: 3e91c71688fa4c614d7b8e658515f7ebe99c453ad3b536cd15eb528cea609aca7e84ccbefbd5cc0ba404528cea07a9cfa543e2478597c7b2cb62ccdd16c1b86f

File 2
Filesize: 600B
MD5: f9e84bbdc558d9ab894737b6175ff5ee
SHA1: 42d1a0a6bf802afde4dbdad40e5e25771a9f97b5
SHA256: ccda1eba78a4d0a0e2135efb90ef760191ce92b773503d9543756cb07069638f
SHA512: 396e2b13f57ad3c9fff6570f1bf8a6c12e6a35fc4be0ceba47c5b12a41b4ed3221063f18fb4ac12ba39b713ab38a4466e05fbaa16a5adcd808649c4542bf90fd

File 3
Filesize: 996B
MD5: 295a936cd245afa715c624ce92663cd9
SHA1: 506f45f155647cf9aabc139299f3e76509fa44f5
SHA256: 2d572bf29d4f3222a0024e2c6de1b59412ff37c80b6cadfbd1a5654217beac64
SHA512: 6d7e859f1162f3917b398e9104780a17ff3272d1e101fd2a6726884497f1384d670de8897c8e9d48c87fc59a3a881efa88ee404b0de5311b1d774c833dd26efd