Analysis

  • max time kernel
    141s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/01/2025, 08:18 UTC

General

  • Target

    JaffaCakes118_25865e7d35e0b4518b95071c887f00dc.exe

  • Size

    172KB

  • MD5

    25865e7d35e0b4518b95071c887f00dc

  • SHA1

    67d0e05d6aa014b1a5d6ed1ba74362c012249e4f

  • SHA256

    ae8894582479d445288c34d4fe8571f5ff4f064c5c5a0044f6f63244631ee3b4

  • SHA512

    e9f29d35a64204c342684134fde7e6b0f2d0ba9a9db973d2806eaa07bdf28fba6478119bca2edcb53075cce4950689166fd9d294d3ec4c89109f993c01c58680

  • SSDEEP

    3072:bvTDGdtRjfZOsgrJQSwFvSa5XPY+N/u0rKlu+1dMIkDs0QN3lA:SdLhO3JQ1FxXPnDeu+XMI0Qg

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25865e7d35e0b4518b95071c887f00dc.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25865e7d35e0b4518b95071c887f00dc.exe"
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25865e7d35e0b4518b95071c887f00dc.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25865e7d35e0b4518b95071c887f00dc.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      • System Location Discovery: System Language Discovery
      PID:2700
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25865e7d35e0b4518b95071c887f00dc.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25865e7d35e0b4518b95071c887f00dc.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      • System Location Discovery: System Language Discovery
      PID:1988

Network

  • DNS (US)
    pcdocpro.com
    JaffaCakes118_25865e7d35e0b4518b95071c887f00dc.exe
    Remote address:
    8.8.8.8:53
    Request
    pcdocpro.com
    IN A
    Response
  • DNS (US)
    zonetf.com
    JaffaCakes118_25865e7d35e0b4518b95071c887f00dc.exe
    Remote address:
    8.8.8.8:53
    Request
    zonetf.com
    IN A
    Response
    zonetf.com
    IN A
    13.248.169.48
    zonetf.com
    IN A
    76.223.54.146
  • POST (US)
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBhMlPzDqgL8GT7iirXfdoAfOJLz0alxtygbpb6HvnSAMRu4pVKv975Xlm5G
    JaffaCakes118_25865e7d35e0b4518b95071c887f00dc.exe
    Remote address:
    13.248.169.48:80
    Request
    POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBhMlPzDqgL8GT7iirXfdoAfOJLz0alxtygbpb6HvnSAMRu4pVKv975Xlm5G HTTP/1.1
    Host: zonetf.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 0
    Connection: close
    Response
    HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close
  • DNS (US)
    zoneij.com
    JaffaCakes118_25865e7d35e0b4518b95071c887f00dc.exe
    Remote address:
    8.8.8.8:53
    Request
    zoneij.com
    IN A
    Response
  • DNS (US)
    zonedg.com
    JaffaCakes118_25865e7d35e0b4518b95071c887f00dc.exe
    Remote address:
    8.8.8.8:53
    Request
    zonedg.com
    IN A
    Response
    zonedg.com
    IN A
    103.224.212.214
  • GET (US)
    http://zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvQi3OjbwvgS917W65rJqlLfgPiWW1cg
    JaffaCakes118_25865e7d35e0b4518b95071c887f00dc.exe
    Remote address:
    103.224.212.214:80
    Request
    GET /images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvQi3OjbwvgS917W65rJqlLfgPiWW1cg HTTP/1.0
    Connection: close
    Host: zonedg.com
    Accept: */*
    User-Agent: iamx/3.11
    Response
    HTTP/1.0 403 Forbidden
    cache-control: no-cache
    content-type: text/html
  • 13.248.169.48:80
    http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBhMlPzDqgL8GT7iirXfdoAfOJLz0alxtygbpb6HvnSAMRu4pVKv975Xlm5G
    http
    JaffaCakes118_25865e7d35e0b4518b95071c887f00dc.exe
    551 B
    245 B
    5
    4

    HTTP Request

    POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gBhMlPzDqgL8GT7iirXfdoAfOJLz0alxtygbpb6HvnSAMRu4pVKv975Xlm5G

    HTTP Response

    405
  • 103.224.212.214:80
    http://zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvQi3OjbwvgS917W65rJqlLfgPiWW1cg
    http
    JaffaCakes118_25865e7d35e0b4518b95071c887f00dc.exe
    397 B
    342 B
    5
    4

    HTTP Request

    GET http://zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvQi3OjbwvgS917W65rJqlLfgPiWW1cg

    HTTP Response

    403
  • 8.8.8.8:53
    pcdocpro.com
    dns
    JaffaCakes118_25865e7d35e0b4518b95071c887f00dc.exe
    58 B
    58 B
    1
    1

    DNS Request

    pcdocpro.com

  • 8.8.8.8:53
    zonetf.com
    dns
    JaffaCakes118_25865e7d35e0b4518b95071c887f00dc.exe
    56 B
    88 B
    1
    1

    DNS Request

    zonetf.com

    DNS Response

    13.248.169.48
    76.223.54.146

  • 8.8.8.8:53
    zoneij.com
    dns
    JaffaCakes118_25865e7d35e0b4518b95071c887f00dc.exe
    56 B
    129 B
    1
    1

    DNS Request

    zoneij.com

  • 8.8.8.8:53
    zonedg.com
    dns
    JaffaCakes118_25865e7d35e0b4518b95071c887f00dc.exe
    56 B
    72 B
    1
    1

    DNS Request

    zonedg.com

    DNS Response

    103.224.212.214

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\CBC8.D1D

    Filesize

    1KB

    MD5

    365adffb8a28d5a7cd2712ee7cff4954

    SHA1

    9a91da13945ffeb67417eff5669a49e77f18b017

    SHA256

    b7a62b8a47d006cb605cf1896fe9b1f74d9a4abffae1eadbfa78f188f161de71

    SHA512

    496660e91bc1f71cbab25979bd7b3f2f70fb1be8c4db413f80f1f38fbb3f674445bc426e810dcdd14c6a7da0393c1f06327514f8c8d5b77cd700f073151228e9

  • C:\Users\Admin\AppData\Roaming\CBC8.D1D

    Filesize

    600B

    MD5

    cbbf05fc94de6ebc6387611ee3f61e80

    SHA1

    a51a5e15784dac56d0510a77312b6bcc2855da4a

    SHA256

    b6e4d943f4d7c86390dcb138b6060edb2c5b1ae87edd53bf5ed0cfef0996bc43

    SHA512

    d51b6eceaf90b8594a89cf5bafa0b0cda36eaa6b7f93160b7a003e5171a291215f57f259a2279fc089d9e65d95506f579988bd6bdb53e1988b9d0726008cb0ac

  • C:\Users\Admin\AppData\Roaming\CBC8.D1D

    Filesize

    996B

    MD5

    2a0876fca16124cf13076ac480e47443

    SHA1

    0e5e94c9a43ebffa4dd6c037dc4d7653143ec2ca

    SHA256

    3df18d4825cf6e1051012a0bc8a050755036ec1a0f58dc062ea26ffb7db49b94

    SHA512

    ede7f8a2521ac128b8cf90a67ec4ec5cd58a07d05400975fa7de2d0d115f5b696be8b1b81d921090434a2446b749bf0f4c09b803093774099d09a5bc4f7bca3d

  • memory/1064-1-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/1064-13-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/1988-78-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/1988-80-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/1988-77-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/2700-8-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/2700-6-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB
