Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/01/2025, 11:24

Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe
Resource: win7-20240729-en
General
Target: JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe
Size: 187KB
MD5: 289c05bfe6833f103e96cc733057fd34
SHA1: eda3d3c71cabfc946f5335e3cd48d9fb7ff5ff8e
SHA256: 4e6119e5932aac7d72e61bde7a4f2dd3f0b2ad1cb3a4f7de34a7adaa83f63787
SHA512: d36ee68e53ff89c6ce2bdfba54cf962d7f47d872fe618036904ba38c615b2b81ae3c8a8e7ad59811584331a1cbf2fb82c40b2dab4941dc777e2da37afbe01b83
SSDEEP: 3072:l2vjHdaoHP8+5uzYbHmpBnAE4rVktA8RPfBETe:SjRk4uz02BnA2NR3
Malware Config
Signatures
Cycbot family

Detects Cycbot payload 4 IoCs
Cycbot is a backdoor and trojan written in C++.
resource                                                                    yara_rule
behavioral2/memory/2796-12-0x0000000000400000-0x0000000000453000-memory.dmp   family_cycbot
behavioral2/memory/224-13-0x0000000000400000-0x0000000000453000-memory.dmp    family_cycbot
behavioral2/memory/3988-80-0x0000000000400000-0x0000000000453000-memory.dmp   family_cycbot
behavioral2/memory/224-174-0x0000000000400000-0x0000000000453000-memory.dmp   family_cycbot

resource                                                                    yara_rule
behavioral2/memory/224-2-0x0000000000400000-0x0000000000453000-memory.dmp     upx
behavioral2/memory/2796-11-0x0000000000400000-0x0000000000453000-memory.dmp   upx
behavioral2/memory/2796-12-0x0000000000400000-0x0000000000453000-memory.dmp   upx
behavioral2/memory/224-13-0x0000000000400000-0x0000000000453000-memory.dmp    upx
behavioral2/memory/3988-78-0x0000000000400000-0x0000000000453000-memory.dmp   upx
behavioral2/memory/3988-80-0x0000000000400000-0x0000000000453000-memory.dmp   upx
behavioral2/memory/224-174-0x0000000000400000-0x0000000000453000-memory.dmp   upx
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                         Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe
Suspicious use of WriteProcessMemory 6 IoCs
description                       pid   Process                                              procid_target
PID 224 wrote to memory of 2796   224   JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe   83
PID 224 wrote to memory of 2796   224   JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe   83
PID 224 wrote to memory of 2796   224   JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe   83
PID 224 wrote to memory of 3988   224   JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe   91
PID 224 wrote to memory of 3988   224   JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe   91
PID 224 wrote to memory of 3988   224   JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe   91
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe"
    PID: 224
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe startC:\Program Files (x86)\Internet Explorer\D3A0\9C3.exe%C:\Program Files (x86)\Internet Explorer\D3A0
        PID: 2796
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe startC:\Users\Admin\AppData\Roaming\0CAFF\49ED3.exe%C:\Users\Admin\AppData\Roaming\0CAFF
        PID: 3988
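The signature tables (memory-region YARA hits, WriteProcessMemory rows) and the process tree above give the raw IoCs but not the link between them. The following Python is an added example, not part of the tria.ge report, that parses those rows exactly as the page prints them and correlates them: for each process that another process wrote into, it lists who wrote, how many times, which YARA rules fired on that process's memory, and in which dump order. The two input lists are constructed copies of the rows shown above; the dump-name layout `<task>/memory/<pid>-<seq>-<start>-<end>-memory.dmp` is inferred from those strings and treated as an assumption about the format rather than a documented one.

```python
import re
from collections import defaultdict

# Constructed copies of the memory-region YARA hits printed in the report's
# "Detects Cycbot payload" and UPX signature tables: (dump name, rule name).
YARA_HITS = [
    ("behavioral2/memory/224-2-0x0000000000400000-0x0000000000453000-memory.dmp", "upx"),
    ("behavioral2/memory/2796-11-0x0000000000400000-0x0000000000453000-memory.dmp", "upx"),
    ("behavioral2/memory/2796-12-0x0000000000400000-0x0000000000453000-memory.dmp", "upx"),
    ("behavioral2/memory/2796-12-0x0000000000400000-0x0000000000453000-memory.dmp", "family_cycbot"),
    ("behavioral2/memory/224-13-0x0000000000400000-0x0000000000453000-memory.dmp", "upx"),
    ("behavioral2/memory/224-13-0x0000000000400000-0x0000000000453000-memory.dmp", "family_cycbot"),
    ("behavioral2/memory/3988-78-0x0000000000400000-0x0000000000453000-memory.dmp", "upx"),
    ("behavioral2/memory/3988-80-0x0000000000400000-0x0000000000453000-memory.dmp", "upx"),
    ("behavioral2/memory/3988-80-0x0000000000400000-0x0000000000453000-memory.dmp", "family_cycbot"),
    ("behavioral2/memory/224-174-0x0000000000400000-0x0000000000453000-memory.dmp", "upx"),
    ("behavioral2/memory/224-174-0x0000000000400000-0x0000000000453000-memory.dmp", "family_cycbot"),
]

# The six "Suspicious use of WriteProcessMemory" rows, as the page prints them.
WPM_LINES = [
    "PID 224 wrote to memory of 2796 224 JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe 83",
    "PID 224 wrote to memory of 2796 224 JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe 83",
    "PID 224 wrote to memory of 2796 224 JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe 83",
    "PID 224 wrote to memory of 3988 224 JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe 91",
    "PID 224 wrote to memory of 3988 224 JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe 91",
    "PID 224 wrote to memory of 3988 224 JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe 91",
]

# Assumed dump-name layout, inferred from the strings above (not a documented format):
# <task>/memory/<pid>-<dump sequence>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(
    r"^(?P<task>behavioral\d+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# Row layout: "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<src2>\d+) "
    r"(?P<image>\S+) (?P<target>\d+)$"
)


def parse_dump_name(name):
    """Split a dump name into pid, dump sequence number and the [start, end) range it covers."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {name}")
    return {"task": m["task"], "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def parse_wpm_line(line):
    """Parse one WriteProcessMemory row; the source pid is printed twice and must agree."""
    m = WPM_RE.match(line)
    if not m or m["src"] != m["src2"]:
        raise ValueError(f"unrecognised WriteProcessMemory row: {line}")
    return {"source_pid": int(m["src"]), "target_pid": int(m["dst"]),
            "image": m["image"], "target_procid": int(m["target"])}


def index_yara_hits(yara_hits):
    """pid -> [(dump seq, rule), ...] in dump order, and pid -> set of matched (start, end) regions."""
    timeline = defaultdict(list)
    regions = defaultdict(set)
    for name, rule in yara_hits:
        d = parse_dump_name(name)
        timeline[d["pid"]].append((d["seq"], rule))
        regions[d["pid"]].add((d["start"], d["end"]))
    for pid in timeline:
        timeline[pid].sort(key=lambda t: t[0])  # stable sort keeps page order within one dump
    return timeline, regions


def correlate(yara_hits, wpm_lines):
    """For each process another process wrote into: who wrote, how often, and what YARA matched there."""
    timeline, regions = index_yara_hits(yara_hits)
    result = {}
    for row in map(parse_wpm_line, wpm_lines):
        tgt = row["target_pid"]
        entry = result.setdefault(tgt, {"written_by": set(), "write_count": 0})
        entry["written_by"].add(row["source_pid"])
        entry["write_count"] += 1
        entry["timeline"] = timeline.get(tgt, [])
        entry["rules"] = {rule for _, rule in entry["timeline"]}
        entry["regions"] = regions.get(tgt, set())
    return result


if __name__ == "__main__":
    for pid, info in sorted(correlate(YARA_HITS, WPM_LINES).items()):
        spans = [f"0x{s:x}-0x{e:x}" for s, e in sorted(info["regions"])]
        print(pid, sorted(info["written_by"]), info["write_count"], info["timeline"], spans)
```

Run against the report's rows, both children (2796 and 3988) were written to three times by the parent 224, and each shows a upx match followed by a family_cycbot match on the same 0x400000-0x453000 range (the default 32-bit image base, where the parent's own hits also sit). That 0x53000-byte region is larger than the 187KB file on disk, which is what one expects for a UPX-packed image once unpacked in memory. The read this supports is that the sample re-launches a copy of itself and writes into that copy's image region, rather than into a foreign process; what is actually written is not shown on the page and this script does not guess at it.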
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 9b8ba62fbc5c47b75edc7797b9f8be8b
SHA1: 43117e98e7eadaefc59a2d2a4f48dc63d2388939
SHA256: 3bb4ad29a5b1456007b4049320c62b51d808278c90b7b3ceadcf97d125126e6f
SHA512: 83dc5d7535d000d5d1eca15a91535b9f5419888d7801d130491b34468e4670187adc139382142b5776a788b4c2a4deec662024f01de91db61afc0e827a0d630e

Filesize: 600B
MD5: 5d83229cbee46a630ed989070b14c3c7
SHA1: 6df0f749bc85c14301890a4ce52c7f6b887ad7fc
SHA256: e9dead399e21143efe69d67d068a2402b3d950cba41fc1aca04463174978239e
SHA512: 824605e736d630506ae8410deda26509e0501e43308b42952ae77f17452b695999b7cbbe220e89aa3da2ecc3dfadc60e8dcc5d9d34a9ddfa47cf355690d44e2c

Filesize: 996B
MD5: 29859dc9d48b64c237ded99cd4a57a42
SHA1: 2de1b651c483fa84e32383d5b6678bfb4e1b4154
SHA256: 9f0a7495d28576c1ac482a9dfdbf503a6a2b8e9af1596396ff86080bd462d683
SHA512: a6e20ffb83737f8df7311051c48a4001cce4efc93ebfce970c488ef63790ddf3e8b3879a4501bfe21e16326b98d300d22c0552a427f9d9f4138dede556e4e3a6