Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JaffaCakes...64.exe

windows7-x64

10

JaffaCakes...64.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    140s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    13/01/2025, 11:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exe

  • Size

    167KB

  • MD5

    28a4ff439567acdcb7edf44dfce76b64

  • SHA1

    69efb46b74cee2a413e430040b04381d5dc08596

  • SHA256

    69d353e51b6670af251cd9ae4f63a1562ea1d15c93d87cfb68ec2dc74465ceff

  • SHA512

    1f9dad360f79f47bd638e90f9577e225de081e8dba8479e939636e41cb159c5e630b33057c554c2c0be5edefafcc3d82d4e38c70f7fc5c2c49a3a4a572077cab

  • SSDEEP

    3072:3LMfUkXbpteqoAM8I72E3Pbl5a161RbzbzLvcxXnrOvoz1BALtABzAW6Bl/OZ:7WX1tLIS+Du6zbvchrOvaoiMtBlW

Score
10/10
cycbotbackdoordiscoverypersistenceratspywarestealerupx

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

    backdoorratcycbot
  • Cycbot family
    cycbot
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1440
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      2⤵
      • System Location Discovery: System Language Discovery
      PID:740
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_28a4ff439567acdcb7edf44dfce76b64.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1476

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\AC08.890
    Filesize

    597B

    MD5

    46a87d90fb7095d718577f01b5f09abc

    SHA1

    17d42158186f96e39f650f3fffd844569d34126f

    SHA256

    f5b7a720bfbdbc3eae4cd1c7761af3b1600d4e707f24d6641f1752d6c8550ab9

    SHA512

    5505a40fa2990b2fd6c25629c08e0434d843882a00eb1b03617744f750c96fc602fe51d5ec5d9790a86d54dd7ffb7c81badb7489a120397da3609f6c504ff0aa

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AC08.890
    Filesize

    1KB

    MD5

    e64494e92c0a2aeb12062948cc7b85e8

    SHA1

    e95955fb50ddc89a6a5a224f4492ece73bf228dc

    SHA256

    2a6bff2cfd6c0eb27bab1e031d2837e7408ee4e9e32ff89f5ffe1757699cc5ad

    SHA512

    2e4ec1c2624f3ac8e5e76a3d0f51dbe94621cde6f5913c9a356de51d7b092ead478e1064764a757a07dd3fc04886b47f0a1b88293f87c919416f5e1bf6794cff

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AC08.890
    Filesize

    897B

    MD5

    10055bf9fe4478b272087968a23c2f8e

    SHA1

    69a69a74123d4e0767df8fa8ce280ff3819f2d60

    SHA256

    3f58f1b02dbd6a322fc83512d0940df798f5eb21f3df03ffc817c38cb0138d5e

    SHA512

    ac50c1350b8e32c4a2c71137cb4f4313145a2e714bd5a34a14bc027c7af4c350d61b5b06e3dd3468c6c12dc7e579f6e476ad2b6aaedb3d9ec8efa07903e712db

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AC08.890
    Filesize

    1KB

    MD5

    341ce98623f841e618cbda0096f66e51

    SHA1

    9b14189320583ac4c72c7820457fd468b2ff2eb5

    SHA256

    01553c5e0d6c3b172a9d2097a52e0b13f87fd2a3140ef5b2db6898b4a6f2e417

    SHA512

    3818a7555b18fa885972232a0c2e317af8cb82ad28a9b9fee00bce02fef826e2675fd8842ac1745747cbe0e98a0c96f91da17f20e77dd4143e37569fdde255a4

    Download Submit

  • memory/740-7-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/740-6-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1440-17-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1440-1-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1440-91-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1440-2-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1440-184-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1476-89-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1476-90-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download