Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
13/01/2025, 21:06 UTC
General
-
Target
JaffaCakes118_2f31dde56f29afee636fd32b20a0736b.exe
-
Size
201KB
-
MD5
2f31dde56f29afee636fd32b20a0736b
-
SHA1
682cc264764a083883f79258bb9baca1ba41e51f
-
SHA256
672e0b51f10c39a7ea11648ceb1021f0029d6043107a080ee230165b16afa6f5
-
SHA512
fa3d0b9acb2f8374db1ca85f61b3cac3970d04ff8843c0f2c54b094cecb68fbef4a41b1f7448ba9bd9734069728ba9212c4f8022632b70ecea5e44e662b3e868
-
SSDEEP
6144:r5VGHD1WEItzn+W8fbWtJghxEJhcHqjci1:WHD1tTWTghUhcKjc
Score
10/10
Malware Config
Signatures
-
Cycbot
Cycbot is a backdoor and trojan written in C++..
-
Cycbot family
-
Detects Cycbot payload 7 IoCs
Cycbot is a backdoor and trojan written in C++.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2f31dde56f29afee636fd32b20a0736b.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2f31dde56f29afee636fd32b20a0736b.exe"1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2f31dde56f29afee636fd32b20a0736b.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2f31dde56f29afee636fd32b20a0736b.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2f31dde56f29afee636fd32b20a0736b.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2f31dde56f29afee636fd32b20a0736b.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp2⤵
- System Location Discovery: System Language Discovery
-
Network
-
DNS4videosoft.comRemote address:8.8.8.8:53Request4videosoft.comIN AResponse4videosoft.comIN A169.47.106.186 -
GEThttp://4videosoft.com/iphone.gif?tq=gJ4WK%2FSUh6zGkER8oY%2BQrMWTUj26kJHjyZVVK%2B%2FbxWq1SfkIYVhXRemote address:169.47.106.186:80RequestGET /iphone.gif?tq=gJ4WK%2FSUh6zGkER8oY%2BQrMWTUj26kJHjyZVVK%2B%2FbxWq1SfkIYVhX HTTP/1.0
Connection: close
Host: 4videosoft.com
Accept: */*
User-Agent: opera/8.11
ResponseHTTP/1.1 301 Moved Permanently
Date: Mon, 13 Jan 2025 21:07:08 GMT
Server: Apache
Location: https://www.4videosoft.com/error.html
Cache-Control: max-age=3600
Expires: Mon, 13 Jan 2025 22:07:08 GMT
Content-Length: 245
Connection: close
Content-Type: text/html; charset=iso-8859-1
-
DNSzonetf.comRemote address:8.8.8.8:53Requestzonetf.comIN AResponsezonetf.comIN A76.223.54.146zonetf.comIN A13.248.169.48
-
POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJrX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGg45Ym1rAT9GT7iiszYBIZqTeT%2B0alxtygbpb6HvnSAMRu4pVKv975Xlm5GRemote address:76.223.54.146:80RequestPOST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJrX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGg45Ym1rAT9GT7iiszYBIZqTeT%2B0alxtygbpb6HvnSAMRu4pVKv975Xlm5G HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
ResponseHTTP/1.1 405 Method Not Allowed
content-length: 0
connection: close
-
DNSdifferentdata-one.comRemote address:8.8.8.8:53Requestdifferentdata-one.comIN AResponse
-
DNSwww.google.comRemote address:8.8.8.8:53Requestwww.google.comIN AResponsewww.google.comIN A142.250.187.196
-
GEThttp://www.google.com/Remote address:142.250.187.196:80RequestGET / HTTP/1.0
Connection: close
Host: www.google.com
Accept: */*
ResponseHTTP/1.0 302 Found
Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGLmBlrwGIjCb39HYj2ppO1zxtGwBAQ2GF8l25b-Q4yxVlG4jGZwCRMWbvqlGediZMMmBdJSiXqkyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
x-hallmonitor-challenge: CgsIuoGWvAYQw5vxWxIEtdewUw
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-wuXBMTOILDwqVCtqUCbswA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Mon, 13 Jan 2025 21:08:10 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-X2USCpKbTYY_s4uvRxqf-rPgAwEXTqUYstYtRhvcalw3LosEmFeQ; expires=Sat, 12-Jul-2025 21:08:10 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
-
DNSzoneak.comRemote address:8.8.8.8:53Requestzoneak.comIN AResponsezoneak.comIN A103.224.212.215
-
GEThttp://zoneak.com/images/im133.jpg?tq=gHZutDyMv5rJeyG1J8K%2B1MWCJbP4lltXIA%3D%3DRemote address:103.224.212.215:80RequestGET /images/im133.jpg?tq=gHZutDyMv5rJeyG1J8K%2B1MWCJbP4lltXIA%3D%3D HTTP/1.0
Connection: close
Host: zoneak.com
Accept: */*
User-Agent: opera/8.11
ResponseHTTP/1.0 403 Forbidden
cache-control: no-cache
content-type: text/html
-
POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJrX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGg45Ym1rAT9GT7iiszYBIZqTeT%2B0alxtygbpb6HvnSAOQij%2B82oYvEaT%2Bfuwd13Uq%2F3vleWbkY%3DRemote address:76.223.54.146:80RequestPOST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJrX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGg45Ym1rAT9GT7iiszYBIZqTeT%2B0alxtygbpb6HvnSAOQij%2B82oYvEaT%2Bfuwd13Uq%2F3vleWbkY%3D HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
ResponseHTTP/1.1 405 Method Not Allowed
content-length: 0
connection: close
-
GEThttp://www.google.com/Remote address:142.250.187.196:80RequestGET / HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com
ResponseHTTP/1.1 302 Found
Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGLqBlrwGIjA5aSy65UgQpOuVEHmgXT137N7YBqgUW3RzLJ0h9uWRql2wEv8ifabrNkt6SgmoG9gyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
x-hallmonitor-challenge: CgwIu4GWvAYQhLnzrQESBLXXsFM
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-KxvYVCGJv8FyroPhr864wg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Mon, 13 Jan 2025 21:08:11 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-U_OJLPTguFWU7rT1f9joGJ1F5RWFYjnLHLADz1oMKNP5NrTH4Dkw; expires=Sat, 12-Jul-2025 21:08:11 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Connection: close
-
GEThttp://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGLqBlrwGIjA5aSy65UgQpOuVEHmgXT137N7YBqgUW3RzLJ0h9uWRql2wEv8ifabrNkt6SgmoG9gyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMRemote address:142.250.187.196:80RequestGET /sorry/index?continue=http://www.google.com/&q=EgS117BTGLqBlrwGIjA5aSy65UgQpOuVEHmgXT137N7YBqgUW3RzLJ0h9uWRql2wEv8ifabrNkt6SgmoG9gyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com
ResponseHTTP/1.1 429 Too Many Requests
Date: Mon, 13 Jan 2025 21:08:11 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
Server: HTTP server (unknown)
Content-Length: 3075
X-XSS-Protection: 0
Connection: close
-
169.47.106.186:80http://4videosoft.com/iphone.gif?tq=gJ4WK%2FSUh6zGkER8oY%2BQrMWTUj26kJHjyZVVK%2B%2FbxWq1SfkIYVhXhttp
HTTP Request
GET http://4videosoft.com/iphone.gif?tq=gJ4WK%2FSUh6zGkER8oY%2BQrMWTUj26kJHjyZVVK%2B%2FbxWq1SfkIYVhXHTTP Response
301 -
76.223.54.146:80http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJrX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGg45Ym1rAT9GT7iiszYBIZqTeT%2B0alxtygbpb6HvnSAMRu4pVKv975Xlm5Ghttp
HTTP Request
POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJrX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGg45Ym1rAT9GT7iiszYBIZqTeT%2B0alxtygbpb6HvnSAMRu4pVKv975Xlm5GHTTP Response
405 -
142.250.187.196:80http://www.google.com/http
HTTP Request
GET http://www.google.com/HTTP Response
302 -
103.224.212.215:80http://zoneak.com/images/im133.jpg?tq=gHZutDyMv5rJeyG1J8K%2B1MWCJbP4lltXIA%3D%3Dhttp
HTTP Request
GET http://zoneak.com/images/im133.jpg?tq=gHZutDyMv5rJeyG1J8K%2B1MWCJbP4lltXIA%3D%3DHTTP Response
403 -
76.223.54.146:80http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJrX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGg45Ym1rAT9GT7iiszYBIZqTeT%2B0alxtygbpb6HvnSAOQij%2B82oYvEaT%2Bfuwd13Uq%2F3vleWbkY%3Dhttp
HTTP Request
POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJrX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gGg45Ym1rAT9GT7iiszYBIZqTeT%2B0alxtygbpb6HvnSAOQij%2B82oYvEaT%2Bfuwd13Uq%2F3vleWbkY%3DHTTP Response
405 -
142.250.187.196:80http://www.google.com/http
HTTP Request
GET http://www.google.com/HTTP Response
302 -
127.0.0.1:60990 -
142.250.187.196:80http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGLqBlrwGIjA5aSy65UgQpOuVEHmgXT137N7YBqgUW3RzLJ0h9uWRql2wEv8ifabrNkt6SgmoG9gyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMhttp
HTTP Request
GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGLqBlrwGIjA5aSy65UgQpOuVEHmgXT137N7YBqgUW3RzLJ0h9uWRql2wEv8ifabrNkt6SgmoG9gyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMHTTP Response
429 -
127.0.0.1:60990
-
8.8.8.8:534videosoft.comdns
DNS Request
4videosoft.com
DNS Response
169.47.106.186
-
8.8.8.8:53zonetf.comdns
DNS Request
zonetf.com
DNS Response
76.223.54.14613.248.169.48
-
8.8.8.8:53differentdata-one.comdns
DNS Request
differentdata-one.com
-
8.8.8.8:53www.google.comdns
DNS Request
www.google.com
DNS Response
142.250.187.196
-
8.8.8.8:53zoneak.comdns
DNS Request
zoneak.com
DNS Response
103.224.212.215
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5d3acbe5014dbfadd635b300f325b2f6e
SHA1efe34e61c54bab0a883b3a660669ef032212bc7d
SHA256a92f1fe706782930498055bcec0881fcb9958d2519974ccf0332723e980a1231
SHA512614085c75d0238414ded3b62d28163b01b1b0b39e17947d5917047ec778a13e9a64ef83446d304adc3c08f200f38438055e478fd1a99003a23dfb7f256f0f40a
-
Filesize
600B
MD575b53901c5219d587eca61a92a5e1510
SHA17092cc2297b4ecef6f0fbf1c2af82c5daf7fc216
SHA256b1a3d46ffa70120318357cd9febca5b299d0a4fa4f8b351219abd0f89cbd92c5
SHA512730170042704e4057bf935982172c286b77ec8c58744710e6643ef52e8bf74a093e0b304fadd9d587207a8d0a3ede63851e8ab179a988d9957c14aa0512ddd04
-
Filesize
996B
MD54f1e51df4e31578b82ccc6bf5d795951
SHA1dec4cbaf507a8ddda474ff4e872e08d23608a50f
SHA2564abf329ec37c7e5810b54bb822bfd4b70b80ca9c1fd574d24ed6d395145467d8
SHA512efd5a059d11bae20355c2118248618cb20d73fd01bd7936dbd1fb02f697af8f27f2708068656e853b27cc4d641d6c2a63d9bef88522cedc431d8e03c38c710fe
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB