Analysis
- max time kernel: 141s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/01/2025, 16:12
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe
Resource: win7-20240903-en
General
- Target: JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe
- Size: 183KB
- MD5: 402a247a67d38ddff6e5807b5156e541
- SHA1: 64d0df4d0da57678e65e7c6ce32c5900f68052ac
- SHA256: 239a9ba253899e7b2850d8a85580ad1702f74ab9c63e21cb8bce9cfa487c9ad1
- SHA512: fbfc4c9b6a81a4cf440c8fb797e7ae8ceb0659ba1e6db10a5bdc377931aa42057314b6458e80e5f1b1fd4f864a4b3abf07818ab100250b1325353ccc949b2031
- SSDEEP: 3072:VJ0PLdHSf2yB7H5KpVHTF1aMNOTavgzxXzS/nCR7dG7KkO6+9GcUuTcVltIi9:VJ0PlSf2C47zF1HgcvCrGmku9PU/ntI
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (5 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource | yara_rule
  behavioral2/memory/3204-14-0x0000000000400000-0x0000000000490000-memory.dmp | family_cycbot
  behavioral2/memory/4656-15-0x0000000000400000-0x0000000000490000-memory.dmp | family_cycbot
  behavioral2/memory/4656-82-0x0000000000400000-0x0000000000490000-memory.dmp | family_cycbot
  behavioral2/memory/1360-86-0x0000000000400000-0x0000000000490000-memory.dmp | family_cycbot
  behavioral2/memory/4656-198-0x0000000000400000-0x0000000000490000-memory.dmp | family_cycbot
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe" | JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe
- UPX yara rule matches (9 IoCs)
  resource | yara_rule
  behavioral2/memory/4656-2-0x0000000000400000-0x0000000000490000-memory.dmp | upx
  behavioral2/memory/3204-12-0x0000000000400000-0x0000000000490000-memory.dmp | upx
  behavioral2/memory/3204-13-0x0000000000400000-0x0000000000490000-memory.dmp | upx
  behavioral2/memory/3204-14-0x0000000000400000-0x0000000000490000-memory.dmp | upx
  behavioral2/memory/4656-15-0x0000000000400000-0x0000000000490000-memory.dmp | upx
  behavioral2/memory/4656-82-0x0000000000400000-0x0000000000490000-memory.dmp | upx
  behavioral2/memory/1360-85-0x0000000000400000-0x0000000000490000-memory.dmp | upx
  behavioral2/memory/1360-86-0x0000000000400000-0x0000000000490000-memory.dmp | upx
  behavioral2/memory/4656-198-0x0000000000400000-0x0000000000490000-memory.dmp | upx
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4656 wrote to memory of 3204 | 4656 | JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe | 83
  PID 4656 wrote to memory of 3204 | 4656 | JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe | 83
  PID 4656 wrote to memory of 3204 | 4656 | JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe | 83
  PID 4656 wrote to memory of 1360 | 4656 | JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe | 92
  PID 4656 wrote to memory of 1360 | 4656 | JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe | 92
  PID 4656 wrote to memory of 1360 | 4656 | JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe | 92
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe (level 1, PID 4656)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe"
  - Modifies WinLogon for persistence
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe (level 2, PID 3204)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe (level 2, PID 1360)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 10f743844a7c06e1195a3c275d91824b
  SHA1: 81e4863af55f1747088e6b215928dca029bff9e4
  SHA256: f106e02a2b88f6d7f5b82817a1846f9fb9a91bd4a0a247172f9d0d1a752199e4
  SHA512: 63dfd4d751888d48e4030b4bd9018faa7b799499000a8020d1092f3de9082e11afef2eba3d50526b110e000c4b14e17b799968d04b6836c142d47bcf93bca02b
- Filesize: 600B
  MD5: 3d82a49ccb10f9d92e4bab9ba427d101
  SHA1: b06836acada133c54b293f2a9159ffe55c55845a
  SHA256: 17bac82b963d5cecb35650d968074d03ca87cc06a17fc8b910ee85d932efd567
  SHA512: 0152eb84c026eeea87cee92e2dd0689c7e708210c9f6e1172e244cacadf74bc4a305e9b3904a5b50afa5d74980c664a0d7a4c7e225d9a66d655ad374f3d3e8ad
- Filesize: 996B
  MD5: 1a673a8b7ef52980e1e9074ea4964d65
  SHA1: 987dc2a8489e9a381f13d99f37aa3d3727c9eb2c
  SHA256: b88dea3b6aa09045d14a9088034e849add54a55859af5786bc9db1a0b461e44d
  SHA512: 21f34346b87ff63b540ec798c84dcf15874c24be0730d721d5cc9e4bac68c4df263741571ee4cda81ddd89c8e28c17b06486d9a55abb91c910226beef73eb916