Analysis
max time kernel
141s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
15/01/2025, 05:24
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe
Resource
win7-20240903-en
General
Target
JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe
Size
186KB
MD5
4e04ae53c23c85b945326296df72f5bf
SHA1
30aad14448cc6e4b726965f4903b14f66e81ccbd
SHA256
24f498ccacefdc17908286f5a32ece287150d04a86962bfdfcf596f7550454b6
SHA512
e564fac511659910e86b497e5a3301fe054cea356b3181d0213224f7fd5ee6d345427977c273310043425c4ee203270ca2c37174a82e107a767a3f48676c041c
SSDEEP
3072:y2Gc/zzK8pXIhEjGANCwjwsiXQrApPen4asY5Kb512gJAYMeEa4Wq7vZ6JOkm1P:T3zzKj6/NCwjpiwJsCKZAYMeEa4NZ6X+
Malware Config
Signatures

Cycbot family

Detects Cycbot payload 5 IoCs
Cycbot is a backdoor and trojan written in C++.
resource (yara_rule family_cycbot):
behavioral2/memory/3896-13-0x0000000000400000-0x0000000000454000-memory.dmp
behavioral2/memory/4032-14-0x0000000000400000-0x0000000000454000-memory.dmp
behavioral2/memory/4032-15-0x0000000000400000-0x0000000000452000-memory.dmp
behavioral2/memory/4948-101-0x0000000000400000-0x0000000000454000-memory.dmp
behavioral2/memory/4032-260-0x0000000000400000-0x0000000000454000-memory.dmp

UPX packer signature in memory (yara_rule upx) 8 IoCs
resource (yara_rule upx):
behavioral2/memory/4032-2-0x0000000000400000-0x0000000000454000-memory.dmp
behavioral2/memory/3896-12-0x0000000000400000-0x0000000000454000-memory.dmp
behavioral2/memory/3896-11-0x0000000000400000-0x0000000000454000-memory.dmp
behavioral2/memory/3896-13-0x0000000000400000-0x0000000000454000-memory.dmp
behavioral2/memory/4032-14-0x0000000000400000-0x0000000000454000-memory.dmp
behavioral2/memory/4032-15-0x0000000000400000-0x0000000000452000-memory.dmp
behavioral2/memory/4948-101-0x0000000000400000-0x0000000000454000-memory.dmp
behavioral2/memory/4032-260-0x0000000000400000-0x0000000000454000-memory.dmp
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / process:
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe
Suspicious use of WriteProcessMemory 6 IoCs
description / pid / process / procid_target:
PID 4032 wrote to memory of 3896 | 4032 JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe | 90
PID 4032 wrote to memory of 3896 | 4032 JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe | 90
PID 4032 wrote to memory of 3896 | 4032 JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe | 90
PID 4032 wrote to memory of 4948 | 4032 JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe | 98
PID 4032 wrote to memory of 4948 | 4032 JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe | 98
PID 4032 wrote to memory of 4948 | 4032 JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe | 98
Processes

1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe"
   PID: 4032
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. (child of PID 4032) C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe
      command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe startC:\Program Files (x86)\LP\49F2\9EA.exe%C:\Program Files (x86)\LP\49F2
      PID: 3896
      - System Location Discovery: System Language Discovery

   2. (child of PID 4032) C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe
      command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe startC:\Users\Admin\AppData\Roaming\26907\07D49.exe%C:\Users\Admin\AppData\Roaming\26907
      PID: 4948
      - System Location Discovery: System Language Discovery
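The signature and process-tree data above are flat text, and the useful analyst questions sit across several of those tables: which PIDs carry the Cycbot payload, which process wrote into which, whether every YARA hit lies at the PE image base (in which case the rule fires on the sample's own unpacked image rather than on a region planted in an unrelated process), and which paths the child processes' start<exe>%<dir> argument names. The Python below is an added example, not part of the tria.ge report and not the sample's code; it parses a subset of the report's own lines (embedded as constructed input) and answers those questions. The regular expressions, the IMAGE_BASE constant and the function names are this example's own assumptions.

```python
import re
from collections import defaultdict

# Default image base of a 32-bit PE. Every dump in the report starts here.
IMAGE_BASE = 0x00400000

# Constructed input: memory-dump YARA hits copied from the report (a subset;
# the report lists more upx hits with the same base address).
YARA_HITS = """\
behavioral2/memory/3896-13-0x0000000000400000-0x0000000000454000-memory.dmp family_cycbot
behavioral2/memory/4032-14-0x0000000000400000-0x0000000000454000-memory.dmp family_cycbot
behavioral2/memory/4032-15-0x0000000000400000-0x0000000000452000-memory.dmp family_cycbot
behavioral2/memory/4948-101-0x0000000000400000-0x0000000000454000-memory.dmp family_cycbot
behavioral2/memory/4032-260-0x0000000000400000-0x0000000000454000-memory.dmp family_cycbot
behavioral2/memory/4032-2-0x0000000000400000-0x0000000000454000-memory.dmp upx
behavioral2/memory/3896-11-0x0000000000400000-0x0000000000454000-memory.dmp upx
behavioral2/memory/4948-101-0x0000000000400000-0x0000000000454000-memory.dmp upx
"""

# Constructed input: the two distinct WriteProcessMemory events from the report.
WPM_EVENTS = """\
PID 4032 wrote to memory of 3896 4032 JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe 90
PID 4032 wrote to memory of 4948 4032 JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe 98
"""

# Constructed input: command lines of the two child processes in the process tree.
CHILD_CMDLINES = [
    r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe "
    r"startC:\Program Files (x86)\LP\49F2\9EA.exe%C:\Program Files (x86)\LP\49F2",
    r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe "
    r"startC:\Users\Admin\AppData\Roaming\26907\07D49.exe%C:\Users\Admin\AppData\Roaming\26907",
]

# <pid>-<seq>-0x<start>-0x<end>-memory.dmp <rule>
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)"
    r"-memory\.dmp\s+(?P<rule>\S+)", re.I)
WPM_RE = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)")
# "start<exe>%<dir>" as the sample passes it when re-launching itself; the
# optional whitespace tolerates a space between "start" and the path.
START_ARG_RE = re.compile(r"\sstart\s?(?P<exe>[A-Za-z]:\\[^%]+)%(?P<dir>[A-Za-z]:\\.+)$")


def parse_dumps(text):
    """Return [(pid, seq, start, end, rule), ...] for every memory-dump hit."""
    return [(int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16), m["rule"])
            for m in DUMP_RE.finditer(text)]


def parse_wpm(text):
    """Map each source PID to the set of PIDs it wrote into."""
    graph = defaultdict(set)
    for m in WPM_RE.finditer(text):
        graph[int(m["src"])].add(int(m["dst"]))
    return dict(graph)


def parse_start_args(cmdlines):
    """Extract (dropped exe path, directory) pairs from start<exe>%<dir> arguments."""
    return [(m["exe"], m["dir"]) for m in map(START_ARG_RE.search, cmdlines) if m]


def summarize(yara_text=YARA_HITS, wpm_text=WPM_EVENTS, cmdlines=CHILD_CMDLINES):
    """Correlate YARA hits, WriteProcessMemory events and child command lines."""
    rules_by_pid = defaultdict(set)
    regions = set()
    for pid, _seq, start, end, rule in parse_dumps(yara_text):
        rules_by_pid[pid].add(rule)
        regions.add((start, end))
    injections = parse_wpm(wpm_text)
    cycbot_pids = {pid for pid, rules in rules_by_pid.items() if "family_cycbot" in rules}
    targets = set().union(*injections.values()) if injections else set()
    return {
        "cycbot_pids": cycbot_pids,
        "injections": injections,
        # All hits at the image base: the rule matched the sample's own unpacked
        # image in each process, not a region written into a third-party process.
        "all_at_image_base": all(start == IMAGE_BASE for start, _ in regions),
        "largest_region": max(end - start for start, end in regions),
        # Every process that was written into also carries the payload.
        "targets_carry_payload": targets <= cycbot_pids,
        "dropped_paths": parse_start_args(cmdlines),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The WriteProcessMemory targets here are the sample's own children, each launched from the same executable with a start<exe>%<dir> argument, so the correlation distinguishes this self-relaunch pattern from injection into an unrelated host process; the same parser applies to other tria.ge reports as long as the dump-name and event-line formats are unchanged.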
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize
996B
MD5
50bdc575b978bcc85f47de50c9c786fc
SHA1
feea96f61f32c6fca4c521a7cd6f41f96df4e536
SHA256
6d118adf0f5332a01296e525cbb0b643ce393b051fe2cb36e9a29457ba210bba
SHA512
25d1b58cae2f928b3cd704007d400b78079486dcfe2360d233c22be6b921df1a5c70dbc6e1eb47bec15a0b0ff763a4c41722141859508792f43b0ae63df4f70c

Filesize
600B
MD5
534978a93da49467b177e3fed9ee88b5
SHA1
92aea43253a194dcea4e5ef9386f82a6acd70a45
SHA256
65b649bee3c9b0197089d011a104486c92d15ed0d0ff39065a3c86a13c77ff3d
SHA512
cc1e8dfebfe8e80f09fb28ccdd9dfe60a7453d19fd30e0aa7dcd1ad468fb2c6b5b41d0757d99a9a47c9478abd332a86be6d2b7c403c3ac657ae11ec7e8e6e2ba

Filesize
1KB
MD5
fb2eefb2b9d40a0e8f88913f6637a6d0
SHA1
56c4303b00f26921bcdf60a1f5726f39a46848ac
SHA256
c22b7b6b79966965b7414b8218cf6c26dbc8a6152218097f5bff50ab8bc64dc2
SHA512
207fd85e2a687d333f7c1d51f84e537a4712e491d13ba5b1795bbc9b2669aa2f6e73f5a438a254eec8ba16a4d3089ccd12c291db473ee811353f5c9c75dabff0