Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 140s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/01/2025, 02:05
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe
Resource: win7-20241010-en
General
Target: JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe
Size: 164KB
MD5: 67c31b83e83098964f5f43cb4aeef38c
SHA1: 0c48d64fcc5b8d95f9012516f674837b5eb54e78
SHA256: 14947c5cf10a8cbcc0dedfa7e98d039f7fac473a10e15f771f5da29c33076d1a
SHA512: 756471651c942ceeb2e80247bbc4b1c3e3a18f00679ae528ea14466cf8a6487df84b6f61c06f9a5c8bf4018a17d048c75b0d4921f134acec2579ca9ae8435db9
SSDEEP: 3072:Ay11Z4oCZpZ+2/N3jCkwwyqN/GJ2KfJ0xVdUpLughILqY4cuGUXwdJyv:zr4C2/tjCk5yi/02bdUgdzJUXy
Malware Config
Signatures
Cycbot family
Detects Cycbot payload (6 IoCs)
Cycbot is a backdoor and trojan written in C++.
All six hits are on memory dumps of the running processes (the 0x400000 image regions that also match the upx rule below), so the family detection comes from the unpacked in-memory image rather than from a scan of the file on disk, for which no match is listed.
resource / yara_rule:
behavioral2/memory/976-21-0x0000000000400000-0x0000000000491000-memory.dmp  family_cycbot
behavioral2/memory/2852-22-0x0000000000400000-0x0000000000491000-memory.dmp  family_cycbot
behavioral2/memory/2852-23-0x0000000000400000-0x000000000048E000-memory.dmp  family_cycbot
behavioral2/memory/3784-147-0x0000000000400000-0x0000000000491000-memory.dmp  family_cycbot
behavioral2/memory/2852-148-0x0000000000400000-0x0000000000491000-memory.dmp  family_cycbot
behavioral2/memory/2852-334-0x0000000000400000-0x0000000000491000-memory.dmp  family_cycbot
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
The value is written under the user's own hive (HKU\<SID>, i.e. HKCU), so no elevation was needed; the original explorer.exe entry is kept so the desktop still loads while the dropped 9E42C.exe is launched at every logon of this user.
description / ioc / Process:
Set value (str)  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\BB08A\\9E42C.exe"  JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe
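As an added example (not tria.ge code), the check below turns the Winlogon IoC above into detection logic: it parses "Set value (str)" rows in the report's own format, splits the comma-separated Shell/Userinit program list, and flags every entry that is not the stock default, with a stronger label when the program lives under a user-writable directory. The default values and the two benign rows in the sample are assumptions for a clean Windows 10 host; the sample SID and svchost.exe writer are constructed.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# Added example (not tria.ge code). Stock Winlogon logon-program values assumed
# for a clean Windows 10 host; anything appended or substituted is suspect.
WINLOGON_DEFAULTS = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}

# Directories a standard user can write to; a logon program there is a stronger
# signal than one under Program Files or System32.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# 'Set value (str) <key>\Winlogon\<name> = "<data>" <process>' as printed in the report.
IOC_RE = re.compile(
    r'Set value \(str\)\s+(?P<key>\\REGISTRY\\.+?\\Winlogon\\(?P<name>\w+))'
    r'\s*=\s*"(?P<data>[^"]*)"\s+(?P<process>\S+)'
)


class Finding(NamedTuple):
    value_name: str
    entry: str
    reason: str
    process: str


def split_entries(data: str) -> list[str]:
    """Split a Winlogon program list; the report doubles backslashes, so undo that."""
    data = data.replace("\\\\", "\\")
    return [e.strip().strip('"') for e in data.split(",") if e.strip()]


def check_winlogon(value_name: str, data: str, process: str = "") -> list[Finding]:
    """Return one Finding per entry of value_name that is not the stock default."""
    name = value_name.lower()
    if name not in WINLOGON_DEFAULTS:
        return []
    findings = []
    for entry in split_entries(data):
        if entry.lower() in WINLOGON_DEFAULTS[name]:
            continue
        reason = "non-default logon program"
        if any(d in entry.lower() for d in USER_WRITABLE):
            reason += " in user-writable location"
        findings.append(Finding(value_name, entry, reason, process))
    return findings


def scan_ioc_lines(lines: list[str]) -> list[Finding]:
    """Run check_winlogon over report-style 'Set value (str)' rows."""
    findings: list[Finding] = []
    for line in lines:
        m = IOC_RE.search(line)
        if m:
            findings.extend(check_winlogon(m["name"], m["data"], m["process"]))
    return findings


# Constructed sample: the row from this report plus two benign rows a clean host
# would produce (the second SID and the svchost.exe writer are made up).
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000'
    r'\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = '
    r'"explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\BB08A\\9E42C.exe" '
    r'JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-0-0-0-1001\SOFTWARE\Microsoft\Windows NT'
    r'\CurrentVersion\Winlogon\Shell = "explorer.exe" svchost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    r'\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe," svchost.exe',
]

if __name__ == "__main__":
    for f in scan_ioc_lines(SAMPLE_LINES):
        print(f"{f.value_name}: {f.entry} ({f.reason}) set by {f.process}")
```

Only the report's row produces a finding; the trailing comma in the Userinit default is tolerated because empty entries are dropped, which matters because Windows itself writes that value with the trailing comma.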
yara_rule upx matches (10 IoCs)
resource / yara_rule:
behavioral2/memory/2852-3-0x0000000000400000-0x0000000000491000-memory.dmp  upx
behavioral2/memory/976-20-0x0000000000400000-0x0000000000491000-memory.dmp  upx
behavioral2/memory/976-19-0x0000000000400000-0x0000000000491000-memory.dmp  upx
behavioral2/memory/976-21-0x0000000000400000-0x0000000000491000-memory.dmp  upx
behavioral2/memory/2852-22-0x0000000000400000-0x0000000000491000-memory.dmp  upx
behavioral2/memory/2852-23-0x0000000000400000-0x000000000048E000-memory.dmp  upx
behavioral2/memory/3784-145-0x0000000000400000-0x0000000000491000-memory.dmp  upx
behavioral2/memory/3784-147-0x0000000000400000-0x0000000000491000-memory.dmp  upx
behavioral2/memory/2852-148-0x0000000000400000-0x0000000000491000-memory.dmp  upx
behavioral2/memory/2852-334-0x0000000000400000-0x0000000000491000-memory.dmp  upx
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description / pid / Process / procid_target:
PID 2852 wrote to memory of 976  2852  JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe  85
PID 2852 wrote to memory of 976  2852  JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe  85
PID 2852 wrote to memory of 976  2852  JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe  85
PID 2852 wrote to memory of 3784  2852  JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe  100
PID 2852 wrote to memory of 3784  2852  JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe  100
PID 2852 wrote to memory of 3784  2852  JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe  100
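The rows above only say that PID 2852 wrote into 976 and 3784; what makes them interesting is that both targets are the parent's own freshly spawned copies. As an added example (not tria.ge code), the correlator below joins the WriteProcessMemory rows with a process table built from the process tree in this report, collapses the repeated rows per writer/target pair, and labels each pair as a write into the writer's own child of the same image versus a write into an unrelated process. The PID 4100 dropper.exe writing into a PID 1234 explorer.exe is a constructed contrast case, not something observed in this analysis.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Added example (not tria.ge code). Row format copied from the report's table:
# "PID <src> wrote to memory of <dst> <src> <process> <procid_target>".
WPM_RE = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)")


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int | None
    image: str


def parse_write_events(lines: list[str]) -> list[tuple[int, int]]:
    """Extract (writer pid, target pid) from report-style WriteProcessMemory rows."""
    events = []
    for line in lines:
        m = WPM_RE.search(line)
        if m:
            events.append((int(m["src"]), int(m["dst"])))
    return events


def classify(src: Proc | None, dst: Proc | None) -> str:
    """Label one writer/target pair from image identity and parent/child relation."""
    if src is None or dst is None:
        return "write to process missing from tree"
    same_image = src.image.lower() == dst.image.lower()
    if same_image and dst.ppid == src.pid:
        return "write into own child of the same image"
    if same_image:
        return "write into unrelated instance of own image"
    return f"cross-process injection into {dst.image.rsplit(chr(92), 1)[-1]}"


def correlate(events: list[tuple[int, int]], procs: dict[int, Proc]) -> dict[tuple[int, int], tuple[str, int]]:
    """Collapse repeated rows per (writer, target) pair and label each pair."""
    counts = Counter(events)
    return {pair: (classify(procs.get(pair[0]), procs.get(pair[1])), n) for pair, n in counts.items()}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe"

# Process table from the report's tree; PIDs 1234 and 4100 are constructed.
PROCS = {p.pid: p for p in [
    Proc(2852, None, SAMPLE),
    Proc(976, 2852, SAMPLE),
    Proc(3784, 2852, SAMPLE),
    Proc(1234, None, r"C:\Windows\explorer.exe"),
    Proc(4100, None, r"C:\Users\Admin\Downloads\dropper.exe"),
]}

# The six rows from the report plus one constructed cross-process row.
WPM_LINES = [
    "PID 2852 wrote to memory of 976 2852 JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe 85",
    "PID 2852 wrote to memory of 976 2852 JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe 85",
    "PID 2852 wrote to memory of 976 2852 JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe 85",
    "PID 2852 wrote to memory of 3784 2852 JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe 100",
    "PID 2852 wrote to memory of 3784 2852 JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe 100",
    "PID 2852 wrote to memory of 3784 2852 JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe 100",
    "PID 4100 wrote to memory of 1234 4100 dropper.exe 7",
]

if __name__ == "__main__":
    for (src, dst), (label, n) in correlate(parse_write_events(WPM_LINES), PROCS).items():
        print(f"{src} -> {dst}: {label} ({n} writes)")
```

Three writes per child is what the report records; the correlator keeps the count so an analyst can see that the parent wrote repeatedly into each child rather than once, which is the usual shape when an image is being replaced section by section.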
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe (PID 2852)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe"
  - Modifies WinLogon for persistence
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe (PID 976)
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe start C:\Program Files (x86)\LP\2CCB\F46.exe%C:\Program Files (x86)\LP\2CCB
  child: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe (PID 3784)
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe start C:\Program Files (x86)\8A5BC\lvvm.exe%C:\Program Files (x86)\8A5BC
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 597B
MD5: 785b67d105bcb3d024f6ef5e61620f01
SHA1: d4307527ebab1747964f0e3b9b8250bf1b2067dc
SHA256: 059d7452821d56f58d5bfcb7cb8083d65f94d4f88617cbb504f3a54a85dfe35b
SHA512: cef35d260342274a5510774afe2fe79b514cbb8d2e4552ce6ee24f9e567a03570495443149a68e0ba0162c4023b2237a25249826bbbfa6ed8d6782c346864d65

Filesize: 1KB
MD5: 26c850a58e61c21277b24632f7767b2e
SHA1: acf91978e77afbdfc48f805baa566da32b761cee
SHA256: 360a26cc0b58019fa2eca06e055bfa1c980b39ee04cb387af0506f4a73b739b6
SHA512: 6cf29ac4dd557ce79cf857953a3bf3f205c294acd812001becf6e4318f973d8e2c608048ccc4e96c70db7dd1da38d741e5512dfd841b3ddb908be3eacee166f4

Filesize: 897B
MD5: cf84175222b898ac0d9d0e3e11b48890
SHA1: f5f1f13243b7a6b007e5dcf2984e14ebe7a74264
SHA256: fb229c3c46121fd2b58fe8b1c58f0bbb7d5ce40e5f56f391b39c52af3928f68f
SHA512: ab6a3a75daa15e74ce945919edbd7374b0e420219de3bce1c1b674293aed37e1859fcf07f0109bf7c3bdd3878cc0ab38baf4f9f64b841f66389f6ed762054e42

Filesize: 1KB
MD5: ac7c4c3c0dd5f7f2f0c5456f491b41c0
SHA1: ee299a397cc1ea609029093da1eee3c0dcc53739
SHA256: 6908046c6d94e63a0a2efffce9b4fd3e4305ab0d7ec4a5f56ab30dac93213d02
SHA512: e29b05c0b2283147a5263899af4f6a0242eee0f11d9e0d7eb1fa93fff3c9b2ddabc8c431927851daf3c3f5fdc97cd538dc9dc738716dc4a0b16b5f9511f0722e