Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/01/2025, 17:31
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe
Resource: win7-20240903-en
General
- Target: JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe
- Size: 180KB
- MD5: 7d54f09d2cd3220d3794dc738fbde3ae
- SHA1: 130a3e621f60338da373d8dc2b812a4bd938113d
- SHA256: 278f84565d879538acce3295e0257515ec856ebba85cc5aade3ec6b8c4f09230
- SHA512: 0132849efe2008610130ff75258661f6a10b5babdb796558c309a215cb2b61467efd7dc672e9b1d4925d37bb3305e2cd6215bef39000c58dd0823c825a5f8b35
- SSDEEP: 3072:e/oHwqvsl1URuMthYIM2EfqsftIYkGJIurF0eTuVSPChNUmt+QYCZ5RsuT/:e/C0l14uS3ofJIurF0VVSKzUmt+hikur
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (5 IoCs)
  Cycbot is a backdoor and trojan written in C++.

  resource                                                                      yara_rule
  behavioral2/memory/3728-19-0x0000000000400000-0x0000000000455000-memory.dmp   family_cycbot
  behavioral2/memory/4116-20-0x0000000000400000-0x0000000000455000-memory.dmp   family_cycbot
  behavioral2/memory/4116-21-0x0000000000400000-0x0000000000452000-memory.dmp   family_cycbot
  behavioral2/memory/2584-128-0x0000000000400000-0x0000000000455000-memory.dmp  family_cycbot
  behavioral2/memory/4116-291-0x0000000000400000-0x0000000000455000-memory.dmp  family_cycbot

- yara rule upx matched (8 IoCs)

  resource                                                                      yara_rule
  behavioral2/memory/4116-3-0x0000000000400000-0x0000000000455000-memory.dmp    upx
  behavioral2/memory/3728-18-0x0000000000400000-0x0000000000455000-memory.dmp   upx
  behavioral2/memory/3728-19-0x0000000000400000-0x0000000000455000-memory.dmp   upx
  behavioral2/memory/4116-20-0x0000000000400000-0x0000000000455000-memory.dmp   upx
  behavioral2/memory/4116-21-0x0000000000400000-0x0000000000452000-memory.dmp   upx
  behavioral2/memory/2584-127-0x0000000000400000-0x0000000000455000-memory.dmp  upx
  behavioral2/memory/2584-128-0x0000000000400000-0x0000000000455000-memory.dmp  upx
  behavioral2/memory/4116-291-0x0000000000400000-0x0000000000455000-memory.dmp  upx
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe
- Suspicious use of WriteProcessMemory (6 IoCs)

  description                       pid   Process                                              procid_target
  PID 4116 wrote to memory of 3728  4116  JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe  84
  PID 4116 wrote to memory of 3728  4116  JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe  84
  PID 4116 wrote to memory of 3728  4116  JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe  84
  PID 4116 wrote to memory of 2584  4116  JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe  95
  PID 4116 wrote to memory of 2584  4116  JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe  95
  PID 4116 wrote to memory of 2584  4116  JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe  95
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe (PID 4116, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe (PID 3728, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe startC:\Program Files (x86)\LP\504C\11E.exe%C:\Program Files (x86)\LP\504C
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe (PID 2584, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe startC:\Users\Admin\AppData\Roaming\CB6B4\73050.exe%C:\Users\Admin\AppData\Roaming\CB6B4
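The yara hits, the WriteProcessMemory rows and the process tree above are flat IoC strings, but together they tell one story: the sample relaunches itself twice with a `start<payload.exe>%<payload dir>` argument, writes into each child, and the family rule fires on the same 0x400000 image region in parent and children. The following Python is an added example of mine, not tria.ge code: it parses those three kinds of strings (sample rows copied from this report) and derives which injected children carry the payload. The regex layouts, the `_dump` helper and the `dir_consistent` check are my assumptions about this page's formats, not a documented schema.

```python
"""Turn the IoC strings printed in this Triage-style report into an injection
and payload summary. Added example, not tria.ge code: the sample rows below are
copied from the report above, and the string layouts the regexes assume (dump
names, WriteProcessMemory rows, the 'start<payload>%<dir>' relaunch argument)
are my reading of this page, not a documented format."""
import ntpath
import re
from collections import defaultdict

# Memory-dump IoC: <task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$")
# WriteProcessMemory row: "PID <writer> wrote to memory of <target> ..."
WPM_RE = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)")
# Relaunch of the sample: <image> start<payload.exe>%<payload dir>
RELAUNCH_RE = re.compile(
    r'^"?(?P<image>.+?\.exe)"?\s+start\s*(?P<payload>.+?\.exe)%(?P<dir>.+)$',
    re.IGNORECASE)

SAMPLE = "JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"


def _dump(pid, seq, end="455000"):
    """Rebuild a dump name from the (pid, seq, end) triples listed on the page."""
    return f"behavioral2/memory/{pid}-{seq}-0x0000000000400000-0x0000000000{end}-memory.dmp"


# (dump name, rule) pairs from the two yara_rule tables above
YARA_HITS = (
    [(_dump(*d), "upx") for d in [(4116, 3), (3728, 18), (3728, 19), (4116, 20),
                                  (4116, 21, "452000"), (2584, 127), (2584, 128), (4116, 291)]]
    + [(_dump(*d), "family_cycbot") for d in [(3728, 19), (4116, 20), (4116, 21, "452000"),
                                              (2584, 128), (4116, 291)]]
)
# The six WriteProcessMemory rows (three per target) as printed above
WPM_ROWS = (
    [f"PID 4116 wrote to memory of 3728 4116 {SAMPLE} 84"] * 3
    + [f"PID 4116 wrote to memory of 2584 4116 {SAMPLE} 95"] * 3
)
# Command lines from the process tree above, keyed by PID
CMDLINES = {
    4116: f'"{TEMP}\\{SAMPLE}"',
    3728: f"{TEMP}\\{SAMPLE} startC:\\Program Files (x86)\\LP\\504C\\11E.exe"
          "%C:\\Program Files (x86)\\LP\\504C",
    2584: f"{TEMP}\\{SAMPLE} startC:\\Users\\Admin\\AppData\\Roaming\\CB6B4\\73050.exe"
          "%C:\\Users\\Admin\\AppData\\Roaming\\CB6B4",
}


def parse_dump(name):
    """Split a memory-dump IoC name into task, pid, sequence and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump IoC: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"task": m["task"], "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def rules_by_pid(hits):
    """Map each PID to the set of yara rules that fired on any of its dumps."""
    out = defaultdict(set)
    for name, rule in hits:
        out[parse_dump(name)["pid"]].add(rule)
    return dict(out)


def injection_edges(rows):
    """Deduplicate WriteProcessMemory rows into writer -> {target PIDs}."""
    edges = defaultdict(set)
    for row in rows:
        m = WPM_RE.search(row)
        if m:
            edges[int(m["src"])].add(int(m["dst"]))
    return dict(edges)


def classify_relaunch(cmdline):
    """Return payload path and directory for a 'start<payload>%<dir>' relaunch,
    else None. dir_consistent is True when the part after '%' is the payload's
    own parent directory (assumed to be the intended relationship)."""
    m = RELAUNCH_RE.match(cmdline)
    if not m:
        return None
    payload, directory = m["payload"], m["dir"]
    return {"image": m["image"], "payload": payload, "dir": directory,
            "dir_consistent": ntpath.dirname(payload).lower() == directory.lower()}


def injected_payload_pids(hits, rows, family="family_cycbot"):
    """PIDs that another process wrote into AND whose memory matched the family
    rule: the report's strongest evidence that the child holds the payload."""
    rules = rules_by_pid(hits)
    targets = {t for ts in injection_edges(rows).values() for t in ts}
    return sorted(p for p in targets if family in rules.get(p, set()))


if __name__ == "__main__":
    print("rules by pid:", rules_by_pid(YARA_HITS))
    print("injection edges:", injection_edges(WPM_ROWS))
    print("injected payload pids:", injected_payload_pids(YARA_HITS, WPM_ROWS))
    for pid, cmd in CMDLINES.items():
        print(pid, classify_relaunch(cmd))
```

Two things worth noticing in the output: every dump, in parent and children alike, sits at image base 0x400000 with a 0x55000 (or 0x52000) span, which is what you expect when a process relaunches its own executable rather than injecting into a foreign host; and `dir_consistent` holds for both children, so the `%` suffix is simply the directory of the payload path in front of it. Both observations are derived from the rows on this page only.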
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 597B
  MD5: e32f784d9b41057aac447b431744ce07
  SHA1: ee1aaa34f0c0a117900523725262c6512fd1d658
  SHA256: cd49381fc7cdf5b8ef6cc5b45b1c97e2cb015e77ef210dc41c70ac71fb94d173
  SHA512: c08d917f84d8bb26255e0f5ec6278f3081923430174df5f7ab3c5df4be1b278b276a37abe7836ebabf37160dfaffc49ce3a2dfe7118faa8a0e4f4dfedff6b3d0
- Filesize: 1KB
  MD5: 2cd653cdd88a1cfcee095f9f0fc856c3
  SHA1: 10b9b859e8373fb91c0644f9d0619c4a186d4cc0
  SHA256: aad4feef7c44dcd735a915fb99426103ec074c4dc59820fd0c427b616fbc7e94
  SHA512: 928e4b6fc9117ef6340a898adec6834bf14b5ccda5f4a2290ffa72455aaa3cbf94e72f014f0079e490e352898e5a39b73b496eaa318afde322fedd2e481ddc13
- Filesize: 1KB
  MD5: 5cf625d69d06b91a0fb0b9b187543e4d
  SHA1: 4dcd316f2c3f110447e3d4fba88836bb79a24132
  SHA256: 5e4688de50fa6004710fcfa3cb51bf677d9556b4db08bd142683662b355f0c84
  SHA512: 64c92662d42d3725e0baa0d169bf5b4b397de0a80e2672e62e80d6a04afc075fec0bbf87fdf039b0c3cf39c4efb17b4919c26a12aa9d26a2ed21bfbf9e859259
- Filesize: 897B
  MD5: 407002d68db47efdef406b720cc73df4
  SHA1: 2135d7cbc129573d5b7085ba0739dcd275eb07de
  SHA256: 990fceb1220db40749b9d4369c439ba1c647a9c8e1c9353cc2c1302c46e55778
  SHA512: 30ee91d95f8fb62fc9b2d655c6a2c7b7db732d9f050b4233de01dd1ceab923ea1e514491f6c83bd6cd00ee1c1a819cd7cbee5e4635949124cc40855a75dea98b