Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/01/2025, 17:31

General

  • Target

    JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe

  • Size

    180KB

  • MD5

    7d54f09d2cd3220d3794dc738fbde3ae

  • SHA1

    130a3e621f60338da373d8dc2b812a4bd938113d

  • SHA256

    278f84565d879538acce3295e0257515ec856ebba85cc5aade3ec6b8c4f09230

  • SHA512

    0132849efe2008610130ff75258661f6a10b5babdb796558c309a215cb2b61467efd7dc672e9b1d4925d37bb3305e2cd6215bef39000c58dd0823c825a5f8b35

  • SSDEEP

    3072:e/oHwqvsl1URuMthYIM2EfqsftIYkGJIurF0eTuVSPChNUmt+QYCZ5RsuT/:e/C0l14uS3ofJIurF0VVSKzUmt+hikur

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload (5 IoCs)

    Cycbot is a backdoor and trojan written in C++.

  • UPX packed file (8 IoCs)

    Detects executables packed with UPX or a modified UPX open-source packer.

  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe"
    PID:4116
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe startC:\Program Files (x86)\LP\504C\11E.exe%C:\Program Files (x86)\LP\504C
      PID:3728
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe startC:\Users\Admin\AppData\Roaming\CB6B4\73050.exe%C:\Users\Admin\AppData\Roaming\CB6B4
      PID:2584

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Roaming\CB6B4\4431.B6B

        Filesize

        597B

        MD5

        e32f784d9b41057aac447b431744ce07

        SHA1

        ee1aaa34f0c0a117900523725262c6512fd1d658

        SHA256

        cd49381fc7cdf5b8ef6cc5b45b1c97e2cb015e77ef210dc41c70ac71fb94d173

        SHA512

        c08d917f84d8bb26255e0f5ec6278f3081923430174df5f7ab3c5df4be1b278b276a37abe7836ebabf37160dfaffc49ce3a2dfe7118faa8a0e4f4dfedff6b3d0

      • C:\Users\Admin\AppData\Roaming\CB6B4\4431.B6B

        Filesize

        1KB

        MD5

        2cd653cdd88a1cfcee095f9f0fc856c3

        SHA1

        10b9b859e8373fb91c0644f9d0619c4a186d4cc0

        SHA256

        aad4feef7c44dcd735a915fb99426103ec074c4dc59820fd0c427b616fbc7e94

        SHA512

        928e4b6fc9117ef6340a898adec6834bf14b5ccda5f4a2290ffa72455aaa3cbf94e72f014f0079e490e352898e5a39b73b496eaa318afde322fedd2e481ddc13

      • C:\Users\Admin\AppData\Roaming\CB6B4\4431.B6B

        Filesize

        1KB

        MD5

        5cf625d69d06b91a0fb0b9b187543e4d

        SHA1

        4dcd316f2c3f110447e3d4fba88836bb79a24132

        SHA256

        5e4688de50fa6004710fcfa3cb51bf677d9556b4db08bd142683662b355f0c84

        SHA512

        64c92662d42d3725e0baa0d169bf5b4b397de0a80e2672e62e80d6a04afc075fec0bbf87fdf039b0c3cf39c4efb17b4919c26a12aa9d26a2ed21bfbf9e859259

      • C:\Users\Admin\AppData\Roaming\CB6B4\4431.B6B

        Filesize

        897B

        MD5

        407002d68db47efdef406b720cc73df4

        SHA1

        2135d7cbc129573d5b7085ba0739dcd275eb07de

        SHA256

        990fceb1220db40749b9d4369c439ba1c647a9c8e1c9353cc2c1302c46e55778

        SHA512

        30ee91d95f8fb62fc9b2d655c6a2c7b7db732d9f050b4233de01dd1ceab923ea1e514491f6c83bd6cd00ee1c1a819cd7cbee5e4635949124cc40855a75dea98b

      • memory/2584-127-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

      • memory/2584-128-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

      • memory/3728-19-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

      • memory/3728-18-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

      • memory/4116-20-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

      • memory/4116-21-0x0000000000400000-0x0000000000452000-memory.dmp

        Filesize

        328KB

      • memory/4116-0-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

      • memory/4116-3-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

      • memory/4116-2-0x0000000000400000-0x0000000000452000-memory.dmp

        Filesize

        328KB

      • memory/4116-291-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB