Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JaffaCakes...fc.exe

windows7-x64

10

JaffaCakes...fc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16/01/2025, 20:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_81af0fe78842a1f601cddfb6dda09dfc.exe

  • Size

    165KB

  • MD5

    81af0fe78842a1f601cddfb6dda09dfc

  • SHA1

    f674df8566d9f5722c553d95cc05183603830cc7

  • SHA256

    1553881425fa895cb6dfa1de4410fbdd3363f117c64cefec69764651caa71d99

  • SHA512

    92992b9c055ae990dad4e96babd98f09895ea660b873f6d6a8a0b8966ec8954e0c57c59b0aa5dce306f3b8eeedb49bc8c638b139ec775c9e57e151a9e199f20e

  • SSDEEP

    3072:snouwXfQPvUubHKBT3D8kH4/xA02cRHwneYifp5rMARkygyNbVGPzYtKrU:EouwXfQPvUuSDH4Jp2OaIRCJtHU

Score
10/10
cycbotbackdoordiscoverypersistenceratspywarestealerupx

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

    backdoorratcycbot
  • Cycbot family
    cycbot
  • Detects Cycbot payload 7 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81af0fe78842a1f601cddfb6dda09dfc.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81af0fe78842a1f601cddfb6dda09dfc.exe"
    1⤵
    • Modifies WinLogon for persistence
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81af0fe78842a1f601cddfb6dda09dfc.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81af0fe78842a1f601cddfb6dda09dfc.exe startC:\Program Files (x86)\LP\073C\01B.exe%C:\Program Files (x86)\LP\073C
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1020
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81af0fe78842a1f601cddfb6dda09dfc.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81af0fe78842a1f601cddfb6dda09dfc.exe startC:\Program Files (x86)\9FB7B\lvvm.exe%C:\Program Files (x86)\9FB7B
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2884

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\C3F9F\FB7B.3F9
    Filesize

    996B

    MD5

    8ee70cfd6617038aa866dfc284e5f8a9

    SHA1

    788bd61e966a0aa660f1d0ce8ce92d9b68d903ac

    SHA256

    e81dbc2c958524345e42ffcd347c386954a0923a467aa11d19e43e114e4b3e9d

    SHA512

    a634139cdeeb68b8d3e258200895b3bbe2bbf486c620e0d71ce4e9c931603a9909e38d40e6d9f568e8372ff101249c8337428e60a3680f9325f890bd4b967e42

    Download Submit

  • C:\Users\Admin\AppData\Roaming\C3F9F\FB7B.3F9
    Filesize

    600B

    MD5

    d497dc84ea84f5c03937381c6ccfcbca

    SHA1

    6972fb66325efd80ffd1eb7a67875197ab7bd924

    SHA256

    8b74d65c7dc2739950c3e4238520c716f65b4ae7d37d0fb0302418d84aa9fa87

    SHA512

    330b8b5c7888e343c0a72a7bca21160331b1480eab9696a4296cb8d17599d6b12c84eaecb15d7b66a7085a96b34948e87ce4db0eff6e0f6c5270c865495a59a1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\C3F9F\FB7B.3F9
    Filesize

    1KB

    MD5

    0a20a7bfb89f79c0ca3896437a5fcf14

    SHA1

    dd1184927f00c809b1e4d5482601d027ee958961

    SHA256

    018a32435f6f03e684666a3996a3bfec6052fc3b534a211ac87cd3eb25242bdb

    SHA512

    b446eb569e34b709442c67ba5fc0cb9f1063580b52d73e98dba118c4e1fbf801a5757e9f8dc966b89953f4cd977f3ca3b0a4482af4e5574592d1b13d5f168345

    Download Submit

  • memory/1020-16-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/1020-14-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/1872-18-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/1872-0-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/1872-17-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/1872-122-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/1872-3-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/1872-2-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/1872-296-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/2884-121-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/2884-120-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download