Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 140s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/01/2025, 10:11
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe
Resource: win7-20240903-en
General
- Target: JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe
- Size: 172KB
- MD5: 8888145b33aa163e5735260c9ee4059c
- SHA1: d9745a72ba82507e6ce9013367aa93a89eec03c9
- SHA256: aed03500ea174b94cd4382ddf03af3fdbf45df423f3099c9be69cf76abb588c2
- SHA512: 7bd1c54dc88eece2bd6c3f3b5cdf9c985a531d1429714d7b533cfc0b5b2a57beb71d00a5c865536bee7847e0abee61107ee31c5acb3cc09f3f15142682738273
- SSDEEP: 3072:boqDGUf0RRfoJLDw76Ixeki38ETjMqcE:boqY0LO6IxekisEa
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (5 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource | yara_rule
  behavioral2/memory/1496-13-0x0000000000400000-0x0000000000445000-memory.dmp | family_cycbot
  behavioral2/memory/4344-14-0x0000000000400000-0x0000000000445000-memory.dmp | family_cycbot
  behavioral2/memory/4344-79-0x0000000000400000-0x0000000000445000-memory.dmp | family_cycbot
  behavioral2/memory/2584-81-0x0000000000400000-0x0000000000445000-memory.dmp | family_cycbot
  behavioral2/memory/4344-194-0x0000000000400000-0x0000000000445000-memory.dmp | family_cycbot
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe" | JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe
- yara_rule upx matches (7 IoCs)
  resource | yara_rule
  behavioral2/memory/4344-2-0x0000000000400000-0x0000000000445000-memory.dmp | upx
  behavioral2/memory/1496-12-0x0000000000400000-0x0000000000445000-memory.dmp | upx
  behavioral2/memory/1496-13-0x0000000000400000-0x0000000000445000-memory.dmp | upx
  behavioral2/memory/4344-14-0x0000000000400000-0x0000000000445000-memory.dmp | upx
  behavioral2/memory/4344-79-0x0000000000400000-0x0000000000445000-memory.dmp | upx
  behavioral2/memory/2584-81-0x0000000000400000-0x0000000000445000-memory.dmp | upx
  behavioral2/memory/4344-194-0x0000000000400000-0x0000000000445000-memory.dmp | upx
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4344 wrote to memory of 1496 | 4344 | JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe | 82
  PID 4344 wrote to memory of 1496 | 4344 | JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe | 82
  PID 4344 wrote to memory of 1496 | 4344 | JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe | 82
  PID 4344 wrote to memory of 2584 | 4344 | JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe | 83
  PID 4344 wrote to memory of 2584 | 4344 | JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe | 83
  PID 4344 wrote to memory of 2584 | 4344 | JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe | 83
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe"
  PID: 4344
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    PID: 1496
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
    PID: 2584
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 526c0c68b2c8f14cf4d0020d73b78672
  SHA1: 0059648ff16e43250a29f54586a49e9e4f61d58b
  SHA256: e4284e410583c556b49211d0f96f3da036839d5a87442fe6523ab9b94b59313a
  SHA512: f819dc87873b1dea50fa4810f9b45b135aa6bc4beaf7192d8ec42aa9ac8913297a433a5c6c1c55f58ccc8fcf7e88597a683ced6d33467edd46665074f849a873
- Filesize: 600B
  MD5: b53c0c76d7e0184db448c79013027ec7
  SHA1: fca063d176fc6d24c6168d1a4540ccb108f95ce3
  SHA256: 88a840fec65d304a429d771f69a41606de04dd169c38bfa6fd62073e2fda5fec
  SHA512: c4a5d64e54d8bf6170c519593406f0a620344db562390c191a1f454817a3f32c469e6f5fc4c023c732ff7028014163b1411b20f53dbecbc44820adab10fe719e
- Filesize: 996B
  MD5: d54262153b4c23a6df2634f6a05a83c1
  SHA1: 347f777aa386e994baee1e47993d6d7753b5d4b9
  SHA256: 6ae6dfa20743fa0a16b8c2a409f843b2023aec4c8e090d2fe44136a95b08f642
  SHA512: 2eafda4918800b1b2401a2d05e146230e23f52d2beaac83d9cb64534af1a72a54a2d9d5de95ede6ad6a44c5462e884702b7f91d5d979ba60677fc132dd720634