
Analysis

  • max time kernel
    140s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/01/2025, 17:32 UTC

General

  • Target

    JaffaCakes118_92c384942f313fc9592f5b2df23fba0c.exe

  • Size

    186KB

  • MD5

    92c384942f313fc9592f5b2df23fba0c

  • SHA1

    71a12737efabc4a0d8f362b8b80f662688c8e486

  • SHA256

    76a0dae152f5eec6987d087c1172443ceb192accb82cde7555e8129f607c7e1c

  • SHA512

    a70aebf9d1d65b71d9703699a24136a7d6ad9bf4dbe312027bf71b352928d964c83a9fe4ede220f917c34ea251b70e99276a271403772f55deb0d24347ed2a90

  • SSDEEP

    3072:kvuQN2WHNAdOAWhq0C6DT3mN3vhVhrezLua28PrMZVtswSz+41sCm:k5NJ+dM0cn6hevu84ZLs/1sCm

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_92c384942f313fc9592f5b2df23fba0c.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_92c384942f313fc9592f5b2df23fba0c.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_92c384942f313fc9592f5b2df23fba0c.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_92c384942f313fc9592f5b2df23fba0c.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      2⤵
      • System Location Discovery: System Language Discovery
      PID:836
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_92c384942f313fc9592f5b2df23fba0c.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_92c384942f313fc9592f5b2df23fba0c.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      2⤵
      • System Location Discovery: System Language Discovery
      PID:676

Network

  • flag-us
    DNS
    willsglaucoma.org
    JaffaCakes118_92c384942f313fc9592f5b2df23fba0c.exe
    Remote address:
    8.8.8.8:53
    Request
    willsglaucoma.org
    IN A
    Response
    willsglaucoma.org
    IN A
    157.245.184.25
  • flag-us
    GET
    http://willsglaucoma.org/images/lhous3.gif?v73=65&tq=gKZEtzyfv3oqU0trmDvSgEggUPKEC1GEpJufdgUxaU1WYPoSfGbxdDAq2oEJbxBOe50QF%2FxldrVGQM9v6k1F5m07D%2BG29SJwJIcafIVFfDyCl0TIelmXb1ibka4TPiGyR%2BOGTAoXJkzS%2FNRn0SUvs5zSBCCo6oheejzbLxRkCWA9FihSkyoVU5PnBBM8lsA6aAxjsi60ziBNg4qRVNKQ6%2BfkNc%2BY53MQrcxkhcKPDPeI3ZUuwsjpGOJPMdAEeQum5%2FcoPmp8bmA3zMHvcWZohz3wnL6I7%2FMEtyY1hI%2FFjtNh7areBTWVz1PRFuVs4NQ0u8PT9K0wCuuQ4JoBJsA4ja75PP33%2BB
    JaffaCakes118_92c384942f313fc9592f5b2df23fba0c.exe
    Remote address:
    157.245.184.25:80
    Request
    GET /images/lhous3.gif?v73=65&tq=gKZEtzyfv3oqU0trmDvSgEggUPKEC1GEpJufdgUxaU1WYPoSfGbxdDAq2oEJbxBOe50QF%2FxldrVGQM9v6k1F5m07D%2BG29SJwJIcafIVFfDyCl0TIelmXb1ibka4TPiGyR%2BOGTAoXJkzS%2FNRn0SUvs5zSBCCo6oheejzbLxRkCWA9FihSkyoVU5PnBBM8lsA6aAxjsi60ziBNg4qRVNKQ6%2BfkNc%2BY53MQrcxkhcKPDPeI3ZUuwsjpGOJPMdAEeQum5%2FcoPmp8bmA3zMHvcWZohz3wnL6I7%2FMEtyY1hI%2FFjtNh7areBTWVz1PRFuVs4NQ0u8PT9K0wCuuQ4JoBJsA4ja75PP33%2BB HTTP/1.0
    Connection: close
    Host: willsglaucoma.org
    Accept: */*
    User-Agent: mozilla/2.0
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Fri, 17 Jan 2025 17:32:12 GMT
    Content-Type: text/html
    Content-Length: 162
    Connection: close
    Location: https://willsglaucoma.org/images/lhous3.gif?v73=65&tq=gKZEtzyfv3oqU0trmDvSgEggUPKEC1GEpJufdgUxaU1WYPoSfGbxdDAq2oEJbxBOe50QF%2FxldrVGQM9v6k1F5m07D%2BG29SJwJIcafIVFfDyCl0TIelmXb1ibka4TPiGyR%2BOGTAoXJkzS%2FNRn0SUvs5zSBCCo6oheejzbLxRkCWA9FihSkyoVU5PnBBM8lsA6aAxjsi60ziBNg4qRVNKQ6%2BfkNc%2BY53MQrcxkhcKPDPeI3ZUuwsjpGOJPMdAEeQum5%2FcoPmp8bmA3zMHvcWZohz3wnL6I7%2FMEtyY1hI%2FFjtNh7areBTWVz1PRFuVs4NQ0u8PT9K0wCuuQ4JoBJsA4ja75PP33%2BB
    Cache-Control: public, max-age=0
  • flag-us
    DNS
    hardsystemtwo.com
    JaffaCakes118_92c384942f313fc9592f5b2df23fba0c.exe
    Remote address:
    8.8.8.8:53
    Request
    hardsystemtwo.com
    IN A
    Response
  • flag-us
    DNS
    www.google.com
    JaffaCakes118_92c384942f313fc9592f5b2df23fba0c.exe
    Remote address:
    8.8.8.8:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    142.250.187.196
  • flag-gb
    GET
    http://www.google.com/
    JaffaCakes118_92c384942f313fc9592f5b2df23fba0c.exe
    Remote address:
    142.250.187.196:80
    Request
    GET / HTTP/1.0
    Connection: close
    Host: www.google.com
    Accept: */*
    Response
    HTTP/1.0 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNioqrwGIjDvous2lLJWV06eAojHGw92mFWnMRHpdm5YFjaLEbwkJLWIS4_ngC_ahGP6Nk3HU6EyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwI2KiqvAYQjbHl3wISBLXXsFM
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-pbgg_DREz685_2rYISGSeg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Fri, 17 Jan 2025 17:33:12 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-Uy54Y-JnqFtTLLrcynfNYxU-9inkok8yVh18_JxqGRS_feAfbdWMc; expires=Wed, 16-Jul-2025 17:33:12 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
  • flag-us
    DNS
    catalogminidevice.com
    JaffaCakes118_92c384942f313fc9592f5b2df23fba0c.exe
    Remote address:
    8.8.8.8:53
    Request
    catalogminidevice.com
    IN A
    Response
  • flag-gb
    GET
    http://www.google.com/
    JaffaCakes118_92c384942f313fc9592f5b2df23fba0c.exe
    Remote address:
    142.250.187.196:80
    Request
    GET / HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
    Response
    HTTP/1.1 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNioqrwGIjDvous2lLJWV06eAojHGw92mFWnMRHpdm5YFjaLEbwkJLWIS4_ngC_ahGP6Nk3HU6EyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwI2aiqvAYQr8f-ugESBLXXsFM
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-iFmEhfyED6ElBCQrZh0Thg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Fri, 17 Jan 2025 17:33:13 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-XBgzIAkCExPXUThtRDuTloQOtWaYAWI08QxtcnkP9ZdlI_LgAKrA; expires=Wed, 16-Jul-2025 17:33:13 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
    Connection: close
  • flag-gb
    GET
    http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNioqrwGIjDvous2lLJWV06eAojHGw92mFWnMRHpdm5YFjaLEbwkJLWIS4_ngC_ahGP6Nk3HU6EyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    JaffaCakes118_92c384942f313fc9592f5b2df23fba0c.exe
    Remote address:
    142.250.187.196:80
    Request
    GET /sorry/index?continue=http://www.google.com/&q=EgS117BTGNioqrwGIjDvous2lLJWV06eAojHGw92mFWnMRHpdm5YFjaLEbwkJLWIS4_ngC_ahGP6Nk3HU6EyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
    Response
    HTTP/1.1 429 Too Many Requests
    Date: Fri, 17 Jan 2025 17:33:13 GMT
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Content-Type: text/html
    Server: HTTP server (unknown)
    Content-Length: 3086
    X-XSS-Protection: 0
    Connection: close
  • 157.245.184.25:80
    http://willsglaucoma.org/images/lhous3.gif?v73=65&tq=gKZEtzyfv3oqU0trmDvSgEggUPKEC1GEpJufdgUxaU1WYPoSfGbxdDAq2oEJbxBOe50QF%2FxldrVGQM9v6k1F5m07D%2BG29SJwJIcafIVFfDyCl0TIelmXb1ibka4TPiGyR%2BOGTAoXJkzS%2FNRn0SUvs5zSBCCo6oheejzbLxRkCWA9FihSkyoVU5PnBBM8lsA6aAxjsi60ziBNg4qRVNKQ6%2BfkNc%2BY53MQrcxkhcKPDPeI3ZUuwsjpGOJPMdAEeQum5%2FcoPmp8bmA3zMHvcWZohz3wnL6I7%2FMEtyY1hI%2FFjtNh7areBTWVz1PRFuVs4NQ0u8PT9K0wCuuQ4JoBJsA4ja75PP33%2BB
    http
    JaffaCakes118_92c384942f313fc9592f5b2df23fba0c.exe
    728 B
    995 B
    5
    5

    HTTP Request

    GET http://willsglaucoma.org/images/lhous3.gif?v73=65&tq=gKZEtzyfv3oqU0trmDvSgEggUPKEC1GEpJufdgUxaU1WYPoSfGbxdDAq2oEJbxBOe50QF%2FxldrVGQM9v6k1F5m07D%2BG29SJwJIcafIVFfDyCl0TIelmXb1ibka4TPiGyR%2BOGTAoXJkzS%2FNRn0SUvs5zSBCCo6oheejzbLxRkCWA9FihSkyoVU5PnBBM8lsA6aAxjsi60ziBNg4qRVNKQ6%2BfkNc%2BY53MQrcxkhcKPDPeI3ZUuwsjpGOJPMdAEeQum5%2FcoPmp8bmA3zMHvcWZohz3wnL6I7%2FMEtyY1hI%2FFjtNh7areBTWVz1PRFuVs4NQ0u8PT9K0wCuuQ4JoBJsA4ja75PP33%2BB

    HTTP Response

    301
  • 142.250.187.196:80
    http://www.google.com/
    http
    JaffaCakes118_92c384942f313fc9592f5b2df23fba0c.exe
    302 B
    1.5kB
    5
    5

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 142.250.187.196:80
    http://www.google.com/
    http
    JaffaCakes118_92c384942f313fc9592f5b2df23fba0c.exe
    307 B
    1.5kB
    5
    5

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 142.250.187.196:80
    http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNioqrwGIjDvous2lLJWV06eAojHGw92mFWnMRHpdm5YFjaLEbwkJLWIS4_ngC_ahGP6Nk3HU6EyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    http
    JaffaCakes118_92c384942f313fc9592f5b2df23fba0c.exe
    526 B
    3.7kB
    6
    7

    HTTP Request

    GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNioqrwGIjDvous2lLJWV06eAojHGw92mFWnMRHpdm5YFjaLEbwkJLWIS4_ngC_ahGP6Nk3HU6EyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

    HTTP Response

    429
  • 127.0.0.1:57535
    JaffaCakes118_92c384942f313fc9592f5b2df23fba0c.exe
  • 127.0.0.1:57535
    JaffaCakes118_92c384942f313fc9592f5b2df23fba0c.exe
  • 8.8.8.8:53
    willsglaucoma.org
    dns
    JaffaCakes118_92c384942f313fc9592f5b2df23fba0c.exe
    63 B
    79 B
    1
    1

    DNS Request

    willsglaucoma.org

    DNS Response

    157.245.184.25

  • 8.8.8.8:53
    hardsystemtwo.com
    dns
    JaffaCakes118_92c384942f313fc9592f5b2df23fba0c.exe
    63 B
    136 B
    1
    1

    DNS Request

    hardsystemtwo.com

  • 8.8.8.8:53
    www.google.com
    dns
    JaffaCakes118_92c384942f313fc9592f5b2df23fba0c.exe
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    142.250.187.196

  • 8.8.8.8:53
    catalogminidevice.com
    dns
    JaffaCakes118_92c384942f313fc9592f5b2df23fba0c.exe
    67 B
    140 B
    1
    1

    DNS Request

    catalogminidevice.com

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\0A57.426

    Filesize

    1KB

    MD5

    9373ce63416ff3124ff9165db453fa8a

    SHA1

    826a80830ed694cad0c52f1478adecf55728895f

    SHA256

    458177b2b59123fd52a5584cbea7b82a1ed37abac2fe17043d72c9a5ba4d4aa4

    SHA512

    accfba3fb2206ff498780faf330d4bf8bfd84ab2b8b88e09f19475cad911aa360f92a7c151d4e36308bb68fa01f170c839da1300bcdfb6f55cf58df88af7cb64

  • C:\Users\Admin\AppData\Roaming\0A57.426

    Filesize

    600B

    MD5

    7217e678b386784da51bc3770e342f58

    SHA1

    2215ceb29fd054e49eb44ad172debf1750336787

    SHA256

    cdfa22e7cd1d97c1bfce6ff5a1272d0d8fb5cec4f72bd0a96c959816c3f7004f

    SHA512

    44dfe1db756288490e9d54df897ed9f6cfc3744c04cc1acb2c0692f8aa91b769cfa18d533dff7cedc0f9f6273692ed80882e83cc2925e5a6cffd6db5156e27bc

  • C:\Users\Admin\AppData\Roaming\0A57.426

    Filesize

    996B

    MD5

    0b363171a203087157e0fc41556d0431

    SHA1

    a1ac36a7289687e11c844e12851afea6d42bdde7

    SHA256

    52809ed0c94a978e2f05d781509e9b1daca85e72be67d694a8a9e302a198574e

    SHA512

    f80cb0c050ddc802d2563845ed0e175d77f1f3fdab16c604964649c4209cbb3c6185d2fe37aff0fede138ad669089266edadd2f5c36908746f79fbf8895092dc

  • memory/676-86-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/676-87-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/836-15-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/836-14-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/836-12-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/2516-1-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/2516-2-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/2516-16-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/2516-196-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB
