Analysis
- max time kernel: 140s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/01/2025, 20:29
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_96977cff64d6d4f4d9269f5d876ee8a1.exe
- Resource: win7-20241010-en
Note that every signature hit and process entry below is tagged behavioral2, i.e. the Windows 10 run (win10v2004-20241007-en) whose parameters are listed under Analysis; only that run's data appears on this page.
General
- Target: JaffaCakes118_96977cff64d6d4f4d9269f5d876ee8a1.exe
- Size: 181KB
- MD5: 96977cff64d6d4f4d9269f5d876ee8a1
- SHA1: a3342d71ae672c2a6b0e89a5d1ee959a0499f9e1
- SHA256: 1f82895292fd0f9becfb08bcf6ce3a09799a60d0a81f61160152d35798b2c2e7
- SHA512: 69a9938e7a6fd83f2e842298f377af077a0f6274bc248c11f96509aabf47659296353156cd33e0cf03ad52377d928ace442f25a84e639e15addae9462c983ab7
- SSDEEP: 3072:8YZ1KP0tYNpCv5GUS1z/IZ6+rNALY3bflCtGcKg0I57Inpm92yL5CeO:ectYNpW5GxrIZ6xuj7u7IpByty
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (5 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource | yara_rule
  behavioral2/memory/2440-14-0x0000000000400000-0x000000000044B000-memory.dmp | family_cycbot
  behavioral2/memory/2964-15-0x0000000000400000-0x000000000044B000-memory.dmp | family_cycbot
  behavioral2/memory/2964-79-0x0000000000400000-0x000000000044B000-memory.dmp | family_cycbot
  behavioral2/memory/2676-83-0x0000000000400000-0x000000000044B000-memory.dmp | family_cycbot
  behavioral2/memory/2964-190-0x0000000000400000-0x000000000044B000-memory.dmp | family_cycbot
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe" | JaffaCakes118_96977cff64d6d4f4d9269f5d876ee8a1.exe
- UPX packed (yara rule upx, 9 IoCs)
  resource | yara_rule
  behavioral2/memory/2964-2-0x0000000000400000-0x000000000044B000-memory.dmp | upx
  behavioral2/memory/2440-13-0x0000000000400000-0x000000000044B000-memory.dmp | upx
  behavioral2/memory/2440-12-0x0000000000400000-0x000000000044B000-memory.dmp | upx
  behavioral2/memory/2440-14-0x0000000000400000-0x000000000044B000-memory.dmp | upx
  behavioral2/memory/2964-15-0x0000000000400000-0x000000000044B000-memory.dmp | upx
  behavioral2/memory/2964-79-0x0000000000400000-0x000000000044B000-memory.dmp | upx
  behavioral2/memory/2676-82-0x0000000000400000-0x000000000044B000-memory.dmp | upx
  behavioral2/memory/2676-83-0x0000000000400000-0x000000000044B000-memory.dmp | upx
  behavioral2/memory/2964-190-0x0000000000400000-0x000000000044B000-memory.dmp | upx
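The two yara tables above name each hit by its memory-dump resource, and reading PID, dump sequence and address range out of those names by eye is error-prone. The following parser is an added example (not part of the Triage report and not Triage's own tooling); the field layout `<task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` is read off the names on this page and is an assumption about the naming convention, and the hit list is constructed from the rows above. It groups hits per process and reports which dumps both rules fired on.

```python
import re
from collections import defaultdict

# Constructed from the yara hit rows of this report as (resource, rule) pairs; not live sandbox output.
HITS = [
    ("behavioral2/memory/2440-14-0x0000000000400000-0x000000000044B000-memory.dmp", "family_cycbot"),
    ("behavioral2/memory/2964-15-0x0000000000400000-0x000000000044B000-memory.dmp", "family_cycbot"),
    ("behavioral2/memory/2964-79-0x0000000000400000-0x000000000044B000-memory.dmp", "family_cycbot"),
    ("behavioral2/memory/2676-83-0x0000000000400000-0x000000000044B000-memory.dmp", "family_cycbot"),
    ("behavioral2/memory/2964-190-0x0000000000400000-0x000000000044B000-memory.dmp", "family_cycbot"),
    ("behavioral2/memory/2964-2-0x0000000000400000-0x000000000044B000-memory.dmp", "upx"),
    ("behavioral2/memory/2440-13-0x0000000000400000-0x000000000044B000-memory.dmp", "upx"),
    ("behavioral2/memory/2440-12-0x0000000000400000-0x000000000044B000-memory.dmp", "upx"),
    ("behavioral2/memory/2440-14-0x0000000000400000-0x000000000044B000-memory.dmp", "upx"),
    ("behavioral2/memory/2964-15-0x0000000000400000-0x000000000044B000-memory.dmp", "upx"),
    ("behavioral2/memory/2964-79-0x0000000000400000-0x000000000044B000-memory.dmp", "upx"),
    ("behavioral2/memory/2676-82-0x0000000000400000-0x000000000044B000-memory.dmp", "upx"),
    ("behavioral2/memory/2676-83-0x0000000000400000-0x000000000044B000-memory.dmp", "upx"),
    ("behavioral2/memory/2964-190-0x0000000000400000-0x000000000044B000-memory.dmp", "upx"),
]

# Assumed layout: <task>/memory/<pid>-<dump sequence>-0x<start>-0x<end>-memory.dmp
# (field meanings inferred from the names in this report; the regex is ours).
DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split one dump resource name into task, pid, seq, start, end and region size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump resource name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {name}")
    return {"task": m["task"], "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def summarize(hits):
    """Per PID: which rules fired, which dump sequences exist, which regions were dumped."""
    by_pid = defaultdict(lambda: {"rules": set(), "seqs": set(), "regions": set()})
    for name, rule in hits:
        d = parse_dump_name(name)
        entry = by_pid[d["pid"]]
        entry["rules"].add(rule)
        entry["seqs"].add(d["seq"])
        entry["regions"].add((d["start"], d["end"]))
    return dict(by_pid)


def dumps_matching_all(hits, rules):
    """(pid, seq) of every dump on which all of `rules` fired, sorted."""
    seen = defaultdict(set)
    for name, rule in hits:
        d = parse_dump_name(name)
        seen[(d["pid"], d["seq"])].add(rule)
    return sorted(key for key, fired in seen.items() if set(rules) <= fired)


if __name__ == "__main__":
    for pid, entry in sorted(summarize(HITS).items()):
        regions = ", ".join(f"0x{s:X}-0x{e:X} ({e - s:#x} bytes)" for s, e in sorted(entry["regions"]))
        print(f"PID {pid}: dumps {sorted(entry['seqs'])} rules {sorted(entry['rules'])} regions {regions}")
    print("family_cycbot and upx on the same dump:", dumps_matching_all(HITS, ["family_cycbot", "upx"]))
```

Run against the rows above it shows that all 14 hits cover a single 0x4B000-byte region at 0x400000 in three processes (2964, 2440, 2676), i.e. the same image mapped in the parent and in both children, and that every family_cycbot hit lands on a dump the upx rule also matched.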
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_96977cff64d6d4f4d9269f5d876ee8a1.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2964 wrote to memory of 2440 | 2964 | JaffaCakes118_96977cff64d6d4f4d9269f5d876ee8a1.exe | 83
  PID 2964 wrote to memory of 2440 | 2964 | JaffaCakes118_96977cff64d6d4f4d9269f5d876ee8a1.exe | 83
  PID 2964 wrote to memory of 2440 | 2964 | JaffaCakes118_96977cff64d6d4f4d9269f5d876ee8a1.exe | 83
  PID 2964 wrote to memory of 2676 | 2964 | JaffaCakes118_96977cff64d6d4f4d9269f5d876ee8a1.exe | 91
  PID 2964 wrote to memory of 2676 | 2964 | JaffaCakes118_96977cff64d6d4f4d9269f5d876ee8a1.exe | 91
  PID 2964 wrote to memory of 2676 | 2964 | JaffaCakes118_96977cff64d6d4f4d9269f5d876ee8a1.exe | 91
  Both targets (2440 and 2676) are the sample's own child processes listed under Processes.
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96977cff64d6d4f4d9269f5d876ee8a1.exe (PID 2964, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96977cff64d6d4f4d9269f5d876ee8a1.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96977cff64d6d4f4d9269f5d876ee8a1.exe (PID 2440, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96977cff64d6d4f4d9269f5d876ee8a1.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96977cff64d6d4f4d9269f5d876ee8a1.exe (PID 2676, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96977cff64d6d4f4d9269f5d876ee8a1.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
Both children are the sample binary re-launched by itself. Each argument (recorded as start<path>%<directory>) names a file after a Windows core binary (dwm.exe, csrss.exe) in a user-writable directory, matching the conhost.exe Run value under AppData\Roaming\Microsoft.
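The three host-side behaviours in this report (the WOW6432Node Run value pointing into AppData, the sample re-launching itself with a `start<path>%<directory>` argument, and the copies named after Windows core binaries) can be turned into detection logic. The script below is an added example, not from the report or from Triage; the Sysmon-like event dictionaries are constructed to mirror the rows above plus two benign events, the `start<path>%<dir>` argument format is taken from the process tree as recorded, and the list of system binary names and the user-writable path patterns are our assumptions.

```python
import re

# Constructed events modelled on this report (not real telemetry): the parent (PID 2964),
# its registry write, its two children, and two benign events that must not alert.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96977cff64d6d4f4d9269f5d876ee8a1.exe"
EVENTS = [
    {"type": "process_create", "pid": 2964, "ppid": 1180, "image": SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": '"' + SAMPLE + '"'},
    {"type": "registry_set", "pid": 2964, "image": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost",
     "value": r"C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe"},
    {"type": "process_create", "pid": 2440, "ppid": 2964, "image": SAMPLE, "parent_image": SAMPLE,
     "cmdline": SAMPLE + r" startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming"},
    {"type": "process_create", "pid": 2676, "ppid": 2964, "image": SAMPLE, "parent_image": SAMPLE,
     "cmdline": SAMPLE + r" startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp"},
    # benign: a vendor autorun under Program Files, and an ordinary shell spawned by explorer
    {"type": "registry_set", "pid": 512, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "value": r"C:\Program Files\Vendor\tray.exe"},
    {"type": "process_create", "pid": 700, "ppid": 1180, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c dir"},
]

# HKLM Run/RunOnce under either the native or the WOW6432Node hive path.
RUN_KEY_RE = re.compile(r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\run(once)?\\", re.I)
# Locations a standard user can write to (assumed list; extend for your estate).
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata\\|programdata\\|users\\public\\|windows\\temp\\)", re.I)
# Windows core binary names reused for dropped copies (this report: conhost, dwm, csrss); assumed list.
SYSTEM_NAMES = {"conhost.exe", "csrss.exe", "dwm.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}
# Relaunch argument exactly as recorded in the process tree: start<drop path>%<drop dir>
SELF_START_RE = re.compile(r"\bstart\s*([a-z]:\\[^%]+?\.exe)%([a-z]:\\.+)$", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def check_run_key(ev):
    """Autorun value under HKLM Run whose target lives in a user-writable directory."""
    if ev["type"] != "registry_set" or not RUN_KEY_RE.search(ev["key"]):
        return None
    target = ev["value"].strip('"')
    if not USER_WRITABLE_RE.match(target):
        return None
    return {"rule": "autorun_user_writable", "pid": ev["pid"], "target": target,
            "masquerade": basename(target) in SYSTEM_NAMES}


def check_self_spawn(ev):
    """A process re-launching its own image with a start<path>%<dir> drop argument."""
    if ev["type"] != "process_create":
        return None
    if basename(ev["image"]) != basename(ev.get("parent_image", "")):
        return None
    m = SELF_START_RE.search(ev["cmdline"])
    if not m:
        return None
    drop, drop_dir = m.group(1), m.group(2)
    return {"rule": "self_spawn_with_drop_path", "pid": ev["pid"], "ppid": ev["ppid"],
            "target": drop, "drop_dir": drop_dir,
            "masquerade": basename(drop) in SYSTEM_NAMES and bool(USER_WRITABLE_RE.match(drop))}


def detect(events):
    """Run every check over every event and collect the findings."""
    findings = []
    for ev in events:
        for check in (check_run_key, check_self_spawn):
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['rule']:28} pid={f['pid']:<5} masquerade={f['masquerade']} target={f['target']}")
```

The benign Run value under Program Files and the cmd.exe spawn produce no findings; the three Cycbot events do, each flagged as masquerading because the target name is a core binary name placed outside the Windows directory. The same-image check on its own would also fire on legitimate self-restarting software, so the drop-path argument is what keeps the second rule narrow.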
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 7308fc9a9a81c7395f431a63345a086a
  SHA1: 176c6988d188d3e9607195a69ee349e76818058c
  SHA256: b1a3979cde31c1ef338c660e81c480ad69cfc322cf9b2c408349bb1d62eddbb7
  SHA512: 28782ca583ba75fc430256fa11e13f64cf972b891cc0dedcc4c2f172523cb5e5b9dbde1d621b384fe9f76a4ffcf1c98468743f849672f418262fc8a721105c91
- Filesize: 1KB
  MD5: 190cc24bbeb8a161e6a93d966bf06a2f
  SHA1: 6893423c8ecf4c033478a8b62164481e3502f073
  SHA256: 698b31a0ce7630cf14b458a82ffcea244fa3f1a2b07dd95f9c71035e71e7a449
  SHA512: 2a0c11c1c2511e5ad54206cb86a772ae44878dd9902409ad490a4b1c5ddd3248d9b9130d4283852b1a8eda63e275f9f327c39823ea03cc9188a0047262d5dfea
- Filesize: 600B
  MD5: 2af36b03521682ef97475cf5e5ec9b91
  SHA1: 7e0251091ee9a7bae29ff0dac5c7996820230800
  SHA256: 53ac9ec216b891837c5b7961eaa36a5ad640c16200de6dbad361a5097d3362eb
  SHA512: 4d84a5c82468d2748fbc9a05bbc07dc8432deadbe29a5083a148c87f212a6dd31ad62282b453e0d250bba659a23acdb99487489e788d947b1e718fd046984412
- Filesize: 996B
  MD5: 65fb458088d1171efb83f207eb35223f
  SHA1: ef4f85a32dae3e965f4b7d5c257e22d7dcb009fe
  SHA256: 79ec9e070b6122e2ab91e6aedababc9e92398f1809dd27601ef7bf6f0419f1c8
  SHA512: a5925d3834725e02195c90a841b974a4615ba09e3788627d554bbb343ce2d482ccc562ceb071e5f37f256e4b23127aa8c7703583f5e5043ffd76f6d73c8cfc82