Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/01/2025, 03:28
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe
Resource: win7-20240903-en
General
Target: JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe
Size: 179KB
MD5: 9e5a18b5e18c283ae49451bc8169bc19
SHA1: 51a615c40cc1107faa1fc3a908a8a13e248e7248
SHA256: 1af2ea886f324dcba515df77f70e2a46d567315f17e14bccd40f7372e4de4b50
SHA512: c7fda261518c1a1010db513ccb6c1b98d78e12ae8ea2fcfcc153999a53aee8c2585481335929ede33e905902a68666cad7ce686c59e414ae1528d7bcb4d10eaa
SSDEEP: 3072:0zZPWZbFjm6s7W65dJd5joxFyjdStbD6qBx39w:0zlWDjmBnjd1QFezqr9
Malware Config
Signatures
Cycbot family

Detects Cycbot payload (5 IoCs)
Cycbot is a backdoor and trojan written in C++.
resource | yara_rule
behavioral2/memory/368-17-0x0000000000400000-0x0000000000454000-memory.dmp | family_cycbot
behavioral2/memory/5004-19-0x0000000000400000-0x0000000000452000-memory.dmp | family_cycbot
behavioral2/memory/5004-20-0x0000000000400000-0x0000000000454000-memory.dmp | family_cycbot
behavioral2/memory/4404-131-0x0000000000400000-0x0000000000454000-memory.dmp | family_cycbot
behavioral2/memory/5004-303-0x0000000000400000-0x0000000000454000-memory.dmp | family_cycbot

Memory dumps matching yara rule upx (7 IoCs)
resource | yara_rule
behavioral2/memory/5004-4-0x0000000000400000-0x0000000000454000-memory.dmp | upx
behavioral2/memory/368-16-0x0000000000400000-0x0000000000454000-memory.dmp | upx
behavioral2/memory/368-17-0x0000000000400000-0x0000000000454000-memory.dmp | upx
behavioral2/memory/5004-19-0x0000000000400000-0x0000000000452000-memory.dmp | upx
behavioral2/memory/5004-20-0x0000000000400000-0x0000000000454000-memory.dmp | upx
behavioral2/memory/4404-131-0x0000000000400000-0x0000000000454000-memory.dmp | upx
behavioral2/memory/5004-303-0x0000000000400000-0x0000000000454000-memory.dmp | upx

Every dump listed above is the 0x400000 image region of one of the three processes in the tree below (5004, 368 and 4404), and each family_cycbot hit is on a dump that also matches the upx rule, so the Cycbot detection fires on the in-memory image of each running process.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 5004 wrote to memory of 368 | 5004 | JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe | 84
PID 5004 wrote to memory of 368 | 5004 | JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe | 84
PID 5004 wrote to memory of 368 | 5004 | JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe | 84
PID 5004 wrote to memory of 4404 | 5004 | JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe | 95
PID 5004 wrote to memory of 4404 | 5004 | JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe | 95
PID 5004 wrote to memory of 4404 | 5004 | JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe | 95
Processes
1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe"
   PID: 5004
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe
      command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe startC:\Program Files (x86)\LP\42C2\FF2.exe%C:\Program Files (x86)\LP\42C2
      PID: 368
      - System Location Discovery: System Language Discovery
   2. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe
      command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe startC:\Users\Admin\AppData\Roaming\24EB4\98442.exe%C:\Users\Admin\AppData\Roaming\24EB4
      PID: 4404
      - System Location Discovery: System Language Discovery
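The System Language Discovery and WriteProcessMemory signatures and the process list above all describe the same three processes. The script below is an added example, not code from the Triage report or from the sample itself: it parses the report's IoC rows and process list (copied in as constructed sample data) and pulls out what an analyst would want from them: the parent writing into child processes that run its own image, the file path and directory named in the children's start<file>%<dir> argument (what the sample does with them is not shown on this page), and the NLS\Language registry opens behind the location-discovery hit. The regexes and function names are mine and match this page's text layout; they are not a Triage API.

```python
import re

# Constructed sample, copied from the "Processes" section of the report:
# pid, parent pid, image path, and the argument string after the image path.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe"
PROCESSES = [
    {"pid": 5004, "ppid": None, "image": SAMPLE, "args": ""},
    {"pid": 368, "ppid": 5004, "image": SAMPLE,
     "args": r"startC:\Program Files (x86)\LP\42C2\FF2.exe%C:\Program Files (x86)\LP\42C2"},
    {"pid": 4404, "ppid": 5004, "image": SAMPLE,
     "args": r"startC:\Users\Admin\AppData\Roaming\24EB4\98442.exe%C:\Users\Admin\AppData\Roaming\24EB4"},
]

# Constructed sample: the IoC rows of the two signature tables, one per line.
IOC_TEXT = r"""
PID 5004 wrote to memory of 368 5004 JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe 84
PID 5004 wrote to memory of 368 5004 JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe 84
PID 5004 wrote to memory of 368 5004 JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe 84
PID 5004 wrote to memory of 4404 5004 JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe 95
PID 5004 wrote to memory of 4404 5004 JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe 95
PID 5004 wrote to memory of 4404 5004 JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe 95
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe
"""

# Row layouts of this page (assumed from the text above, not a Triage format spec).
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")
REG_RE = re.compile(r"^Key opened (\S+) (\S+)$")
# The children's argument: "start" + file path + "%" + directory.
START_RE = re.compile(r"^start(?P<path>.+?\.exe)%(?P<dir>.+)$")


def parse_iocs(text):
    """Turn the one-IoC-per-line text into dicts tagged 'wpm' or 'regkey'."""
    iocs = []
    for line in text.splitlines():
        line = line.strip()
        m = WPM_RE.match(line)
        if m:
            iocs.append({"kind": "wpm", "src": int(m.group(1)), "dst": int(m.group(2)),
                         "process": m.group(3), "target_ref": int(m.group(4))})
            continue
        m = REG_RE.match(line)
        if m:
            iocs.append({"kind": "regkey", "path": m.group(1), "process": m.group(2)})
    return iocs


def self_injection(procs, iocs):
    """Parent-to-child WriteProcessMemory where both run the same image,
    the pattern behind the 'Suspicious use of WriteProcessMemory' hit."""
    by_pid = {p["pid"]: p for p in procs}
    hits = set()
    for i in iocs:
        if i["kind"] != "wpm":
            continue
        src, dst = by_pid.get(i["src"]), by_pid.get(i["dst"])
        if src and dst and dst["ppid"] == src["pid"] and dst["image"].lower() == src["image"].lower():
            hits.add((src["pid"], dst["pid"]))
    return sorted(hits)


def dropped_paths(procs):
    """File paths named in each child's start<file>%<dir> argument, kept only
    when the directory part is the parent directory of the file part."""
    out = []
    for p in procs:
        m = START_RE.match(p["args"])
        if m and m.group("path").startswith(m.group("dir")):
            out.append(m.group("path"))
    return out


def language_discovery(iocs):
    """Processes that opened HKLM\\SYSTEM\\...\\Control\\NLS\\Language (T1614.001)."""
    return [i["process"] for i in iocs
            if i["kind"] == "regkey" and i["path"].upper().endswith(r"\CONTROL\NLS\LANGUAGE")]


def render_tree(procs):
    """Indented parent/child view of the process list, as a list of lines."""
    children = {}
    for p in procs:
        children.setdefault(p["ppid"], []).append(p)
    lines = []

    def walk(ppid, depth):
        for p in children.get(ppid, []):
            lines.append("  " * depth + f"{p['pid']} {p['image']} {p['args']}".rstrip())
            walk(p["pid"], depth + 1)

    walk(None, 0)
    return lines


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    print("\n".join(render_tree(PROCESSES)))
    print("same-image parent->child writes:", self_injection(PROCESSES, iocs))
    print("paths passed to children:", dropped_paths(PROCESSES))
    print("NLS\\Language opens:", len(language_discovery(iocs)))
```

The six WriteProcessMemory rows collapse to two distinct parent/child pairs (5004 into 368 and 5004 into 4404), both children running the parent's own image; the two paths returned by dropped_paths are the only file names the report gives for what the children were started for.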
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 996B
MD5: 665980e2b4578c10e89fb3a53a6de914
SHA1: 26184738de25315b1714b872b97673bdaa74f9ea
SHA256: b3ceb822b3ae98de6d3bbcb15533486e240dcabf802f82654bdb1762e09db397
SHA512: 13fe7d9504f70cca80294b414aecf66f11755ddca13cb140f0533ce5007e70866acd932e5f718b47426191d0138c75968e0a8a73fdea34fc105a31fc94f300f3

Filesize: 600B
MD5: 12bdffb7a35581fedaba1b15303e4bda
SHA1: 9c7c9bc340ad9e23a4bb79b41eb9ced82d3340e7
SHA256: d714d8949901cdbb40c2fafed4e0b5fbe73bd12bdbb6b79b3141d2f26e7e351f
SHA512: ece5b89d34baaea21b031b21643341f590143dd2802c2c08632558a25f1e702a4c7484621d51a7bec223f3e7b2ee70c4d96d17f33f0120db5c08bf705396b3ce

Filesize: 1KB
MD5: 48bb081114fdb0f1bfc28d2caa3b102a
SHA1: 3be37cee4cdbb43ba7e1def6f1a66b6be84396b1
SHA256: 2fa3b195017020389acb2d9ebb74bb465717ce30c3ff645d1ce92ee6e5086338
SHA512: 777b617343756cfd1485b1e918822e92169a1ae2fde42289dda9553eb7dd81c2a7e645a9f1abe337c7e92587cfa7cb2f4b69c53249684350c1708dd693367772