Analysis
max time kernel: 140s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 18/01/2025, 03:50
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe
Resource: win7-20240903-en
General
Target: JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe
Size: 180KB
MD5: 9ec6fc94432fa78a7585004d03eceabf
SHA1: d739dab40b405822b4b89ab2ca208731b354f30a
SHA256: 292c20d20889ba64ce3cdbdbb5467786f9ae807e2606aa4a14ec0dbf4c741639
SHA512: 80bef760aba69cf9b81910a2e10cc5deb44d36501877176d1dc23d43f854c89bdee0b19cac2a2c98197eb3306ec5fa5e4b406ea83bf9c1fbb200b89a89114ab6
SSDEEP: 3072:dklnqbpEekz2+pU1LnJAKd5gG8WrjFP0GBLFO4DTgEhtSKJylxq:dInYpEeg2+q1LnJAufgEcKIf
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 5 IoCs
Cycbot is a backdoor and trojan written in C++.
resource                                                                      yara_rule
behavioral2/memory/2724-14-0x0000000000400000-0x0000000000455000-memory.dmp   family_cycbot
behavioral2/memory/1680-15-0x0000000000400000-0x0000000000455000-memory.dmp   family_cycbot
behavioral2/memory/1680-16-0x0000000000400000-0x0000000000452000-memory.dmp   family_cycbot
behavioral2/memory/680-122-0x0000000000400000-0x0000000000455000-memory.dmp   family_cycbot
behavioral2/memory/1680-269-0x0000000000400000-0x0000000000455000-memory.dmp  family_cycbot
-
resource                                                                      yara_rule
behavioral2/memory/1680-3-0x0000000000400000-0x0000000000455000-memory.dmp    upx
behavioral2/memory/2724-13-0x0000000000400000-0x0000000000455000-memory.dmp   upx
behavioral2/memory/2724-14-0x0000000000400000-0x0000000000455000-memory.dmp   upx
behavioral2/memory/1680-15-0x0000000000400000-0x0000000000455000-memory.dmp   upx
behavioral2/memory/1680-16-0x0000000000400000-0x0000000000452000-memory.dmp   upx
behavioral2/memory/680-122-0x0000000000400000-0x0000000000455000-memory.dmp   upx
behavioral2/memory/1680-269-0x0000000000400000-0x0000000000455000-memory.dmp  upx
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                        Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description                      pid   Process                                              procid_target
PID 1680 wrote to memory of 2724  1680  JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe  82
PID 1680 wrote to memory of 2724  1680  JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe  82
PID 1680 wrote to memory of 2724  1680  JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe  82
PID 1680 wrote to memory of 680   1680  JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe  87
PID 1680 wrote to memory of 680   1680  JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe  87
PID 1680 wrote to memory of 680   1680  JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe  87
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe"
  1⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1680
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe startC:\Program Files (x86)\LP\D48F\C69.exe%C:\Program Files (x86)\LP\D48F
    2⤵
    PID:2724
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe startC:\Users\Admin\AppData\Roaming\F5FE6\F2ED4.exe%C:\Users\Admin\AppData\Roaming\F5FE6
    2⤵
    PID:680
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 996B
  MD5: 001e6a84c067bbc24d68d0aa3b32e9ae
  SHA1: 87a41820aaa2af4cd23478e69abff87087b6b976
  SHA256: 73c91f1202efdf67f49f2ad7462929d2f5869f3ad676d47cbe38b36e03f70c24
  SHA512: 11dd936fb1cbe1be98069684e11c907072a3a7cb3bd8e0942db50bd7b5c1dd423c41fe20946156ca8eedafa19ad624991e0feca5b097c4c93f9ba2cf1e37c444
- Filesize: 600B
  MD5: 65a9e6fffc2285cf41cc47dc6d5d4e80
  SHA1: 08512a85553e4756d4b742028aea73f111f463a6
  SHA256: 10dbeaa778e5f821b865f4eac6232946084a8ef93509095a7d58ad62c623cb2b
  SHA512: 107e4115c0cb71f22417d2c5a3bd9028b96db30c365e07ba2f990dd36815f2dfd2354fc0a47937d89c03639fc4fc1c6da1e66cb2c99dcfe5f8b7afeaf9de00fc
- Filesize: 1KB
  MD5: a8718dfe24c90f298179a1f52777bf8e
  SHA1: 5333955ddb17da5816dd2f8e989017effd196993
  SHA256: d9d2bbe981c8993fd72f32b6380bcb7453b6e15acb0575614b50a8a3580a50d4
  SHA512: 6ea9c8ae7da32f0306e93917191d3eba52acd87568cb13e881e2b46e2447040a0debce1458621bf9e35f47216c64fb38239f61b8f07a63b907fe56ea4c8aa167