Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JaffaCakes...26.exe

windows7-x64

10

JaffaCakes...26.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    140s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18/01/2025, 07:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_a2ce4184eb35004e334fad5eabad7826.exe

  • Size

    175KB

  • MD5

    a2ce4184eb35004e334fad5eabad7826

  • SHA1

    97c0bd356abd87e178f57e2a8c9a294f0fd88617

  • SHA256

    647ae71d21591d86fd94d9e21f70828e85ed45fe1d277e23c04c00107594d6d0

  • SHA512

    2a2043f8e12faf6307aa18730096c3812d0eaa37f5a9ed1bc9b2ce97e382c3eb7f2f7a3a9a8732d9cdaa5f341e15f7cfe552ca7b82607f671a2c7b0ec9dd9084

  • SSDEEP

    3072:ajeJvTHjs3ypJ7ib5tf5wExuijs1n4oCku7CgveTXs1E7/cjo:keJvTY3EiVEaXjs1n4oCkumgGAjo

Score
10/10
cycbotbackdoordiscoverypersistenceratspywarestealerupx

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

    backdoorratcycbot
  • Cycbot family
    cycbot
  • Detects Cycbot payload 6 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2ce4184eb35004e334fad5eabad7826.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2ce4184eb35004e334fad5eabad7826.exe"
    1⤵
    • Modifies WinLogon for persistence
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2ce4184eb35004e334fad5eabad7826.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2ce4184eb35004e334fad5eabad7826.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2716
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2ce4184eb35004e334fad5eabad7826.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2ce4184eb35004e334fad5eabad7826.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1080

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\8594.07C
    Filesize

    1KB

    MD5

    d75a581de96c8b9d4a5d152649c74fae

    SHA1

    1f804050cedf2b0502e9c8f8ab304394c203ae2a

    SHA256

    e408813096b79429f4073126b68bf6eeb20ee807bfcdc0e0378d8f7f734c2fa5

    SHA512

    81426d052f9d620f7a72fdf61082ceeac426bfd295201b4d813d9f0d3221e4aaf8762527f594f78c5f19011d90cee6a3937186f5716101b76c972efbed854fa4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\8594.07C
    Filesize

    600B

    MD5

    aa71011c7a0c773a0380c6802494878c

    SHA1

    75f1e29adac3a2edf54765f436ffc51362a2c229

    SHA256

    73b793792fe78b1d4dae52896eab3a0c3d5c1db9c8cf5066046735fe6bd919bf

    SHA512

    5f02c882d22087a1efa2feaec6be6dc632dca7b58ccfe5efe25b1a5258d6002dae3e7a44f1e2992454eb8f2754db9ecb1f0684152cf9a05a00d706064516a73a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\8594.07C
    Filesize

    996B

    MD5

    9575c54fafab13c96559d3236ebace59

    SHA1

    f6d75aab7f609c79cc8b3077c11e8dbaa2b84186

    SHA256

    78dcc44e8c24dd6d0370269d69550ce6b35f146b2ff4b1840966a17866f5e8f6

    SHA512

    d0191eeaff0cfb5b2f0b1055102902b5b431d5713ee6f5cc395a7edad94e43945ae0840b4a8b03cd46f99c1ac3cc49056f45345c4aac966a267d8470db94ee60

    Download Submit

  • memory/1080-78-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/1080-75-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/1080-77-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/2716-7-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/2716-8-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/2716-5-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/2940-16-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/2940-1-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/2940-79-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/2940-2-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/2940-174-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download