Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 140s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/01/2025, 07:36
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe
- Resource: win7-20240903-en
General
- Target: JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe
- Size: 198KB
- MD5: a3a36fec487f44d087bb90f3eb052b6c
- SHA1: 5387df31b2a60d172fd38b198bc3deeef4f59200
- SHA256: 18b8b770461734681869971080662175b78e19a7d888dddcc363536960ef9632
- SHA512: 0b42db3e558cf371161a32454bec0d7a5622543c74d7874fb7c3ae1b5d3a32ca8fddcd9fe3f7c4b2fbb49b01614b9e8fd8af72a4b76b6ca8378867f6e68c8003
- SSDEEP: 3072:RjcQPoihTA7yirtDRuxErDP1QeaR+GYp2whoD2cRRkxbx1B9EjwB:RjcQPF7uduerL14UGA2whoD2gK+
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (4 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource                                                                    yara_rule
  behavioral2/memory/964-13-0x0000000000400000-0x0000000000455000-memory.dmp   family_cycbot
  behavioral2/memory/928-14-0x0000000000400000-0x0000000000455000-memory.dmp   family_cycbot
  behavioral2/memory/2420-81-0x0000000000400000-0x0000000000455000-memory.dmp  family_cycbot
  behavioral2/memory/928-187-0x0000000000400000-0x0000000000455000-memory.dmp  family_cycbot
- yara_rule upx (6 IoCs)
  resource                                                                    yara_rule
  behavioral2/memory/928-2-0x0000000000400000-0x0000000000455000-memory.dmp    upx
  behavioral2/memory/964-8-0x0000000000400000-0x0000000000455000-memory.dmp    upx
  behavioral2/memory/964-13-0x0000000000400000-0x0000000000455000-memory.dmp   upx
  behavioral2/memory/928-14-0x0000000000400000-0x0000000000455000-memory.dmp   upx
  behavioral2/memory/2420-81-0x0000000000400000-0x0000000000455000-memory.dmp  upx
  behavioral2/memory/928-187-0x0000000000400000-0x0000000000455000-memory.dmp  upx
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                      pid  Process                                              procid_target
  PID 928 wrote to memory of 964   928  JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe  82
  PID 928 wrote to memory of 964   928  JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe  82
  PID 928 wrote to memory of 964   928  JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe  82
  PID 928 wrote to memory of 2420  928  JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe  87
  PID 928 wrote to memory of 2420  928  JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe  87
  PID 928 wrote to memory of 2420  928  JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe  87
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe (PID: 928)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe (PID: 964)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe (PID: 2420)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 06a6a8ee090fac6804ed6922e1361c31
  SHA1: 7fc13276609d5f2beb18b89a20f68aea9f73215c
  SHA256: ed9c2a8ce17a4260085bc72a35af32d5b0ceb6d755bad1b737fc72dbc6e06ab5
  SHA512: 0ba4ac712a7c785ab832c10712bb79e5bb88695643987ddf33b7c415fafe444d1df54569487ee65cf8cb4473c2adfefd3743011f49316a84934e32f91f47665c
- Filesize: 600B
  MD5: c0bdfad22a062201d18b3568290c71e5
  SHA1: 0a29de4d92ed43d99ad97344bc873d5a86507b48
  SHA256: 7a359c2482da1a713b068917b6d9b57af752ff4f7f749938b6621a5b10fb9480
  SHA512: a49be9e8150a7a087b4e4112819db2e8c7a3e8c327db7b88b839c4e74f8e713bfddb1f0e6f20e520b3c10b0018d654ac86737753a37febb7bc6bf937611c439e
- Filesize: 1KB
  MD5: f93b60c7e3e043520bdf64d11131a0b4
  SHA1: 91050efb5d7a46db1eef79c75fe340968f98820b
  SHA256: 3cae5900d45a19ca1497683d2cc677a4d00cd8dfee41e282d9236d6ba7776037
  SHA512: 09735f473053f34ad604202fe5a6e4f4fb7e3a0c91b528b7b961d7d213d71927b41f9db4772496087b9533545c941e1d06d8f4b3476a4509c703fc2278bbacf9
- Filesize: 996B
  MD5: 7d3d5c9fefa25a8b0c3992c67e4a12da
  SHA1: df4a8ed14a5acf3a39234a9c79425f7f630ae4a1
  SHA256: b206232e5fca9d482b25f91784676d671509e4db9fe96c5eaa7813d856f5085b
  SHA512: d78aa84a01c71f0e8a679f1288ce0aad0bfcf004745206c093d768b5b1a0b768457297999aad8350f7b7cf9ad595a811670fb21cec4e335cf39b9f6399b0eab2