Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JaffaCakes...48.exe

windows7-x64

10

JaffaCakes...48.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18/01/2025, 11:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_a8e2cf6a25721f952dda89462fc24f48.exe

  • Size

    168KB

  • MD5

    a8e2cf6a25721f952dda89462fc24f48

  • SHA1

    abb2516094632adec98866e4c747f2e98bd1cd62

  • SHA256

    7647144af87d28b5485c4088a4810eaccdf7863f4aac2a5d25af432fde9514c7

  • SHA512

    9ef15dc5aecb57cc00e1a2d394053ffdb5b25decfe82b9b54e36b551ccb6f4660ed0e03d25576e33f3f0a3f9e81361243b876f1b9fba5f233f69e1684419af53

  • SSDEEP

    3072:BZ5QcpRU9FqIbP9vb15OL4AuvTY5pbmMxnsMZ3ysHZIhAu9/gmYb2afbGwlDl:BZ5QsU9Fd775oGM1Z3pHdk/gmYb2DwlJ

Score
10/10
cycbotbackdoordiscoverypersistenceratspywarestealerupx

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

    backdoorratcycbot
  • Cycbot family
    cycbot
  • Detects Cycbot payload 6 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a8e2cf6a25721f952dda89462fc24f48.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a8e2cf6a25721f952dda89462fc24f48.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a8e2cf6a25721f952dda89462fc24f48.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a8e2cf6a25721f952dda89462fc24f48.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1488
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a8e2cf6a25721f952dda89462fc24f48.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a8e2cf6a25721f952dda89462fc24f48.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3052

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\22DD.983
    Filesize

    1KB

    MD5

    1d5209c09e9375343d37886ff04fa541

    SHA1

    acec5aa8fbf56107434729bad204475e8e058b47

    SHA256

    51a95c08834cddac2873946de3461439867c0cceb3edcb247b6e8c4c829b723c

    SHA512

    15fa546a80104fb029cd172a652daab82c65bf312bf4ebae89e6cfb8f9d110576bf93364e4340dfdbbd04c7aa60cdcb2d4125fe9aeec8a7b5d1dc12cf1d286c8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\22DD.983
    Filesize

    600B

    MD5

    bea2775fde907ebbbab7225a1046c244

    SHA1

    5e23bd84cd5b0fe97f94bd10ee5382d4c5571286

    SHA256

    a3da211e2f972722da1b1925058ed8f40e11581f599358ca4aa4381abe78237b

    SHA512

    21f145db7ab07f99744b9b829084aa3500e294558389703be0b097458fd9d3e233a1e5aa0dd0f3c111e13103d74aad56f66d1f6b5745d7c45418bcf21f4a380b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\22DD.983
    Filesize

    996B

    MD5

    0f391423f9f5a20eea23ea512d6bef1b

    SHA1

    50d6a423b8579e9d50dee2500b39e6e3b2bb92cf

    SHA256

    fab21c84382aaff8dfcd5db17dea8e35915b0decae04e79e808f1e019ecd9422

    SHA512

    77fd6091f88ea7b3fe1c9fabd2f8894c604e644167137702b69a22dbebc5098f2bba214624001da2d9c81029bf7ac1cea7eab2a2771b64d039f8500891cbf22f

    Download Submit

  • memory/1488-5-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/1488-8-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/1488-6-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2396-15-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2396-69-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2396-1-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2396-131-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2396-2-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2396-163-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/3052-71-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download