Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JaffaCakes...10.exe

windows7-x64

10

JaffaCakes...10.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    140s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    18/01/2025, 13:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_ab1511354f5335345c749c1fdae82c10.exe

  • Size

    171KB

  • MD5

    ab1511354f5335345c749c1fdae82c10

  • SHA1

    c537e09103702ef7721ead2ee3cccfa114f23a92

  • SHA256

    7c9bbd2f437323203827b635edce5270ccc1d725540bf4c0050c38d60cb86486

  • SHA512

    0c5f2541c0cad358f2aabf0294349f9c5c01af9e8586bb63cc12096ab181ac41827de5f49cc641ac4eeccedf1815798765b448509b7d51854d9869ce05e70500

  • SSDEEP

    3072:/9ocr+PgxoG7R/T4Js8o1xlPU6GYYdNeYT/vYRwxR7QCBZwPPB9RfRn/FDyJ6:/VyGvt20vl6YYdNeWYRwzEXPpjGJ6

Score
10/10
cycbotbackdoordiscoverypersistenceratspywarestealerupx

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

    backdoorratcycbot
  • Cycbot family
    cycbot
  • Detects Cycbot payload 6 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab1511354f5335345c749c1fdae82c10.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab1511354f5335345c749c1fdae82c10.exe"
    1⤵
    • Modifies WinLogon for persistence
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab1511354f5335345c749c1fdae82c10.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab1511354f5335345c749c1fdae82c10.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2284
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab1511354f5335345c749c1fdae82c10.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab1511354f5335345c749c1fdae82c10.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\D1F3.A63
    Filesize

    1KB

    MD5

    589e1aa36c577e272c5cbc6807965807

    SHA1

    573579a955fa6d43f7ed14730dadea5b551a471b

    SHA256

    f0aabbc83177d1074c05a1755f8a42d147c80fddd172b15e0ca27e4eacbf2273

    SHA512

    7d45d9c673ce6bb7315948bee33281e76fac399d5a14685fb76477113ec1d3447145696f4e8e2f92e3240a1a7797085eebf6a56030aec813ac541212846ada00

    Download Submit

  • C:\Users\Admin\AppData\Roaming\D1F3.A63
    Filesize

    600B

    MD5

    aa542b4acc3329b8d257bea636501790

    SHA1

    77bd224fd9e13dd5227b6ae2b778312cd66f6495

    SHA256

    b8fb839b6a0fe326f03d37e5b10776093eabc86201fd4412d4bac7e1094406d2

    SHA512

    1092809ca7ed277c5a3171a38acba4f907c45e94cd0581627604b1b8c13bb6b8b0c073b64f3e44bda2ed9ea3760554e02ccfdc9f5cb8c388753082cb6f34e381

    Download Submit

  • C:\Users\Admin\AppData\Roaming\D1F3.A63
    Filesize

    996B

    MD5

    16fe494591f59b13e67a86c6519c0f32

    SHA1

    1bfbbc8d7f6c4042b19c09adb733bd8f77121060

    SHA256

    1abcccb83ce151f8fd05619771e60a09237760ec7b327b0713409a4af861c18d

    SHA512

    dcc36e8048f01892d2ab8a7a5845cc8a210f90b8dafe57631b077b79852121985f74aeabfeb7a78ba6447036fdb48cd7eaf039c112277919f801a64a5400e3e8

    Download Submit

  • memory/840-75-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/840-77-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2284-5-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2284-6-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2284-8-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2408-16-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2408-73-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2408-2-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2408-1-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2408-187-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download