Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18/01/2025, 17:21
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_afda4e86aec193264031054ce220a488.exe
Resource
win7-20240729-en
General
-
Target
JaffaCakes118_afda4e86aec193264031054ce220a488.exe
-
Size
164KB
-
MD5
afda4e86aec193264031054ce220a488
-
SHA1
e509b45d8262cfc6e2d636c41db4ac02ba85054f
-
SHA256
1d6ffa1e76aaa12880cf4f35a5ec80234497d75337734635adcf811e2b40fc48
-
SHA512
e5d9bce8514d28e9fad7ec56cd357d6cf2de177ad60d4445a11f5e6b6c18476cf4685dc5086c3133f608127d1d3bdcff4367b7fff3c4cb5aab954bf3b12c3205
-
SSDEEP
3072:FdJc5HBhuz3BQgObFi4L2rcbqGJwEm1HxU37RcmOg87F5XG3O65bzwT:HJnbBQg2MrjGJwErVfOg8J5XeP53wT
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 7 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral2/memory/3000-15-0x0000000000400000-0x0000000000490000-memory.dmp family_cycbot behavioral2/memory/4952-16-0x0000000000400000-0x0000000000490000-memory.dmp family_cycbot behavioral2/memory/4952-17-0x0000000000400000-0x000000000048E000-memory.dmp family_cycbot behavioral2/memory/3004-144-0x0000000000400000-0x0000000000490000-memory.dmp family_cycbot behavioral2/memory/4952-145-0x0000000000400000-0x0000000000490000-memory.dmp family_cycbot behavioral2/memory/4952-241-0x0000000000400000-0x0000000000490000-memory.dmp family_cycbot behavioral2/memory/4952-304-0x0000000000400000-0x0000000000490000-memory.dmp family_cycbot -
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\7D723\\77105.exe" JaffaCakes118_afda4e86aec193264031054ce220a488.exe -
resource yara_rule behavioral2/memory/4952-3-0x0000000000400000-0x0000000000490000-memory.dmp upx behavioral2/memory/3000-14-0x0000000000400000-0x0000000000490000-memory.dmp upx behavioral2/memory/3000-15-0x0000000000400000-0x0000000000490000-memory.dmp upx behavioral2/memory/4952-16-0x0000000000400000-0x0000000000490000-memory.dmp upx behavioral2/memory/4952-17-0x0000000000400000-0x000000000048E000-memory.dmp upx behavioral2/memory/3004-143-0x0000000000400000-0x0000000000490000-memory.dmp upx behavioral2/memory/3004-144-0x0000000000400000-0x0000000000490000-memory.dmp upx behavioral2/memory/4952-145-0x0000000000400000-0x0000000000490000-memory.dmp upx behavioral2/memory/4952-241-0x0000000000400000-0x0000000000490000-memory.dmp upx behavioral2/memory/4952-304-0x0000000000400000-0x0000000000490000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_afda4e86aec193264031054ce220a488.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4952 wrote to memory of 3000 4952 JaffaCakes118_afda4e86aec193264031054ce220a488.exe 82 PID 4952 wrote to memory of 3000 4952 JaffaCakes118_afda4e86aec193264031054ce220a488.exe 82 PID 4952 wrote to memory of 3000 4952 JaffaCakes118_afda4e86aec193264031054ce220a488.exe 82 PID 4952 wrote to memory of 3004 4952 JaffaCakes118_afda4e86aec193264031054ce220a488.exe 83 PID 4952 wrote to memory of 3004 4952 JaffaCakes118_afda4e86aec193264031054ce220a488.exe 83 PID 4952 wrote to memory of 3004 4952 JaffaCakes118_afda4e86aec193264031054ce220a488.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afda4e86aec193264031054ce220a488.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afda4e86aec193264031054ce220a488.exe"1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afda4e86aec193264031054ce220a488.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afda4e86aec193264031054ce220a488.exe startC:\Program Files (x86)\LP\0597\000.exe%C:\Program Files (x86)\LP\05972⤵PID:3000
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afda4e86aec193264031054ce220a488.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afda4e86aec193264031054ce220a488.exe startC:\Program Files (x86)\23BDA\lvvm.exe%C:\Program Files (x86)\23BDA2⤵PID:3004
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
996B
MD57c89f644e59ef0eb57840450d4b6d828
SHA189ce8f94ed487623a7a037fe288947461fa979e8
SHA2565f6004304a2349682bd34dc236ddc1be744be68e906d91eefca8e8d3bc82f4f5
SHA512002076488cedad67e13e6c034990a78dc40f0e899d5c69efd221f4ddb95dffcafa42514f49ac061ab824fe7b99f6894cd8979dbd587202799ac8dc53e55c50c2
-
Filesize
600B
MD54d3b9c4d4aaf04354efef7a168312677
SHA177590cc1ba2c28cae809bd03d683bb880656213a
SHA2560282acc7d847a7352319f0056003876b982343b4b95646b03162e39f21550f35
SHA512d9aafe1c122867cfb8eb649f0b8d39f1a9e9bd119d8ea27c6b27c2829842054e02f94dc9699cec29eca3156dd9a26b436ae08f6d117b097e177a5c8e86440e84
-
Filesize
1KB
MD5199781c3f0cb5ca369e432c60164f04e
SHA1168c55724666743a02d01ed685a782893cfafaf6
SHA2568490416f181ff1729d771ffa4bcb17db75b1ae62cf80afe556f0c17ac994638c
SHA512a655ad33ad88629e92e9a6c0de9a86ad8889e1879543fe0866f03129cb47598fa184dea4e6f2079220f972b3aff5aaca297e1ef4f07e4ddd7afa366912613765