Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JaffaCakes...88.exe

windows7-x64

10

JaffaCakes...88.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/01/2025, 17:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_afda4e86aec193264031054ce220a488.exe

  • Size

    164KB

  • MD5

    afda4e86aec193264031054ce220a488

  • SHA1

    e509b45d8262cfc6e2d636c41db4ac02ba85054f

  • SHA256

    1d6ffa1e76aaa12880cf4f35a5ec80234497d75337734635adcf811e2b40fc48

  • SHA512

    e5d9bce8514d28e9fad7ec56cd357d6cf2de177ad60d4445a11f5e6b6c18476cf4685dc5086c3133f608127d1d3bdcff4367b7fff3c4cb5aab954bf3b12c3205

  • SSDEEP

    3072:FdJc5HBhuz3BQgObFi4L2rcbqGJwEm1HxU37RcmOg87F5XG3O65bzwT:HJnbBQg2MrjGJwErVfOg8J5XeP53wT

Score
10/10
cycbotbackdoordiscoverypersistenceratupx

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

    backdoorratcycbot
  • Cycbot family
    cycbot
  • Detects Cycbot payload 7 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afda4e86aec193264031054ce220a488.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afda4e86aec193264031054ce220a488.exe"
    1⤵
    • Modifies WinLogon for persistence
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4952
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afda4e86aec193264031054ce220a488.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afda4e86aec193264031054ce220a488.exe startC:\Program Files (x86)\LP\0597\000.exe%C:\Program Files (x86)\LP\0597
      2⤵
        PID:3000
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afda4e86aec193264031054ce220a488.exe
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afda4e86aec193264031054ce220a488.exe startC:\Program Files (x86)\23BDA\lvvm.exe%C:\Program Files (x86)\23BDA
        2⤵
          PID:3004

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\7D723\3BDA.D72
        Filesize

        996B

        MD5

        7c89f644e59ef0eb57840450d4b6d828

        SHA1

        89ce8f94ed487623a7a037fe288947461fa979e8

        SHA256

        5f6004304a2349682bd34dc236ddc1be744be68e906d91eefca8e8d3bc82f4f5

        SHA512

        002076488cedad67e13e6c034990a78dc40f0e899d5c69efd221f4ddb95dffcafa42514f49ac061ab824fe7b99f6894cd8979dbd587202799ac8dc53e55c50c2

        Download Submit

      • C:\Users\Admin\AppData\Roaming\7D723\3BDA.D72
        Filesize

        600B

        MD5

        4d3b9c4d4aaf04354efef7a168312677

        SHA1

        77590cc1ba2c28cae809bd03d683bb880656213a

        SHA256

        0282acc7d847a7352319f0056003876b982343b4b95646b03162e39f21550f35

        SHA512

        d9aafe1c122867cfb8eb649f0b8d39f1a9e9bd119d8ea27c6b27c2829842054e02f94dc9699cec29eca3156dd9a26b436ae08f6d117b097e177a5c8e86440e84

        Download Submit

      • C:\Users\Admin\AppData\Roaming\7D723\3BDA.D72
        Filesize

        1KB

        MD5

        199781c3f0cb5ca369e432c60164f04e

        SHA1

        168c55724666743a02d01ed685a782893cfafaf6

        SHA256

        8490416f181ff1729d771ffa4bcb17db75b1ae62cf80afe556f0c17ac994638c

        SHA512

        a655ad33ad88629e92e9a6c0de9a86ad8889e1879543fe0866f03129cb47598fa184dea4e6f2079220f972b3aff5aaca297e1ef4f07e4ddd7afa366912613765

        Download Submit

      • memory/3000-14-0x0000000000400000-0x0000000000490000-memory.dmp

        Filesize

        576KB

        Download

      • memory/3000-15-0x0000000000400000-0x0000000000490000-memory.dmp

        Filesize

        576KB

        Download

      • memory/3004-144-0x0000000000400000-0x0000000000490000-memory.dmp

        Filesize

        576KB

        Download

      • memory/3004-143-0x0000000000400000-0x0000000000490000-memory.dmp

        Filesize

        576KB

        Download

      • memory/4952-17-0x0000000000400000-0x000000000048E000-memory.dmp

        Filesize

        568KB

        Download

      • memory/4952-16-0x0000000000400000-0x0000000000490000-memory.dmp

        Filesize

        576KB

        Download

      • memory/4952-0-0x0000000000400000-0x0000000000490000-memory.dmp

        Filesize

        576KB

        Download

      • memory/4952-145-0x0000000000400000-0x0000000000490000-memory.dmp

        Filesize

        576KB

        Download

      • memory/4952-3-0x0000000000400000-0x0000000000490000-memory.dmp

        Filesize

        576KB

        Download

      • memory/4952-2-0x0000000000400000-0x000000000048E000-memory.dmp

        Filesize

        568KB

        Download

      • memory/4952-241-0x0000000000400000-0x0000000000490000-memory.dmp

        Filesize

        576KB

        Download

      • memory/4952-304-0x0000000000400000-0x0000000000490000-memory.dmp

        Filesize

        576KB

        Download