Analysis
- max time kernel: 140s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/01/2025, 13:09
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe
Resource: win7-20240903-en
General
- Target: JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe
- Size: 179KB
- MD5: c8af4339c7fb630d478e0241fc27b188
- SHA1: 677027b99189af73c3f8faa1966e91a3fbcec2b9
- SHA256: 17c286f1836dc8b964fa46ed2b68721d6ee5dfbb42ad269a759017f2abf955e3
- SHA512: 766c07d7bce3817c917a08041645f984bdbd89096e284faee223c16663f615fbc014b76207956dfc78e53d17890fb2821de7c2e03e821a1b4227bb688377b05b
- SSDEEP: 3072:nBvzh6VV1JGGmHyq6WlSjDOW99HSuVVMcuohLegBWKdf4EE1zjJnqQdq2/Og1QPS:5t0rJG/qPOYHSqMcfhKVVEQndRGOV
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (5 IoCs)
Cycbot is a backdoor and trojan written in C++.
resource | yara_rule
behavioral2/memory/2892-19-0x0000000000400000-0x0000000000455000-memory.dmp | family_cycbot
behavioral2/memory/4872-20-0x0000000000400000-0x0000000000452000-memory.dmp | family_cycbot
behavioral2/memory/4872-21-0x0000000000400000-0x0000000000455000-memory.dmp | family_cycbot
behavioral2/memory/3472-135-0x0000000000400000-0x0000000000455000-memory.dmp | family_cycbot
behavioral2/memory/4872-322-0x0000000000400000-0x0000000000455000-memory.dmp | family_cycbot
- UPX yara rule matches (9 IoCs)
resource | yara_rule
behavioral2/memory/4872-4-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/2892-15-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/2892-16-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/2892-19-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/4872-20-0x0000000000400000-0x0000000000452000-memory.dmp | upx
behavioral2/memory/4872-21-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/3472-132-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/3472-135-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/4872-322-0x0000000000400000-0x0000000000455000-memory.dmp | upx
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4872 wrote to memory of 2892 | 4872 | JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe | 84
PID 4872 wrote to memory of 2892 | 4872 | JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe | 84
PID 4872 wrote to memory of 2892 | 4872 | JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe | 84
PID 4872 wrote to memory of 3472 | 4872 | JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe | 95
PID 4872 wrote to memory of 3472 | 4872 | JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe | 95
PID 4872 wrote to memory of 3472 | 4872 | JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe | 95
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4872
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe startC:\Program Files (x86)\LP\E796\A08.exe%C:\Program Files (x86)\LP\E796
    - System Location Discovery: System Language Discovery
    PID: 2892
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe startC:\Users\Admin\AppData\Roaming\6432A\828E7.exe%C:\Users\Admin\AppData\Roaming\6432A
    - System Location Discovery: System Language Discovery
    PID: 3472
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 996B
  MD5: b6a7a697247ba10b6bedc9d23a87bedc
  SHA1: 5c7299f580688972f53a1b021b7d438146511b41
  SHA256: ae4a76444faece77783cc27f20d74e09670fdd03dc91e0a8ab8224d3d6110045
  SHA512: 5ae9324b5a7637920441e4b3cbbaba7e0ff99daed667d26aa3328c137bcea48637a7ce107c1f9b0e83dc6fe45bb81ae4f90690d9ac06f24771f9cd82ed79563e
- Filesize: 600B
  MD5: 6c0c69124211b2ae66090d4bd1e690d1
  SHA1: 483fa842f517e032091de86939a1809e78c8d8f7
  SHA256: 77265a49e98e63621a8015e262d4795e3410dac3f301b1cb526f7291f35eb9d9
  SHA512: 646a6de1ba38331318fe0cf4bb49809f92969c6ec1f03c3e6aadcc508e30181b92d09a2d76bf032258a984a7f67ec32c26baf535d6394585701bddb54206e142
- Filesize: 1KB
  MD5: 74619110ba039eba66b9a4faa8b61737
  SHA1: b99bd06f6c8a3783f29ceac356b34d2298d7318c
  SHA256: e0d301dd3c946166145223d10c7db811ca7bafd84cd70cdadeba001bd92c9c4d
  SHA512: b83caae2483c8c720f500233422f475521f85e4a1af985f1bda9160b37dc2baf72b195f5add50e72c9d6e6febbf45015c52fdfb1c9051234a15b802ca06f76bd