Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/01/2025, 14:06
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe
- Resource: win7-20240903-en
General
- Target: JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe
- Size: 165KB
- MD5: 4050f3601ab7931a0f6db2262ecb25a9
- SHA1: aea77ad2a71dea57b06d824ab8617149e2d1edcc
- SHA256: cd705b00962c246a2513eebce6e3c6b50aed5b3576569006d362a3f16e5b10ea
- SHA512: 1d1ce6495680eb604873297f515f163e9c9145451552158bd897968eab3094e3b8b8ea46e974a15b28b11e9f82a7f64f8569d2c0720d00f30f5a69e140fe2507
- SSDEEP: 3072:hMMbRiYder+FnuJ2PaCZwXPlbPXHVO2oBvQ6xNDCnz1dShLeA184Uum9xVp:hzb0Yd+3Ehih1PoBI6HDw11A184UTxV
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (7 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource | yara_rule
  behavioral2/memory/1644-19-0x0000000000400000-0x0000000000491000-memory.dmp | family_cycbot
  behavioral2/memory/4468-21-0x0000000000400000-0x000000000048E000-memory.dmp | family_cycbot
  behavioral2/memory/4468-22-0x0000000000400000-0x0000000000491000-memory.dmp | family_cycbot
  behavioral2/memory/2224-121-0x0000000000400000-0x0000000000491000-memory.dmp | family_cycbot
  behavioral2/memory/2224-124-0x0000000000400000-0x0000000000491000-memory.dmp | family_cycbot
  behavioral2/memory/4468-125-0x0000000000400000-0x0000000000491000-memory.dmp | family_cycbot
  behavioral2/memory/4468-307-0x0000000000400000-0x0000000000491000-memory.dmp | family_cycbot
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\99E4D\\97B0B.exe" | JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe
- Yara rule upx matched (10 IoCs)
  resource | yara_rule
  behavioral2/memory/4468-4-0x0000000000400000-0x0000000000491000-memory.dmp | upx
  behavioral2/memory/1644-17-0x0000000000400000-0x0000000000491000-memory.dmp | upx
  behavioral2/memory/1644-16-0x0000000000400000-0x0000000000491000-memory.dmp | upx
  behavioral2/memory/1644-19-0x0000000000400000-0x0000000000491000-memory.dmp | upx
  behavioral2/memory/4468-21-0x0000000000400000-0x000000000048E000-memory.dmp | upx
  behavioral2/memory/4468-22-0x0000000000400000-0x0000000000491000-memory.dmp | upx
  behavioral2/memory/2224-121-0x0000000000400000-0x0000000000491000-memory.dmp | upx
  behavioral2/memory/2224-124-0x0000000000400000-0x0000000000491000-memory.dmp | upx
  behavioral2/memory/4468-125-0x0000000000400000-0x0000000000491000-memory.dmp | upx
  behavioral2/memory/4468-307-0x0000000000400000-0x0000000000491000-memory.dmp | upx
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4468 wrote to memory of 1644 | 4468 | JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe | 85
  PID 4468 wrote to memory of 1644 | 4468 | JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe | 85
  PID 4468 wrote to memory of 1644 | 4468 | JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe | 85
  PID 4468 wrote to memory of 2224 | 4468 | JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe | 87
  PID 4468 wrote to memory of 2224 | 4468 | JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe | 87
  PID 4468 wrote to memory of 2224 | 4468 | JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe | 87
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe"
  PID: 4468
  - Modifies WinLogon for persistence
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe startC:\Program Files (x86)\LP\0B09\619.exe%C:\Program Files (x86)\LP\0B09
    PID: 1644
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4050f3601ab7931a0f6db2262ecb25a9.exe startC:\Program Files (x86)\4DB0B\lvvm.exe%C:\Program Files (x86)\4DB0B
    PID: 2224
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads