Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/01/2025, 13:44 UTC

General

  • Target

    JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe

  • Size

    187KB

  • MD5

    5787714b5e0d7a8637009e5dd6a91a58

  • SHA1

    549626c9602412bcd27712c44531ced2ed443200

  • SHA256

    0d6bfde6fd87862c17ec21189950d9bf07b51793c704023f717129ec65b367e6

  • SHA512

    0445fdfcc8a5c4963c7fd63f4b145bb55cdcc74f9972340b548b9b4cda51807724d9898e3846a1d300ef59be776dab71c14466e24b8a6dd6c770f5c66e7c03b4

  • SSDEEP

    3072:is04FXKn40nNqekDdjvb9Eo7JjMe6i6V68fh0bSaJQtBZ2FoAEzuFKjVf1SF1KxB:isfFSqekDdVEo7Jj76lfOQtDYEq98x/5

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 6 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2916
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3024

Network

  • flag-us
    DNS
    rossroadbags.com
    JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
    Remote address:
    8.8.8.8:53
    Request
    rossroadbags.com
    IN A
    Response
  • flag-us
    DNS
    zonetf.com
    JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
    Remote address:
    8.8.8.8:53
    Request
    zonetf.com
    IN A
    Response
    zonetf.com
    IN A
    76.223.54.146
    zonetf.com
    IN A
    13.248.169.48
  • flag-us
    DNS
    zonetf.com
    JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
    Remote address:
    8.8.8.8:53
    Request
    zonetf.com
    IN A
  • flag-us
    DNS
    freemaildotaccess.com
    JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
    Remote address:
    8.8.8.8:53
    Request
    freemaildotaccess.com
    IN A
    Response
  • flag-us
    DNS
    differentdata-one.com
    JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
    Remote address:
    8.8.8.8:53
    Request
    differentdata-one.com
    IN A
    Response
  • flag-us
    DNS
    www.google.com
    JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
    Remote address:
    8.8.8.8:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    172.217.16.228
  • flag-gb
    GET
    http://www.google.com/
    JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
    Remote address:
    172.217.16.228:80
    Request
    GET / HTTP/1.0
    Connection: close
    Host: www.google.com
    Accept: */*
    Response
    HTTP/1.0 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGPzh6LwGIjDFfhUOtvCMXB-3CxyAGHvYKmEExWrgm0MFgOBS6K5SrJhBxuC8BZJ9Qzxc2D2oD3AyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwI_OHovAYQ8azcjgMSBLXXsFM
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-7oypwNmXr_2R0u-Rw54gtQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Wed, 29 Jan 2025 13:45:32 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AVcja2eDdyNM7JxtsZfnLGaUv1yfZnRGCS2Rvmgp4GswvPKoPQlxI_aVK4E; expires=Mon, 28-Jul-2025 13:45:32 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
  • flag-us
    DNS
    zoneom.com
    JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
    Remote address:
    8.8.8.8:53
    Request
    zoneom.com
    IN A
    Response
    zoneom.com
    IN A
    76.223.67.189
    zoneom.com
    IN A
    13.248.213.45
  • flag-us
    GET
    http://zoneom.com/images/im133.jpg?tq=gHZutDyMv5rJeyG1J8K%2B1MWCJbP4lltXIA%3D%3D
    JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
    Remote address:
    76.223.67.189:80
    Request
    GET /images/im133.jpg?tq=gHZutDyMv5rJeyG1J8K%2B1MWCJbP4lltXIA%3D%3D HTTP/1.0
    Connection: close
    Host: zoneom.com
    Accept: */*
    User-Agent: opera/8.11
    Response
    HTTP/1.0 200 OK
    content-type: text/html
    date: Wed, 29 Jan 2025 13:45:33 GMT
    content-length: 160
  • flag-gb
    GET
    http://www.google.com/
    JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
    Remote address:
    172.217.16.228:80
    Request
    GET / HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
    Response
    HTTP/1.1 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGIni6LwGIjBDfaeOMSAL6U94o2d0xOh71FS1IHV7wN4uG6mXOtf-gU-d8BvD8aKdlXXEhkU3o-oyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwIieLovAYQ_Pr_xQISBLXXsFM
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-KO5WgIxvuaHr7b_0insDeA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Wed, 29 Jan 2025 13:45:45 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AVcja2dFbXzSpD1op8EAjyqtIzVz23G2g3XW1T8gqDZYnoQqxum3vZuCSw; expires=Mon, 28-Jul-2025 13:45:45 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
    Connection: close
  • flag-gb
    GET
    http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGIni6LwGIjBDfaeOMSAL6U94o2d0xOh71FS1IHV7wN4uG6mXOtf-gU-d8BvD8aKdlXXEhkU3o-oyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
    Remote address:
    172.217.16.228:80
    Request
    GET /sorry/index?continue=http://www.google.com/&q=EgS117BTGIni6LwGIjBDfaeOMSAL6U94o2d0xOh71FS1IHV7wN4uG6mXOtf-gU-d8BvD8aKdlXXEhkU3o-oyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
    Response
    HTTP/1.1 429 Too Many Requests
    Date: Wed, 29 Jan 2025 13:45:46 GMT
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Content-Type: text/html
    Server: HTTP server (unknown)
    Content-Length: 3075
    X-XSS-Protection: 0
    Connection: close
  • 76.223.54.146:80
    zonetf.com
    JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
    152 B
    3
  • 172.217.16.228:80
    http://www.google.com/
    http
    JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
    394 B
    1.5kB
    7
    6

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 76.223.67.189:80
    http://zoneom.com/images/im133.jpg?tq=gHZutDyMv5rJeyG1J8K%2B1MWCJbP4lltXIA%3D%3D
    http
    JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
    430 B
    514 B
    6
    6

    HTTP Request

    GET http://zoneom.com/images/im133.jpg?tq=gHZutDyMv5rJeyG1J8K%2B1MWCJbP4lltXIA%3D%3D

    HTTP Response

    200
  • 172.217.16.228:80
    http://www.google.com/
    http
    JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
    691 B
    1.5kB
    10
    6

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 127.0.0.1:56788
    JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
  • 172.217.16.228:80
    http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGIni6LwGIjBDfaeOMSAL6U94o2d0xOh71FS1IHV7wN4uG6mXOtf-gU-d8BvD8aKdlXXEhkU3o-oyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    http
    JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
    526 B
    3.7kB
    6
    7

    HTTP Request

    GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGIni6LwGIjBDfaeOMSAL6U94o2d0xOh71FS1IHV7wN4uG6mXOtf-gU-d8BvD8aKdlXXEhkU3o-oyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

    HTTP Response

    429
  • 127.0.0.1:56788
    JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
  • 8.8.8.8:53
    rossroadbags.com
    dns
    JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
    62 B
    135 B
    1
    1

    DNS Request

    rossroadbags.com

  • 8.8.8.8:53
    zonetf.com
    dns
    JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
    112 B
    88 B
    2
    1

    DNS Request

    zonetf.com

    DNS Request

    zonetf.com

    DNS Response

    76.223.54.146
    13.248.169.48

  • 8.8.8.8:53
    freemaildotaccess.com
    dns
    JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
    67 B
    140 B
    1
    1

    DNS Request

    freemaildotaccess.com

  • 8.8.8.8:53
    differentdata-one.com
    dns
    JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
    67 B
    140 B
    1
    1

    DNS Request

    differentdata-one.com

  • 8.8.8.8:53
    www.google.com
    dns
    JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    172.217.16.228

  • 8.8.8.8:53
    zoneom.com
    dns
    JaffaCakes118_5787714b5e0d7a8637009e5dd6a91a58.exe
    56 B
    88 B
    1
    1

    DNS Request

    zoneom.com

    DNS Response

    76.223.67.189
    13.248.213.45

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\F399.42A

    Filesize

    1KB

    MD5

    a48817801b6815814ffe0f5b614d881b

    SHA1

    4cd3f805d19f89ca1a602c350f61a8896609d3f9

    SHA256

    ca01657d3d6ffd06588b8b640db273c7d9f3f23904649c4b20e08b3c22563c35

    SHA512

    d07b16e48570c846fc2468cdcfd34523dc6ad98389f7f13f17b4494b9607c7528d999575d9a615863b3b285f57d9279c43712be596461e7949f2c187a11e4024

  • C:\Users\Admin\AppData\Roaming\F399.42A

    Filesize

    600B

    MD5

    4a57e37613aec8c047cf91beedd7691f

    SHA1

    087c654fc2e66c4825970372dea5bea55927544e

    SHA256

    9f3046e64948ea702a2fd0ad7ce94506f467c3f828fe7c33d241589ed81e503c

    SHA512

    ac1f66da02da92bb20f1dbfb3a758f950ad86c0180ee2c828111093f6b3947ad047ef0d885e5d0586fbe5fc651f533f87e0150cc3bbdd4ee3712401a4f8dd66c

  • C:\Users\Admin\AppData\Roaming\F399.42A

    Filesize

    996B

    MD5

    f95d33aeddf02f81def492bb4ec16432

    SHA1

    99e88129786733bcd005fe3663f50dd66d141c11

    SHA256

    0d84fc923d4a130e17eb274a6d065716003654fd22102bbbe41240f6b051f90a

    SHA512

    b5161071041f6588ffd096f4a32c44ef44ffb16ab9dcc3f11c47d790eefc28df4e5eaaf8ad64cb07790689b6adb55e48f38403e332810e6450d277ac4cb643fc

  • memory/2376-1-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/2376-2-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/2376-15-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/2376-75-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/2376-174-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/2376-179-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/2916-5-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/2916-6-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/3024-74-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB
