Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system -
submitted
29/01/2025, 14:58 UTC
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe
Resource
win7-20241010-en
General
-
Target
JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe
-
Size
160KB
-
MD5
583263a359b914b176d69a88b3646dbf
-
SHA1
d89e452870806ce5b381c0383bcc21fdca21f2b3
-
SHA256
615c81c523e0d149c6028933b738ce73cac4635c89c628abf5bb3dd9ea7b0acd
-
SHA512
d89e6dad243b0d6be37f98405070ac67283ce517a6f9d9e47697fbbf8a63cd24d38671baa26ce8b9f91419775f1697f64e9648b522da4571f3af3c0720fbc354
-
SSDEEP
3072:XZos/wh/aG0cV/2EfaSV6UjZkbPhcslzQKzH7lre:ms/wh/ayVBJVGF5QKv
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 6 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral2/memory/2988-15-0x0000000000400000-0x0000000000491000-memory.dmp family_cycbot behavioral2/memory/1772-16-0x0000000000400000-0x000000000048E000-memory.dmp family_cycbot behavioral2/memory/1772-17-0x0000000000400000-0x0000000000491000-memory.dmp family_cycbot behavioral2/memory/3716-121-0x0000000000400000-0x0000000000491000-memory.dmp family_cycbot behavioral2/memory/1772-122-0x0000000000400000-0x0000000000491000-memory.dmp family_cycbot behavioral2/memory/1772-300-0x0000000000400000-0x0000000000491000-memory.dmp family_cycbot -
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\868DC\\F98B7.exe" JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe -
resource yara_rule behavioral2/memory/1772-3-0x0000000000400000-0x0000000000491000-memory.dmp upx behavioral2/memory/2988-14-0x0000000000400000-0x0000000000491000-memory.dmp upx behavioral2/memory/2988-15-0x0000000000400000-0x0000000000491000-memory.dmp upx behavioral2/memory/1772-16-0x0000000000400000-0x000000000048E000-memory.dmp upx behavioral2/memory/1772-17-0x0000000000400000-0x0000000000491000-memory.dmp upx behavioral2/memory/3716-119-0x0000000000400000-0x0000000000491000-memory.dmp upx behavioral2/memory/3716-121-0x0000000000400000-0x0000000000491000-memory.dmp upx behavioral2/memory/1772-122-0x0000000000400000-0x0000000000491000-memory.dmp upx behavioral2/memory/1772-300-0x0000000000400000-0x0000000000491000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1772 wrote to memory of 2988 1772 JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe 85 PID 1772 wrote to memory of 2988 1772 JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe 85 PID 1772 wrote to memory of 2988 1772 JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe 85 PID 1772 wrote to memory of 3716 1772 JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe 86 PID 1772 wrote to memory of 3716 1772 JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe 86 PID 1772 wrote to memory of 3716 1772 JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe"1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_583263a359b914b176d69a88b3646dbf.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe startC:\Program Files (x86)\LP\B758\83B.exe%C:\Program Files (x86)\LP\B7582⤵PID:2988
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_583263a359b914b176d69a88b3646dbf.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe startC:\Program Files (x86)\DC289\lvvm.exe%C:\Program Files (x86)\DC2892⤵PID:3716
-
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request136.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request13.153.16.2.in-addr.arpaIN PTRResponse13.153.16.2.in-addr.arpaIN PTRa2-16-153-13deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request26.35.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestistockanalyst.comIN AResponseistockanalyst.comIN A104.21.96.1istockanalyst.comIN A104.21.112.1istockanalyst.comIN A104.21.48.1istockanalyst.comIN A104.21.16.1istockanalyst.comIN A104.21.80.1istockanalyst.comIN A104.21.64.1istockanalyst.comIN A104.21.32.1
-
GEThttp://istockanalyst.com/png/intel.gif?sv=773&tq=gwY92w4Amr8cy8rnO1YXXQmVjcybSIGameQZUOSfataUU91jKvgiNm%2F1C%2BRw9Nk7SpF7nq7uOw1XSoAcQM9sJpTk0lh0ZA3%2BbaF%2BW2Twp9zuVG0ZIUZ7zgJriZIwNqmpq73sG6DtUb%2BhFd6kZQbY0ULQ0jwsCSbFnTCLh%2Fxs3S84J44DrHrL0MAbRK%2FvfA9Z6rQkPMG25rX7KcX%2FnBxcaQQWiWfDN80vJKI%2B4prTCt1xvTAg1GUTOojHOQ3u0PoN%2F4SjDfGL7gAjhkau8f%2F36dh4%2B%2Fv57AB8C9WZY1BmMNfZHXMxJaffaCakes118_583263a359b914b176d69a88b3646dbf.exeRemote address:104.21.96.1:80RequestGET /png/intel.gif?sv=773&tq=gwY92w4Amr8cy8rnO1YXXQmVjcybSIGameQZUOSfataUU91jKvgiNm%2F1C%2BRw9Nk7SpF7nq7uOw1XSoAcQM9sJpTk0lh0ZA3%2BbaF%2BW2Twp9zuVG0ZIUZ7zgJriZIwNqmpq73sG6DtUb%2BhFd6kZQbY0ULQ0jwsCSbFnTCLh%2Fxs3S84J44DrHrL0MAbRK%2FvfA9Z6rQkPMG25rX7KcX%2FnBxcaQQWiWfDN80vJKI%2B4prTCt1xvTAg1GUTOojHOQ3u0PoN%2F4SjDfGL7gAjhkau8f%2F36dh4%2B%2Fv57AB8C9WZY1BmMNfZHXMx HTTP/1.0
Connection: close
Host: istockanalyst.com
Accept: */*
User-Agent: chrome/9.0
ResponseHTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: close
Cache-Control: max-age=3600
Expires: Thu, 30 Jan 2025 16:35:52 GMT
Location: https://istockanalyst.com/png/intel.gif?sv=773&tq=gwY92w4Amr8cy8rnO1YXXQmVjcybSIGameQZUOSfataUU91jKvgiNm%2F1C%2BRw9Nk7SpF7nq7uOw1XSoAcQM9sJpTk0lh0ZA3%2BbaF%2BW2Twp9zuVG0ZIUZ7zgJriZIwNqmpq73sG6DtUb%2BhFd6kZQbY0ULQ0jwsCSbFnTCLh%2Fxs3S84J44DrHrL0MAbRK%2FvfA9Z6rQkPMG25rX7KcX%2FnBxcaQQWiWfDN80vJKI%2B4prTCt1xvTAg1GUTOojHOQ3u0PoN%2F4SjDfGL7gAjhkau8f%2F36dh4%2B%2Fv57AB8C9WZY1BmMNfZHXMx
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BI1MAtwONjrmzIzjnJZvysUwH%2FV2arq9L4B1uAaSE1fvflquLhPzoshTywg8l9WmQosgDtSWlKYsX5cybSkhK0g4pEwHiBElZrXtxP2ikrGq%2B8n9F7YvsFzvSN9eycGcvyrC5g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90a288cb1e32ef25-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=26023&min_rtt=26023&rtt_var=13011&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=453&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
-
Remote address:8.8.8.8:53Request1.96.21.104.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestm0tz8.extremeshools.comIN AResponse
-
Remote address:8.8.8.8:53Request0hai5yzc.datamediaarchive.comIN AResponse
-
Remote address:8.8.8.8:53Request212.20.149.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request206.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requests95fd.mediastoreplus.comIN AResponse
-
Remote address:8.8.8.8:53Request85.49.80.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestwww.google.comIN AResponsewww.google.comIN A172.217.16.228
-
Remote address:172.217.16.228:80RequestGET / HTTP/1.0
Connection: close
Host: www.google.com
Accept: */*
ResponseHTTP/1.0 302 Found
x-hallmonitor-challenge: CgwIlbnuvAYQ75vIigESBLXXsFM
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-FhHomiu5qQ6hrxQVWnV90g' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Thu, 30 Jan 2025 15:36:53 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AVcja2evyYZnEcbFgpcs3P69wyAn_6eqYAxDiFKMCuzioK7HDu7gNwzGkg; expires=Tue, 29-Jul-2025 15:36:53 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
-
Remote address:172.217.16.228:80RequestGET / HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com
ResponseHTTP/1.1 302 Found
x-hallmonitor-challenge: CgwIlbnuvAYQ-t7jgAMSBLXXsFM
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-nsUau5KoZo7LTdv3jthBxw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Thu, 30 Jan 2025 15:36:53 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AVcja2cTuJpppcXP3Z5_g0FCe91k5Hgx-9OPs42G-U85kpJFSeTW_HiM3gA; expires=Tue, 29-Jul-2025 15:36:53 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Connection: close
-
Remote address:8.8.8.8:53Request228.16.217.172.in-addr.arpaIN PTRResponse228.16.217.172.in-addr.arpaIN PTRlhr48s28-in-f41e100net228.16.217.172.in-addr.arpaIN PTRmad08s04-in-f4�H
-
GEThttp://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGJW57rwGIjBWvWWT3I3PsxCGYFwwbS5OTh-NARqrlfOZogjMZRY_IfMrbhl72kgsC4LPNG3aJs4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMJaffaCakes118_583263a359b914b176d69a88b3646dbf.exeRemote address:172.217.16.228:80RequestGET /sorry/index?continue=http://www.google.com/&q=EgS117BTGJW57rwGIjBWvWWT3I3PsxCGYFwwbS5OTh-NARqrlfOZogjMZRY_IfMrbhl72kgsC4LPNG3aJs4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com
ResponseHTTP/1.1 429 Too Many Requests
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
Server: HTTP server (unknown)
Content-Length: 3075
X-XSS-Protection: 0
Connection: close
-
Remote address:8.8.8.8:53Request11.153.16.2.in-addr.arpaIN PTRResponse11.153.16.2.in-addr.arpaIN PTRa2-16-153-11deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request21.236.111.52.in-addr.arpaIN PTRResponse
-
104.21.96.1:80http://istockanalyst.com/png/intel.gif?sv=773&tq=gwY92w4Amr8cy8rnO1YXXQmVjcybSIGameQZUOSfataUU91jKvgiNm%2F1C%2BRw9Nk7SpF7nq7uOw1XSoAcQM9sJpTk0lh0ZA3%2BbaF%2BW2Twp9zuVG0ZIUZ7zgJriZIwNqmpq73sG6DtUb%2BhFd6kZQbY0ULQ0jwsCSbFnTCLh%2Fxs3S84J44DrHrL0MAbRK%2FvfA9Z6rQkPMG25rX7KcX%2FnBxcaQQWiWfDN80vJKI%2B4prTCt1xvTAg1GUTOojHOQ3u0PoN%2F4SjDfGL7gAjhkau8f%2F36dh4%2B%2Fv57AB8C9WZY1BmMNfZHXMxhttpJaffaCakes118_583263a359b914b176d69a88b3646dbf.exe729 B 1.6kB 6 6
HTTP Request
GET http://istockanalyst.com/png/intel.gif?sv=773&tq=gwY92w4Amr8cy8rnO1YXXQmVjcybSIGameQZUOSfataUU91jKvgiNm%2F1C%2BRw9Nk7SpF7nq7uOw1XSoAcQM9sJpTk0lh0ZA3%2BbaF%2BW2Twp9zuVG0ZIUZ7zgJriZIwNqmpq73sG6DtUb%2BhFd6kZQbY0ULQ0jwsCSbFnTCLh%2Fxs3S84J44DrHrL0MAbRK%2FvfA9Z6rQkPMG25rX7KcX%2FnBxcaQQWiWfDN80vJKI%2B4prTCt1xvTAg1GUTOojHOQ3u0PoN%2F4SjDfGL7gAjhkau8f%2F36dh4%2B%2Fv57AB8C9WZY1BmMNfZHXMxHTTP Response
301 -
-
-
-
-
302 B 1.5kB 5 5
HTTP Request
GET http://www.google.com/HTTP Response
302 -
307 B 1.5kB 5 5
HTTP Request
GET http://www.google.com/HTTP Response
302 -
172.217.16.228:80http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGJW57rwGIjBWvWWT3I3PsxCGYFwwbS5OTh-NARqrlfOZogjMZRY_IfMrbhl72kgsC4LPNG3aJs4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMhttpJaffaCakes118_583263a359b914b176d69a88b3646dbf.exe526 B 3.7kB 6 7
HTTP Request
GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGJW57rwGIjBWvWWT3I3PsxCGYFwwbS5OTh-NARqrlfOZogjMZRY_IfMrbhl72kgsC4LPNG3aJs4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMHTTP Response
429 -
-
-
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
136.32.126.40.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
13.153.16.2.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
26.35.223.20.in-addr.arpa
-
63 B 175 B 1 1
DNS Request
istockanalyst.com
DNS Response
104.21.96.1104.21.112.1104.21.48.1104.21.16.1104.21.80.1104.21.64.1104.21.32.1
-
70 B 132 B 1 1
DNS Request
1.96.21.104.in-addr.arpa
-
168 B 3
-
69 B 142 B 1 1
DNS Request
m0tz8.extremeshools.com
-
75 B 148 B 1 1
DNS Request
0hai5yzc.datamediaarchive.com
-
72 B 146 B 1 1
DNS Request
212.20.149.52.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
206.23.85.13.in-addr.arpa
-
70 B 143 B 1 1
DNS Request
s95fd.mediastoreplus.com
-
70 B 145 B 1 1
DNS Request
85.49.80.91.in-addr.arpa
-
60 B 76 B 1 1
DNS Request
www.google.com
DNS Response
172.217.16.228
-
73 B 140 B 1 1
DNS Request
228.16.217.172.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
11.153.16.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
21.236.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
996B
MD548e1b2f1bf39bb626a3651b64095f024
SHA148dbea60c10c3b17c4daba915cfdf5336abb9466
SHA256e6736b612b2c69448f1823f98fe601ae2c4be740feb4c15c26de625aa72bc92d
SHA51270e29b05331df56999491f19f498ae2a6a4d372562e0afa5cc60b507c627db1c94a8d995f619c949c59af8b444ca9e61381c24c988862b2f7aac13584d7d555e
-
Filesize
600B
MD5dc88d9090d4414233e689e9b1650dac0
SHA1b61584a493058b7a55e0afed285b0be8a6dc9842
SHA256b00c0a054a13aff7059a8c6e167335d7f7d8284d41f872eb88b1dbfd7478727a
SHA512f0fab6289d3104d93e99f53dc3a5e67b990eec8e05446ad3316561ffb829fe2a1f51211f5e66ccfcc5642f0a8ffaa3bb1dba2ce1955f850243deae815d235fb5
-
Filesize
1KB
MD5aa7acb89b375688e330d8ab52f0e9076
SHA126c05967716e3d0f2f4e9334270d68499775321b
SHA256789c38d0dbcc5d44c185b49280f511106659bae533abade8b32501e1474f1aeb
SHA5124003a99d90e519bff3119ece1dc1b4e59f5664843a6e08158b9fc8d94a43d6240a9a0bc71dfc24ad3c630006d770ac500b4fc63f61738ed3d20abbed7835578c