Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
02/02/2025, 00:21 UTC
General
-
Target
JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe
-
Size
178KB
-
MD5
771873432a46048391d86de0cf6e6ebb
-
SHA1
5a07c7e3345210329d4d0cc17a6e1d86585b121d
-
SHA256
63130c80578b44d6ba0c7f7c13cfb4e893967a81608d0ec8993dfe6020f268c3
-
SHA512
30ee54e452069c52253d92360a5cd94fb33747319f7263de4d3383477601b47ccc41a7038162a104763238b663f0a50ee76f9cd0ddc0d384b558a945af6dabd8
-
SSDEEP
3072:/L/wyNqKMLufKePcPRD5kFR+rUr1YdDrgXvftX48yr2goxiX:/L/wfLufDwIR6d/gXHtXJm5R
Score
10/10
Malware Config
Signatures
-
Cycbot
Cycbot is a backdoor and trojan written in C++..
-
Cycbot family
-
Detects Cycbot payload 5 IoCs
Cycbot is a backdoor and trojan written in C++.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe startC:\Program Files (x86)\LP\32FF\5C6.exe%C:\Program Files (x86)\LP\32FF2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe startC:\Users\Admin\AppData\Roaming\F355F\AC432.exe%C:\Users\Admin\AppData\Roaming\F355F2⤵
- System Location Discovery: System Language Discovery
-
Network
-
DNShighspeedinternetlosangeles.webnode.comRemote address:8.8.8.8:53Requesthighspeedinternetlosangeles.webnode.comIN AResponsehighspeedinternetlosangeles.webnode.comIN CNAMEprojects-lb.webnode.ioprojects-lb.webnode.ioIN A18.185.25.67projects-lb.webnode.ioIN A3.79.173.192 -
GEThttp://highspeedinternetlosangeles.webnode.com/news/2.php?sv=88&tq=gwY92w4AkCL0Z9LiK9R%2Fp8AwZhvDAKaTeJXsdsMwpCg6BavAOOC%2B0A%2BRokbgB%2FYCRutc1pCKrJeBkIiyaJ3xkYFWIymkQIaogA8kG90tTgvSpOM%2BW0YggJ9IhT2UWtGNyHqM4uMhIO5151VtpZOSRdOvdQ1763G4wMgbyGwtzbmx8ElH8A%2FQfbgTiwJgltBzBWHadMKb8QcQZDlU2vUjxLb8Y7cK%2BXeEPtFSgJBxK0FY567cRemote address:18.185.25.67:80RequestGET /news/2.php?sv=88&tq=gwY92w4AkCL0Z9LiK9R%2Fp8AwZhvDAKaTeJXsdsMwpCg6BavAOOC%2B0A%2BRokbgB%2FYCRutc1pCKrJeBkIiyaJ3xkYFWIymkQIaogA8kG90tTgvSpOM%2BW0YggJ9IhT2UWtGNyHqM4uMhIO5151VtpZOSRdOvdQ1763G4wMgbyGwtzbmx8ElH8A%2FQfbgTiwJgltBzBWHadMKb8QcQZDlU2vUjxLb8Y7cK%2BXeEPtFSgJBxK0FY567c HTTP/1.0
Connection: close
Host: highspeedinternetlosangeles.webnode.com
Accept: */*
User-Agent: chrome/9.0
ResponseHTTP/1.1 301 Moved Permanently
Server: openresty
Date: Sun, 02 Feb 2025 00:22:08 GMT
Content-Type: text/html
Content-Length: 166
Connection: close
Location: http://highspeedinternetlosangeles.webnode.page/news/2.php?sv=88&tq=gwY92w4AkCL0Z9LiK9R%2Fp8AwZhvDAKaTeJXsdsMwpCg6BavAOOC%2B0A%2BRokbgB%2FYCRutc1pCKrJeBkIiyaJ3xkYFWIymkQIaogA8kG90tTgvSpOM%2BW0YggJ9IhT2UWtGNyHqM4uMhIO5151VtpZOSRdOvdQ1763G4wMgbyGwtzbmx8ElH8A%2FQfbgTiwJgltBzBWHadMKb8QcQZDlU2vUjxLb8Y7cK%2BXeEPtFSgJBxK0FY567c
-
DNSsywerif.remindmeroster.comRemote address:8.8.8.8:53Requestsywerif.remindmeroster.comIN AResponse
-
DNSd59o5bwh.grizlybigtit.comRemote address:8.8.8.8:53Requestd59o5bwh.grizlybigtit.comIN AResponse
-
DNSwww.google.comRemote address:8.8.8.8:53Requestwww.google.comIN AResponsewww.google.comIN A142.250.178.4
-
GEThttp://www.google.com/Remote address:142.250.178.4:80RequestGET / HTTP/1.0
Connection: close
Host: www.google.com
Accept: */*
ResponseHTTP/1.0 302 Found
Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGOz1-rwGIjDVgBVCOTbYGhKeqHoZS_g8lJkhwc_JNhM_jAF5saqHcirKYCwdgtITi97mlQ9kOWYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
x-hallmonitor-challenge: CgwI7PX6vAYQ1J3DlQMSBLXXsFM
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-ybdRLeI2aO7wzpyRb_GDag' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Sun, 02 Feb 2025 00:23:08 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AVcja2dSDSzvYihQHzvuC5Lk8QDAeX3Dc_d4V-J4cGMXKFNioDrQ-jrL9IA; expires=Fri, 01-Aug-2025 00:23:08 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
-
DNShjmk.cloudstorepro.comRemote address:8.8.8.8:53Requesthjmk.cloudstorepro.comIN AResponse
-
GEThttp://www.google.com/Remote address:142.250.178.4:80RequestGET / HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com
ResponseHTTP/1.1 302 Found
Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGO31-rwGIjAPxWwsG0oLTN6Ln5kcDkxTVc1Sj_UPbko-KK5andEw-xIO9Bmp4D9AMvptbiBQpqMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
x-hallmonitor-challenge: CgwI7fX6vAYQh8Td7AESBLXXsFM
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-KR_VyMVSE4ypwyKC5lBe3Q' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Sun, 02 Feb 2025 00:23:09 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AVcja2fkJXucStWnkzI65fc3RTlcXSazjCxXvogPWtDlS3wvs_OMU7wfNw; expires=Fri, 01-Aug-2025 00:23:09 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Connection: close
-
GEThttp://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGO31-rwGIjAPxWwsG0oLTN6Ln5kcDkxTVc1Sj_UPbko-KK5andEw-xIO9Bmp4D9AMvptbiBQpqMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMRemote address:142.250.178.4:80RequestGET /sorry/index?continue=http://www.google.com/&q=EgS117BTGO31-rwGIjAPxWwsG0oLTN6Ln5kcDkxTVc1Sj_UPbko-KK5andEw-xIO9Bmp4D9AMvptbiBQpqMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com
ResponseHTTP/1.1 429 Too Many Requests
Date: Sun, 02 Feb 2025 00:23:09 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
Server: HTTP server (unknown)
Content-Length: 3075
X-XSS-Protection: 0
Connection: close
-
18.185.25.67:80http://highspeedinternetlosangeles.webnode.com/news/2.php?sv=88&tq=gwY92w4AkCL0Z9LiK9R%2Fp8AwZhvDAKaTeJXsdsMwpCg6BavAOOC%2B0A%2BRokbgB%2FYCRutc1pCKrJeBkIiyaJ3xkYFWIymkQIaogA8kG90tTgvSpOM%2BW0YggJ9IhT2UWtGNyHqM4uMhIO5151VtpZOSRdOvdQ1763G4wMgbyGwtzbmx8ElH8A%2FQfbgTiwJgltBzBWHadMKb8QcQZDlU2vUjxLb8Y7cK%2BXeEPtFSgJBxK0FY567chttp
HTTP Request
GET http://highspeedinternetlosangeles.webnode.com/news/2.php?sv=88&tq=gwY92w4AkCL0Z9LiK9R%2Fp8AwZhvDAKaTeJXsdsMwpCg6BavAOOC%2B0A%2BRokbgB%2FYCRutc1pCKrJeBkIiyaJ3xkYFWIymkQIaogA8kG90tTgvSpOM%2BW0YggJ9IhT2UWtGNyHqM4uMhIO5151VtpZOSRdOvdQ1763G4wMgbyGwtzbmx8ElH8A%2FQfbgTiwJgltBzBWHadMKb8QcQZDlU2vUjxLb8Y7cK%2BXeEPtFSgJBxK0FY567cHTTP Response
301 -
142.250.178.4:80http://www.google.com/http
HTTP Request
GET http://www.google.com/HTTP Response
302 -
142.250.178.4:80http://www.google.com/http
HTTP Request
GET http://www.google.com/HTTP Response
302 -
127.0.0.1:58970 -
142.250.178.4:80http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGO31-rwGIjAPxWwsG0oLTN6Ln5kcDkxTVc1Sj_UPbko-KK5andEw-xIO9Bmp4D9AMvptbiBQpqMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMhttp
HTTP Request
GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGO31-rwGIjAPxWwsG0oLTN6Ln5kcDkxTVc1Sj_UPbko-KK5andEw-xIO9Bmp4D9AMvptbiBQpqMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMHTTP Response
429 -
127.0.0.1:58970
-
8.8.8.8:53highspeedinternetlosangeles.webnode.comdns
DNS Request
highspeedinternetlosangeles.webnode.com
DNS Response
18.185.25.673.79.173.192
-
8.8.8.8:53sywerif.remindmeroster.comdns
DNS Request
sywerif.remindmeroster.com
-
8.8.8.8:53d59o5bwh.grizlybigtit.comdns
DNS Request
d59o5bwh.grizlybigtit.com
-
8.8.8.8:53www.google.comdns
DNS Request
www.google.com
DNS Response
142.250.178.4
-
8.8.8.8:53hjmk.cloudstorepro.comdns
DNS Request
hjmk.cloudstorepro.com
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
996B
MD59d41aded6fb1eb4b6f9bc072db569d87
SHA1f5d1b4fff0bcf72adde74cff6bd3ab3e0996291c
SHA2569261810d6145077b0a2415be5c085d42faf18f8e4fc23a841ef7687c6fc41dac
SHA51213d0b662d6eb32db702c10e457a1517c98ae695c7b0aedab5eecf9b8f21495cadbba71dec5d260071dd358b05735be62dd49a5e7a674b2c47008e4f24e2c0a61
-
Filesize
600B
MD585739d4022fbb3a194666aa42ca6277b
SHA1a6919aa4f34bb4baab7b2a314189c42ade175def
SHA256bd703b3fbd72cb885c381815e81e55d53bd8ca70b6548d93ebad9e25857ee91e
SHA5126bf281b11a8466a7b3db63852d0d17c795fc85acc6d03d359d942719c15f7c669412896daa46ea1b89bbe8013e4d52ae17238ea381a843a6f682d5555f47586a
-
Filesize
1KB
MD53992a94893619c0468b83ad572d6ebaa
SHA184a240a37365651be6d7d813946e40318e37eb85
SHA2569bf284acf44d78a5fb8bc882fcc7b27169cef50afbddeafa51cb3b086cfb0752
SHA5129ae7303c19cad4a7a0102975def732a378aaf3a2ce4e194a92723660308b484de48138acab42752e60df466cd237047755418702b535ec56045eb95693b0ee16
-
Filesize
336KB
-
Filesize
336KB
-
Filesize
336KB
-
Filesize
336KB
-
Filesize
336KB
-
Filesize
336KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
336KB
-
Filesize
336KB