Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20250129-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/02/2025, 00:21
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe
- Resource: win7-20240903-en
General
- Target: JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe
- Size: 178KB
- MD5: 771873432a46048391d86de0cf6e6ebb
- SHA1: 5a07c7e3345210329d4d0cc17a6e1d86585b121d
- SHA256: 63130c80578b44d6ba0c7f7c13cfb4e893967a81608d0ec8993dfe6020f268c3
- SHA512: 30ee54e452069c52253d92360a5cd94fb33747319f7263de4d3383477601b47ccc41a7038162a104763238b663f0a50ee76f9cd0ddc0d384b558a945af6dabd8
- SSDEEP: 3072:/L/wyNqKMLufKePcPRD5kFR+rUr1YdDrgXvftX48yr2goxiX:/L/wfLufDwIR6d/gXHtXJm5R
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (5 IoCs)
Cycbot is a backdoor and trojan written in C++.
resource | yara_rule
behavioral2/memory/3892-13-0x0000000000400000-0x0000000000454000-memory.dmp | family_cycbot
behavioral2/memory/3140-14-0x0000000000400000-0x0000000000454000-memory.dmp | family_cycbot
behavioral2/memory/3140-15-0x0000000000400000-0x0000000000452000-memory.dmp | family_cycbot
behavioral2/memory/4476-127-0x0000000000400000-0x0000000000454000-memory.dmp | family_cycbot
behavioral2/memory/3140-298-0x0000000000400000-0x0000000000454000-memory.dmp | family_cycbot

resource | yara_rule
behavioral2/memory/3140-2-0x0000000000400000-0x0000000000454000-memory.dmp | upx
behavioral2/memory/3892-12-0x0000000000400000-0x0000000000454000-memory.dmp | upx
behavioral2/memory/3892-13-0x0000000000400000-0x0000000000454000-memory.dmp | upx
behavioral2/memory/3140-14-0x0000000000400000-0x0000000000454000-memory.dmp | upx
behavioral2/memory/3140-15-0x0000000000400000-0x0000000000452000-memory.dmp | upx
behavioral2/memory/4476-125-0x0000000000400000-0x0000000000454000-memory.dmp | upx
behavioral2/memory/4476-127-0x0000000000400000-0x0000000000454000-memory.dmp | upx
behavioral2/memory/3140-298-0x0000000000400000-0x0000000000454000-memory.dmp | upx
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 3140 wrote to memory of 3892 | 3140 | JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe | 86
PID 3140 wrote to memory of 3892 | 3140 | JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe | 86
PID 3140 wrote to memory of 3892 | 3140 | JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe | 86
PID 3140 wrote to memory of 4476 | 3140 | JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe | 87
PID 3140 wrote to memory of 4476 | 3140 | JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe | 87
PID 3140 wrote to memory of 4476 | 3140 | JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe | 87
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe"
  Depth: 1
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3140
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe startC:\Program Files (x86)\LP\108D\733.exe%C:\Program Files (x86)\LP\108D
    Depth: 2
    PID: 3892
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe startC:\Users\Admin\AppData\Roaming\D77E1\E6810.exe%C:\Users\Admin\AppData\Roaming\D77E1
    Depth: 2
    PID: 4476
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 996B
  MD5: c6a509f38e318aa6d7d0c4b7e67a2a7e
  SHA1: 8427e3e21387fd4fe33c7e8e18047e337fa882b5
  SHA256: 3636a56aa6b33b12f019e8ab90b49ed161608fec2bca0857a6f06aa285f47dfd
  SHA512: d91bf065579cfedc82634a155ce247fdb1474a62f837e9a01a953651cfa2bb6608cad0416750c3f1df09782ab43383bcae10d70df5b3ff500313d78c9eb07db3
- Filesize: 1KB
  MD5: c723051289d2a19e9d9077e4609bc2d0
  SHA1: 59848181c912baeab9a10d5935643d27ee343f96
  SHA256: f555dce010a0b155da11331c73fef2e439f52c2fec7ea61fa7fd5c25bff75590
  SHA512: 60b505cd33b61972b01e40f704bfebaddfba74542585e5327152a4507ea2f0568249d3aa441f1ff2d3d6f1541c5399e27dd7838887c9c69feb45a0ae6bbdbbda
- Filesize: 600B
  MD5: cb865d1cbe8a5c35e975cadb5ecca251
  SHA1: 7136fad9128ca5a718914446f931d4d3ec821b75
  SHA256: afd093a6e9af2aa3355f1afd3c9cf845feac2f1d1c394eea3dc2e76a0c459f0e
  SHA512: 5c84d6aa596fc1dc358fec1a70d28e5b40331aee646631037e6e90c8c8b5d9905801af292ce1cbd080122df2c2325fa919d7b466f680f3dfeef28079be5908e0