Analysis
-
max time kernel
140s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
03-12-2024 03:05
General
-
Target
bb70a05349e9cc1ed724b25ad2254002_JaffaCakes118.exe
-
Size
307KB
-
MD5
bb70a05349e9cc1ed724b25ad2254002
-
SHA1
bf38250d5393797f86428a68e74082cbb93ce3f4
-
SHA256
3ca919091b0eabc0e968e60f78c62d30a9f0ba80770f159d247bf833f92ae6e2
-
SHA512
7f859a6bacf23e729c7b7fd8c79300c036f3c087df1f94b281aafa78379dbe4329cd232b0971a13245829b21c7aaeea0dcf08bbe9e777f5ccf721e3defbe1756
-
SSDEEP
6144:78AF6g/s2H9nyUvOWy9O8fV14/wLbjCFh2O1DMhBA2AtY5rR/WMzZPw:7v6g/BdyaOWywu14/wLbjCFh2oQAC5rW
Malware Config
Signatures
-
Cycbot
Cycbot is a backdoor and trojan written in C++..
-
Cycbot family
-
Detects Cycbot payload 8 IoCs
Cycbot is a backdoor and trojan written in C++.
-
Modifies security service 2 TTPs 1 IoCs
-
Pony family
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
UPX packed file 11 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Control Panel 2 IoCs
-
Modifies Internet Explorer Automatic Crash Recovery 1 TTPs 1 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 38 IoCs
-
Modifies Internet Explorer start page 1 TTPs 1 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of FindShellTrayWindow 30 IoCs
-
Suspicious use of SendNotifyMessage 22 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb70a05349e9cc1ed724b25ad2254002_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\bb70a05349e9cc1ed724b25ad2254002_JaffaCakes118.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer Automatic Crash Recovery
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\bb70a05349e9cc1ed724b25ad2254002_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\bb70a05349e9cc1ed724b25ad2254002_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\B1113\21DAE.exe%C:\Users\Admin\AppData\Roaming\B11132⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\bb70a05349e9cc1ed724b25ad2254002_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\bb70a05349e9cc1ed724b25ad2254002_JaffaCakes118.exe startC:\Program Files (x86)\13231\lvvm.exe%C:\Program Files (x86)\132312⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\LP\AE1B\18BE.tmp"C:\Program Files (x86)\LP\AE1B\18BE.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2144 CREDAT:275457 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
Filesize
252B
MD5d1228aaffc58f92cdc06a4e76d213623
SHA10d6792b61cf6c85d1331943d1de478d12891c4b2
SHA256620de46b7336204d5ccd1379a58d46babffddf4c868c36a5f6802c88da0ff0ad
SHA512d7b02db0e3d0097f5907f5b8f203a3e3af4728c53a8ff988041503cdd8243fc6914535e26df944e8278f10ea962514f532853bfe593f1c94d90b0d30230da92a
-
Filesize
342B
MD5b5c12b36324f4501109059c1e7dccc63
SHA1c946117a9038d877ee52d598e4ccd2c89f778be6
SHA256a86e5f6dc8d430574c655999365d06b16b6ec146c09f81635f9338bba7182338
SHA5120af5d6809dddff5195bd484cca2e96ccf95f684330e682ae71995d04302aaff98a8d263d68d9df44d0430148e14bb8428c3e41150223f34dc8ae3079a6409817
-
Filesize
342B
MD55f6be570ee2b71716075a489e87468a4
SHA1ad20009b53f8d2f48a0be002a92b1cee1c7b898c
SHA256743a616ca55e8e9c04c5ceb2a77ef28223eeb9404bda88af18b09f7dcdc562e4
SHA5127c316b17a20c515b8867e3ad927fc385a19727d9830d338af245504dfcec60496792406c0f83ff3647d929b73e9a118fdb8f23fe602461d1eddac515e8afd706
-
Filesize
342B
MD555552994d292d4d4c3620e4b486d7a87
SHA1c26468b7b38d6fb4daedbd95efbbdb1a018e360b
SHA25647ed8f586a721b7711e551cca39dd12ba6d7a0b2a2001e5eee3ea83d04f4dfe8
SHA51276440400991d20effd7755c5a631ef37c13cdf4ecfc2a7323aa441d479c9ed21cf038570cb98d19b209a77f1e95faddb36a6004941104ed8f6c1784365cbac88
-
Filesize
342B
MD5d0e73a99e3071407418ea1a91d3bafa7
SHA1be6e2b519d62d54b713478ea282a0a65dc2a02a9
SHA2566c48743376f8f763c46e7a38f9c4542bf69b3669a844403f2a87792af949abab
SHA5122c9468946ceef4046355e095d41157e0583b45f2ea1f8c973d65ef11fea23a0f6bb56cbfda1580ba47ba9b2d78c26ef6f49f3d0d671b3970792ec766389603f4
-
Filesize
342B
MD55cff9536a7549b5378adbbe35bd59f4c
SHA135358e0711d4e3f747fd1adfc0f082b2cbc27a0e
SHA256f750ea6dfb03d1b327dc79d4fe6c8ea61493778100c989fa7615fd85d88c7f47
SHA512f29f7ae3895853123aba362927b1aa4d36cd60103c55219a0aff46b721e9f5c529d2f7a9c119aea930a20e55a1f7c2a317d5c8976e0d41ab4f0ae483a401d095
-
Filesize
342B
MD5a886751a457b352b321297677f498ad1
SHA13284ad38813202431eb68856791a2adf2886ab22
SHA2562372c83fe7bc7de7b39846c7dccb5dd8c57b3ff11fc5bf67292076ccfd75efd9
SHA512b42339be3a56861c05b8070bec4f92b087588bea2d1a8ded4b699ff0d1cd989bb4c94c763168f2667e29db8b3cf7bdc07efd2e947f1c7480599105aadc001ab1
-
Filesize
342B
MD581be827adb08980808bdb08d05ab7941
SHA156ca1bfe40fe87f81918c8adb1429789ea3eb853
SHA256735625c46c7492ef1e95ae9eb1e1d439eb2d29ce889e623dfada517ed1e43ee6
SHA51228e30b48d490c7d846e25775b9c31cd6c58909f512af83d2241bf178835834a19d19702b87e3f8f1fb52cf593b18ef7ee1e8a301592238ddffc200481fd1afe8
-
Filesize
342B
MD594d5309eef40ff75f7bea3bc80cc0ee7
SHA1ed33995a5e5ffcd54c5a06551288cac8b01fbb36
SHA256fa2ba2de90fbb7937dba6a5db67cc03c5fdc05db9336390eade6b8e03a15bc60
SHA51203f7a7cfc0abf10d02af424fff9b8c8ad1b78ca13f6f4a0f9184736ad7bbb97eba758a738af3f21a0574c9bc23a6e7280c578aaebbf17e363ea5fabe3c8c1278
-
Filesize
342B
MD51fb211d5e7b3dd5af849b5c9c9a8cd17
SHA15fcf0993f394b173c66a91f0ceb25d7a1cf0b45a
SHA256d87eb08df0a3b27718ef482cbcea6b5fdb2b544b1d6e67ac6037d8a3e1c1e5aa
SHA51277b55c421818f5fc46ba30f9d88f384a25b827f845850db5992ee81d8fae24fbb720276441d0980cf6e78ee5392c8d01a63895a812e4b55669609399299c3e6a
-
Filesize
342B
MD5381e8bca17b94ed682ad6595cf58994e
SHA124f8dc65c2c4df64b884c62aa12d068db5db9c8d
SHA256a040e9f2ccb73ac4b5a9b2bdaeb9508ab335d047750d42c858db44ee8998f265
SHA5129aeae7b864c5ebe8b15010629aaa6d91d00c7b5a8b4297a20ed5bae476740bb9a663b034c7d801547098c1b9f7224cedaecc21bd24f29c2281c60ead275ef657
-
Filesize
342B
MD5f0edc92183cb82579af8d81a0f3d7ba6
SHA17af32371eb709307b510ac1eb08bc810cfeb4805
SHA256e3fa94b81d8b1ed98d721fa66cc1437227ddcff38246ca59045c394d8d26700c
SHA5125ea32f530c2c2991e676d002d490a4124246782dd8c51375afe5627c6dd87a899911b1557b950bc9a91bf40be533605279df98e98e2360425e2f225e2d73cf04
-
Filesize
342B
MD57ad764824fe83e17960dd3a0aa1376da
SHA10217521207acdf73afab0142b8f1b50b579453d9
SHA256ff5adbae102d08d7937bb71893678e60b167fba5da85ea056fa79b6d778839b3
SHA5126078f142d2e5e41218765658197c245ddeb12baa118a119642e5ce3addffc73c437236032cc6630e882e49f779effa249877de5c3fd5d42c2f653f8aee5f1fc6
-
Filesize
342B
MD55728d2345680c6bdce6ae3eb71fb1495
SHA187ad7105d0c64bf1130dcb77cb61deb1e7d6484d
SHA2560903eee38f6f522832dcb6fcfc1421b559c0036d53a1717ca21b2499e1a5783b
SHA512a11d39bb4a3919f5463e25336ce1308898a212dc8ffe76e6e590b344132745f1eb5117f78f27f77f8e06e25183ee5678b43719dfc5b64db3c423ef2337f87286
-
Filesize
342B
MD58b3279e2f04a815e1c6eae766422a26f
SHA19524e30f67f1033d70e98ca4ecb809635e4f9d34
SHA2568544dac4290228d6b7b5080f8873e8023a1ddec7ccb556ba3bee22a308a9b988
SHA5123184d3033d51f3d413f926cde79ea0f1b1ba5ff402e22d8fe92a63831e24ef46f8056975d6bdece4c5d0a7be44cdc2690d6dba054e0ea6a93c78e025044d95e3
-
Filesize
342B
MD569dfd7a8e1d1f9079db0c33049452a34
SHA127de068c8d0c0d469cd982c38a909587c6d31d50
SHA256d0db08d8be935ea97baca603986a69e01136457ab9b56bd8afc362e38d707f8d
SHA5123029b84f86b9401c1f6281a8e4fb4ec25d89fee23992b22648b957e94845690322790357cc4bc16d176397fabcd49741338470b681c9f499c3f25d3b33a358aa
-
Filesize
342B
MD54c21a99f5bb82dc0979e72f11be46625
SHA1221435956b39ed5a22dc485d20b27ede3c07c160
SHA256c96da0824d9b75d2bfb84a0d6263b00c573b8f905e65eec8b11d78cf79520d54
SHA51200585fadd4ae980ba66ee5e5385948d60ed751cf3379a81b6c0bb78d450b38d06578a14d1dae41438bf877969e5a4d0d9f77debb6b9b3e5c44fb5e09a6ec61d3
-
Filesize
342B
MD549cc7e2c740952654726848bba72b44a
SHA15dbe45b3ed3a084e5499ed37d1033eabadc061a1
SHA256f96762a44f3fcc1dff081ed90f138f78293af7c1e9c94a57859e6ceefffe2181
SHA512958df772aebdea3152a76775aef26d62af7ca7ecb0534709cd56d11198dc2da9d5a234e07d48f1d73959f95a2496d152d065ba69ed5759c51c930baf633c278f
-
Filesize
342B
MD5fe7f405f721eb513b6b32b245f89b34c
SHA13b2b804a428340f90a48cf9143867e3030ab5028
SHA256916e2f96d6bf701a5b31de70f1ba187aff4c37ae9227f60fd031c20ef2ffd906
SHA512c4f1db32abeff3a329de09ac8275450355d44265fcf22052dcebc3d10ca1ebed4416e856303a8eca2af1d25dbb2d6c45080cf460474260b7e5a9dfd5b0e56965
-
Filesize
342B
MD52b60ff0cc1d3cda47a580c33ae65f272
SHA1df7d5c61b421b130c0b62acb6162325c3e00cc82
SHA256e66de10cddee02a6b091d26876d2e8d998f682326c290c8896a935537f9858ce
SHA512f488d8782e184aea26bf92ef9a34d526b8ba2b71caa6d68202c2497d766c56250b2c4d6f3e629f0261c57b15c21adad34b1516be2b5bff3a08f984c5b3435e1a
-
Filesize
242B
MD5b260f17c0af0cf689ad014168a204115
SHA142a1e63587e2d7dc06ffbf60e9507b64a7154349
SHA2563f098b583cb5c8191ec54a78e968e9403d31162805ec0e2902e327ea7e82a6c2
SHA5127cd1960536d7046e78ef476e1910197b4c632218f8d891210cde19966893431f1e1a5ad7c878acbaee84cec3c6772a4b5afe29ef6165da7956e70e09a3024d81
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
600B
MD536dafe670c9c01ba84d5a7a232e08349
SHA15c99702c8ce77d2a10a4cef5c7fcb3049c076ecc
SHA256f23386f3ade7c5d531afc4837d0a17de936f41b0b83c0a23e9278cade78c42c6
SHA512daa67492f63119f686c01f5606819eee38820baad4ae112d64a4fdaa84d8229e5d039c8011c4987e389c26e95e0b3ed38ff1eac9803c0acbfa5b08103f382865
-
Filesize
300B
MD523f0ddebe08cddd4b1d9ef30d03ffebf
SHA1362c765b401cd21ce75dab6aa066e0662c910095
SHA25649245102e34cabf3133b177db0bcfc17c38fb0532f704dcc44a523b0b2ae9cc0
SHA5120b3d3de1f7c0ded9c29918770972f05b48bb2e33434e38453ce8b3c31282cec370c00d7e85a00af97192f559adfadaaef7c04a70637b89ef4c80c4eab99d6b5a
-
Filesize
996B
MD5b0c092f0b88aecf8dec2704be372c721
SHA1441ca39b252bcd1d43a6b3922e89c2d62832bede
SHA25678c624c6ad385697ab2c0a7ef8eb0ea63e50c24d9ecedb0c868c2bff06cf0281
SHA51232783fe8db3664bd5cc5e31af9ea84a764340c3d64861319970eb164eea9294e5f4aa605d8a5371a055312ffaf9a18ec4f27136f61b8808e9490d1d84cff9c63
-
Filesize
1KB
MD54b5b45ec0ce6b2365d06eb9c9372b55c
SHA1d2c785ac28ad653ed1cfc740f0f930e7129f8b4f
SHA2562d283004d836fc40860571024d5e25ea7c17305dab59c688015c43b7a197b05e
SHA512cd71c82ce514c74ae9ef2c7a2a4dfe1680c2fb2384b362d6d327f3745d2c694e7fd348de88fe18984c5da37ff7a8774cd0d357d3d0fefee31c9f66b17055b3ad
-
Filesize
101KB
MD56e32a83f88c3f7451bbcc0da23219fb5
SHA1dc462732e400a99b88cb4f9204e7541dd929b00a
SHA256932318cb8016c148cc6326b76184e1834b5135347b5d54782bad361e4e0950c5
SHA512e9597f623ea7541a17473cf19f164dec7925347ed04de724e69e766f5b5439e871b915bda953daaf58f7fa14e3c0145bac638a6d4404ffcf2f86a60620771b1e
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
320KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
112KB
-
Filesize
484KB
-
Filesize
472KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
472KB
-
Filesize
484KB
-
Filesize
8KB
-
Filesize
484KB
-
Filesize
484KB