Analysis

  • max time kernel
    140s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-12-2024 07:17

General

  • Target

    d5de1044a70008f5e602df4851144a42_JaffaCakes118.exe

  • Size

    313KB

  • MD5

    d5de1044a70008f5e602df4851144a42

  • SHA1

    6aa27af2581751af6de41c772428a9273c969176

  • SHA256

    8070e9f6db70ee0d8837a6081ee08531cd90547b6a15737f645b8a09e24cd214

  • SHA512

    e93e2811f69767f0a05e6197d047a639937fa127893f72b8bad74760299c374d7f298130ff6b8e1b8deca45294d4c04023a2d4ae59990200ed1b9cfcf344e0d7

  • SSDEEP

    6144:HBmC+Q+qcXhZ/kTUURcrrlAbVcmrOREkYoUy0EWoUZIAqIzB:HqQkXhgUprrlAIX7hYZ2Iz

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 7 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
  • Pony family
  • Pony, Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5de1044a70008f5e602df4851144a42_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d5de1044a70008f5e602df4851144a42_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1712
    • C:\Users\Admin\AppData\Local\Temp\d5de1044a70008f5e602df4851144a42_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\d5de1044a70008f5e602df4851144a42_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\69FA0\35A1B.exe%C:\Users\Admin\AppData\Roaming\69FA0
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1776
    • C:\Users\Admin\AppData\Local\Temp\d5de1044a70008f5e602df4851144a42_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\d5de1044a70008f5e602df4851144a42_JaffaCakes118.exe startC:\Program Files (x86)\A0F60\lvvm.exe%C:\Program Files (x86)\A0F60
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1452
    • C:\Program Files (x86)\LP\1B86\3A71.tmp
      "C:\Program Files (x86)\LP\1B86\3A71.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2592
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2600
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:324

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\69FA0\0F60.9FA

    Filesize

    996B

    MD5

    25c57163ff940f1fd37acdb987b21a67

    SHA1

    54ca073a98884b15618430893e293eca7c62d67b

    SHA256

    4cf57ec4e8849c95aaa97c96e1426c42b5f38e0880b35fd9b3055e1cb6cc7b54

    SHA512

    5dd5e2b51e990ef82e639a5cc762348f9f0be991e63b67077c7770d2e677a74bd89e55bc9068fd2751880e304d311e09ad04b12a978bcec37b6294e31719cb77

  • C:\Users\Admin\AppData\Roaming\69FA0\0F60.9FA

    Filesize

    600B

    MD5

    106124e148d9db2c26d48259f837988c

    SHA1

    78b34dd66c139c75d39fae406401f3cd033402fe

    SHA256

    2462d2c5c1be0cf36fae9a9c25f446f36fd79cbe47b0ff464d1e7485ddd8d272

    SHA512

    78e1b1136d77b748d2b840641f6dabfe38754d31f752d0901b0496fd02e89c1fee078ea6b9c96faf0302a165e6d9d2df756f1cd9e16a25e9fafff196503db15a

  • C:\Users\Admin\AppData\Roaming\69FA0\0F60.9FA

    Filesize

    1KB

    MD5

    0518aa2b8e206b349d934629772b012b

    SHA1

    8b64aa4f8dc9625b7b7c9d368a93733b616c9375

    SHA256

    ae71e6ecd722f5d8c68f1131d8555782233e65c662ab49f8b159f82d6990ca95

    SHA512

    bae71dcecb2768182c3a206583a2ce9789f235436e19ceb971780e8fa53c1a13857f2b7eeab7675368865c392a1e7256fbe18673ad9b344e186453cb0652964c

  • \Program Files (x86)\LP\1B86\3A71.tmp

    Filesize

    106KB

    MD5

    8764a0f7b6af7a5bdfa1b00335519449

    SHA1

    fdb8134636217e0884990fdd36a2b9b4dc8db460

    SHA256

    606a11653cde47c6d80ae91ccc71bfbf0f0af902e399ef821e27a7de0f4f5b9c

    SHA512

    50f7c96f80ffea843da3f46515a9ad21c551caad950241b1a7c6a52e5b1cf53fc0710266e558e82d3ec1fe193931670d5e17d40021c7a4524caf9f45508b3c32

  • memory/1452-126-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/1452-125-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/1712-15-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/1712-123-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/1712-0-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/1712-13-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/1712-3-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/1712-2-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/1712-313-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/1712-317-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/1776-18-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/1776-16-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/2592-314-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB