Overview

overview

10

Static

static

3

e3b819b822...18.exe

windows7-x64

10

e3b819b822...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-12-2024 23:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe

  • Size

    168KB

  • MD5

    e3b819b82243a8eb75673a9bb77a2aaa

  • SHA1

    b62167d96bdb6437ec3fec596d95f5c7ce91b731

  • SHA256

    9d0eebe40aeedb7a33d6c93e1370a4b3a0d2c1ff7868b33f87672f4248f2d0c3

  • SHA512

    c4f2b5e467205406a0a4fb35f346152ea11972a2ade8f793b47a4e07600775fc6e80804b384d08354ee4cccd14c8cf41d0f639e241beab8ae96006b490592372

  • SSDEEP

    3072:3w0kxfJr+HMTthTtsOkmeD0wVoCin2c2mRO0edWnecPEH/dpQji+:ExV+sT6keD7obLFne+4H/8jN

Score
10/10
cycbotbackdoordiscoverypersistenceratupx

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

    backdoorratcycbot
  • Cycbot family
    cycbot
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3116
    • C:\Users\Admin\AppData\Local\Temp\e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe startC:\Program Files (x86)\LP\24B8\C25.exe%C:\Program Files (x86)\LP\24B8
      2⤵
        PID:4164
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 496
          3⤵
          • Program crash
          PID:4728
      • C:\Users\Admin\AppData\Local\Temp\e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\e3b819b82243a8eb75673a9bb77a2aaa_JaffaCakes118.exe startC:\Program Files (x86)\98B52\lvvm.exe%C:\Program Files (x86)\98B52
        2⤵
          PID:4120
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4164 -ip 4164
        1⤵
          PID:1400

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\8D398\8B52.D39
          Filesize

          600B

          MD5

          ecc62f7367b506b10a0aaac8d4ba45be

          SHA1

          fef90d1a3632b7061eb1ddf9bab5fb811553c771

          SHA256

          2f6e3dc5ca4412f9fb9f7500d59dadd290c7fc616f9b10a967cd3c72f05b02d1

          SHA512

          cf74ec81a44ec8b13f91fdf891472a8098ec3348529e3752745d880ce8609b898c60c4e16356266399199982c485de01d5d50ee23adfdec6e6d8adc6a3030d85

          Download Submit

        • C:\Users\Admin\AppData\Roaming\8D398\8B52.D39
          Filesize

          1KB

          MD5

          645a11d3f5eb5d54f50371ec3d6f8bad

          SHA1

          9790bb5e16e5eeb11751182dabb45af1c613e2f5

          SHA256

          4b253437f0c52319aebacfcb7e3502138872c41ca8a325f696f410c7ffcb5a46

          SHA512

          9989e3743687bd5e71704038c155fa8214f30eecbe85ecd97e41951befda66c62974d9494d11413b0b3458144775c52c857a4129a0cabafc577fb0a7c80806fa

          Download Submit

        • C:\Users\Admin\AppData\Roaming\8D398\8B52.D39
          Filesize

          996B

          MD5

          c5d1997f02faea1b1956934622f74520

          SHA1

          13b7e4a4a3db439d71f8e83eab608d229f588fb2

          SHA256

          122fd44ea43de7d81bab4dce86c0914bb661269a7ef9a18a3f56cff33dfbde2d

          SHA512

          b140cd9d723180e1b20f2d4b8f8fcc1d8259843ba37a55ea6ecff076f457caaf1717dcf2213ebc3a10c1bfe8943171187ffaeacef62cc2b50ea9e521f8715a11

          Download Submit

        • memory/3116-1-0x0000000000400000-0x000000000048D000-memory.dmp

          Filesize

          564KB

          Download

        • memory/3116-2-0x0000000000400000-0x0000000000490000-memory.dmp

          Filesize

          576KB

          Download

        • memory/3116-13-0x0000000000400000-0x000000000048D000-memory.dmp

          Filesize

          564KB

          Download

        • memory/3116-14-0x0000000000400000-0x0000000000490000-memory.dmp

          Filesize

          576KB

          Download

        • memory/3116-79-0x0000000000400000-0x0000000000490000-memory.dmp

          Filesize

          576KB

          Download

        • memory/3116-188-0x0000000000400000-0x0000000000490000-memory.dmp

          Filesize

          576KB

          Download

        • memory/4120-81-0x0000000000400000-0x0000000000490000-memory.dmp

          Filesize

          576KB

          Download

        • memory/4120-83-0x0000000000400000-0x0000000000490000-memory.dmp

          Filesize

          576KB

          Download

        • memory/4164-12-0x0000000000400000-0x0000000000490000-memory.dmp

          Filesize

          576KB

          Download