Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-12-2024 01:27

General

  • Target

    df5b21faa535c3d6663e17ba0a5409ba_JaffaCakes118.exe

  • Size

    177KB

  • MD5

    df5b21faa535c3d6663e17ba0a5409ba

  • SHA1

    fd7c17f967a807baa7ff809a89547aff277eccd1

  • SHA256

    35a024cdfb0532596c86b3bbd3a5a5ed71d9fc9d11ec4235489fcf8bbc7cd687

  • SHA512

    80d8a316a7d61ea59ca782c7aa11371dcc5acf6ea75bce2f567f8c44615d524ebb46b3d25a3619e9def6ed8917c550cc300709c6d11717c1b51d719d17bfb4a9

  • SSDEEP

    3072:nSYI8ZfkVsgiKTYHDlP7E0RvxBEHWhCx9MEyh3AWRMPrGNPy3sSh9zQjnlEB:nSN8ZMV3i5P7VFnGZyh39qDGRwsY9zMl

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with the UPX open-source packer or a modified UPX.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\df5b21faa535c3d6663e17ba0a5409ba_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\df5b21faa535c3d6663e17ba0a5409ba_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Users\Admin\AppData\Local\Temp\df5b21faa535c3d6663e17ba0a5409ba_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\df5b21faa535c3d6663e17ba0a5409ba_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2980
    • C:\Users\Admin\AppData\Local\Temp\df5b21faa535c3d6663e17ba0a5409ba_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\df5b21faa535c3d6663e17ba0a5409ba_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2764
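
The process tree above shows the parent (PID 2824) re-executing its own image twice with an argument of the form start<drop path>%<drop directory>, naming copies dwm.exe and csrss.exe in user-writable directories, while the signature list records a Run key being added. The following is an added example, not part of the sandbox report: detection logic for those three behaviours run over a few constructed Sysmon-style events. The event dicts and field names (EventID, ProcessId, Image, ParentImage, CommandLine, TargetObject, Details) are a simplified stand-in for Sysmon process-create and registry-set events, and the Run key value name and the benign csrss.exe control event are constructed, since the report does not show them.

```python
import ntpath
import re
from dataclasses import dataclass

# Process names that legitimately live only under the Windows system
# directories; a copy anywhere else is masquerading.
SYSTEM_PROCESS_NAMES = {"dwm.exe", "csrss.exe", "svchost.exe", "lsass.exe",
                        "winlogon.exe", "explorer.exe", "smss.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows"}

# Relaunch argument seen in the report's process tree: " start<path>%<dir>"
SELF_START_RE = re.compile(r"\sstart([A-Za-z]:\\[^%]+)%([A-Za-z]:\\.+?)\s*$", re.I)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def parse_start_arg(cmdline: str):
    """Return (drop_path, drop_dir) from a start<path>%<dir> command line, else None."""
    m = SELF_START_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def is_masquerading(path: str) -> bool:
    """True when a system process name is used outside the Windows system directories."""
    name = ntpath.basename(path).lower()
    return name in SYSTEM_PROCESS_NAMES and ntpath.dirname(path).lower() not in SYSTEM_DIRS


def analyse(events):
    findings = []
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 1:  # process create
            image, parent = ev["Image"], ev.get("ParentImage", "")
            if image.lower() == parent.lower():  # a process re-running its own image
                parsed = parse_start_arg(ev["CommandLine"])
                if parsed:
                    drop_path, drop_dir = parsed
                    findings.append(Finding(pid, "self_relaunch_with_drop_target", drop_path))
                    if ntpath.dirname(drop_path).lower() != drop_dir.lower():
                        findings.append(Finding(pid, "drop_dir_mismatch", drop_dir))
                    if is_masquerading(drop_path):
                        findings.append(Finding(pid, "system_name_outside_system_dir", drop_path))
            if is_masquerading(image):
                findings.append(Finding(pid, "system_name_outside_system_dir", image))
        elif ev["EventID"] == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):  # registry value set
            findings.append(Finding(pid, "run_key_persistence", ev.get("Details", "")))
    return findings


SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\df5b21faa535c3d6663e17ba0a5409ba_JaffaCakes118.exe"

# Constructed events. The first two reproduce the command lines from the
# report's process tree; the Run key value name and the benign csrss.exe
# control are invented for the example.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2980, "Image": SAMPLE, "ParentImage": SAMPLE,
     "CommandLine": SAMPLE + " startC:\\Users\\Admin\\AppData\\Roaming\\dwm.exe%C:\\Users\\Admin\\AppData\\Roaming"},
    {"EventID": 1, "ProcessId": 2764, "Image": SAMPLE, "ParentImage": SAMPLE,
     "CommandLine": SAMPLE + " startC:\\Users\\Admin\\AppData\\Local\\Temp\\csrss.exe%C:\\Users\\Admin\\AppData\\Local\\Temp"},
    {"EventID": 13, "ProcessId": 2824, "Image": SAMPLE,
     "TargetObject": "HKU\\S-1-5-21-1234567890-1234567890-1234567890-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\dwm",
     "Details": "C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"},
    {"EventID": 1, "ProcessId": 372, "Image": "C:\\Windows\\System32\\csrss.exe",
     "ParentImage": "C:\\Windows\\System32\\smss.exe",
     "CommandLine": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"PID {f.pid}: {f.rule} -> {f.detail}")
```

The self-relaunch rule keys on the parent and child sharing an image path plus the start<path>%<dir> argument shape, so it also surfaces the drop location before the copy appears on disk; the masquerading check is applied to both the drop target and the running image, and the genuine csrss.exe control produces no finding.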

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\E346.7A1

    Filesize

    597B

    MD5

    0c93bc1901ab2f6f0bf0a4ff806dbee6

    SHA1

    dcd3bbb346c1f1af411b4d092e9574e29c73d661

    SHA256

    dab24f54dbd0ad192240b6f15d5ec5dddc834247e08b377f90a962031a17cd8a

    SHA512

    6b032254ceb31452ae9cbaa1b5d1f014761834d0c213bb9208ee69de1f07dd7e6bd50fd43d280a1c47cbcc0ed541f89bb52e9a8aa4d79b419c898c609d4c4847

  • C:\Users\Admin\AppData\Roaming\E346.7A1

    Filesize

    1KB

    MD5

    34296a1761d93b7f40f6bd9422840e7e

    SHA1

    e8d00e402c0c8fce9775e558a1dfd181139a71d3

    SHA256

    0f12062d988c03e598d2f0c229bc4c2cc09650560cdbee945542a9e76021e6c1

    SHA512

    9bd8400b34f9178cf364c99afd4c3289df24d651881aa8ed7062eb2d0808d5dded60b3d23d5f9247811f9feb7488e154b733313abf4ec51b23a51a55c7423c1b

  • C:\Users\Admin\AppData\Roaming\E346.7A1

    Filesize

    897B

    MD5

    273e6bab5fa14ad7e374825752d509fe

    SHA1

    54acca1ba95a93b731943fb64edd449d22d543cf

    SHA256

    d1b29e00d4884864921df2dd5f02066b16ba8f03e267e9634e4d9b7e24f6fdb7

    SHA512

    d7362694fcec85505a63704de52942bd7c862cd2ec1de915fa9282c12e5d77f3e3c8f26507d995c15d7c72ba728480f344d097396bdd6c67ab3d80bec3674528

  • C:\Users\Admin\AppData\Roaming\E346.7A1

    Filesize

    1KB

    MD5

    a01aa0886cabdc87e64866adadf9b2df

    SHA1

    8bd55b088c3a9e5b57413b027dee17d8e639e4c8

    SHA256

    aa62e09124f79d9e9a49065cbae6800251ae308771e3bb3c4913debfd8c8c0dd

    SHA512

    ddbd9cb89ecd97259f193c3b019444fd569c24e8a062b917fc8503de240abe15f905e246b6ad45b9357dfc5da5dcc58205754002a10b57a4d35ca8c54cb31192

  • memory/2764-90-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2764-88-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2824-21-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2824-2-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2824-86-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2824-1-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2824-161-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2980-20-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2980-17-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2980-18-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB