Analysis
max time kernel: 140s
max time network: 122s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 11-12-2024 01:27
Static task: static1
Behavioral task: behavioral1
  Sample: df5b21faa535c3d6663e17ba0a5409ba_JaffaCakes118.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: df5b21faa535c3d6663e17ba0a5409ba_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: df5b21faa535c3d6663e17ba0a5409ba_JaffaCakes118.exe
Size: 177KB
MD5: df5b21faa535c3d6663e17ba0a5409ba
SHA1: fd7c17f967a807baa7ff809a89547aff277eccd1
SHA256: 35a024cdfb0532596c86b3bbd3a5a5ed71d9fc9d11ec4235489fcf8bbc7cd687
SHA512: 80d8a316a7d61ea59ca782c7aa11371dcc5acf6ea75bce2f567f8c44615d524ebb46b3d25a3619e9def6ed8917c550cc300709c6d11717c1b51d719d17bfb4a9
SSDEEP: 3072:nSYI8ZfkVsgiKTYHDlP7E0RvxBEHWhCx9MEyh3AWRMPrGNPy3sSh9zQjnlEB:nSN8ZMV3i5P7VFnGZyh39qDGRwsY9zMl
Malware Config
Signatures
Every signature hit below comes from behavioral1 (win7-20241023-en); no behavioral2 (win10v2004-20241007-en) results appear on this page.

Cycbot family
Detects Cycbot payload (5 IoCs)
Cycbot is a backdoor and trojan written in C++.
resource | yara_rule
behavioral1/memory/2980-20-0x0000000000400000-0x0000000000445000-memory.dmp | family_cycbot
behavioral1/memory/2824-21-0x0000000000400000-0x0000000000445000-memory.dmp | family_cycbot
behavioral1/memory/2824-86-0x0000000000400000-0x0000000000445000-memory.dmp | family_cycbot
behavioral1/memory/2764-90-0x0000000000400000-0x0000000000445000-memory.dmp | family_cycbot
behavioral1/memory/2824-161-0x0000000000400000-0x0000000000445000-memory.dmp | family_cycbot
Reads user/profile data of web browsers (3 TTPs, no IoC listed)
Infostealers often target stored browser data, which can include saved credentials. This page carries only the TTP tag for this behaviour; no concrete file or registry artefact is attached to it, so it cannot be verified from the report alone.
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe" | df5b21faa535c3d6663e17ba0a5409ba_JaffaCakes118.exe
The Wow6432Node path is the WOW64-redirected view of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run as seen by a 32-bit process on 64-bit Windows; entries there still run at logon, so a hunt has to enumerate both the native and the Wow6432Node Run keys. The value name (conhost) and the target file name (conhost.exe under the user's Roaming profile) borrow the name of a Windows system binary that normally lives in System32.
Yara rule upx (8 IoCs; the signature heading for this table is not shown on the page, so it is labelled here by its rule name)
resource | yara_rule
behavioral1/memory/2824-2-0x0000000000400000-0x0000000000445000-memory.dmp | upx
behavioral1/memory/2980-18-0x0000000000400000-0x0000000000445000-memory.dmp | upx
behavioral1/memory/2980-20-0x0000000000400000-0x0000000000445000-memory.dmp | upx
behavioral1/memory/2824-21-0x0000000000400000-0x0000000000445000-memory.dmp | upx
behavioral1/memory/2824-86-0x0000000000400000-0x0000000000445000-memory.dmp | upx
behavioral1/memory/2764-88-0x0000000000400000-0x0000000000445000-memory.dmp | upx
behavioral1/memory/2764-90-0x0000000000400000-0x0000000000445000-memory.dmp | upx
behavioral1/memory/2824-161-0x0000000000400000-0x0000000000445000-memory.dmp | upx
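The two yara tables above (family_cycbot and upx) name the same in-memory region, 0x400000 to 0x445000, in three processes. The following added example, which is not part of the sandbox report, parses those resource names and lines the hits up per process so the relationship between the two rules becomes visible. The naming pattern <task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp is read off the rows; treating <seq> as the capture order within a process is an assumption about the sandbox's naming. Rows are copied from the report verbatim.

```python
"""Parse the sandbox's memory-dump yara hits and line them up per process.
Added example; not the sandbox's own code. Resource naming pattern
<task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp is inferred from
the report rows; <seq> as capture order is an assumption."""
import re
from collections import defaultdict

# Rows copied from the report's family_cycbot and upx tables: (resource, rule).
HITS = [
    ("behavioral1/memory/2980-20-0x0000000000400000-0x0000000000445000-memory.dmp", "family_cycbot"),
    ("behavioral1/memory/2824-21-0x0000000000400000-0x0000000000445000-memory.dmp", "family_cycbot"),
    ("behavioral1/memory/2824-86-0x0000000000400000-0x0000000000445000-memory.dmp", "family_cycbot"),
    ("behavioral1/memory/2764-90-0x0000000000400000-0x0000000000445000-memory.dmp", "family_cycbot"),
    ("behavioral1/memory/2824-161-0x0000000000400000-0x0000000000445000-memory.dmp", "family_cycbot"),
    ("behavioral1/memory/2824-2-0x0000000000400000-0x0000000000445000-memory.dmp", "upx"),
    ("behavioral1/memory/2980-18-0x0000000000400000-0x0000000000445000-memory.dmp", "upx"),
    ("behavioral1/memory/2980-20-0x0000000000400000-0x0000000000445000-memory.dmp", "upx"),
    ("behavioral1/memory/2824-21-0x0000000000400000-0x0000000000445000-memory.dmp", "upx"),
    ("behavioral1/memory/2824-86-0x0000000000400000-0x0000000000445000-memory.dmp", "upx"),
    ("behavioral1/memory/2764-88-0x0000000000400000-0x0000000000445000-memory.dmp", "upx"),
    ("behavioral1/memory/2764-90-0x0000000000400000-0x0000000000445000-memory.dmp", "upx"),
    ("behavioral1/memory/2824-161-0x0000000000400000-0x0000000000445000-memory.dmp", "upx"),
]

DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump(resource):
    """Return task, pid, seq, start, end and size for one dump resource name."""
    m = DUMP_RE.match(resource)
    if not m:
        raise ValueError(f"not a memory dump resource: {resource}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"task": m["task"], "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def group_hits(hits):
    """Map (pid, seq) -> {"dump": parsed name, "rules": set of rule names}.
    Collapses the two tables so each dump lists every rule that fired on it."""
    grouped = {}
    for resource, rule in hits:
        d = parse_dump(resource)
        entry = grouped.setdefault((d["pid"], d["seq"]), {"dump": d, "rules": set()})
        entry["rules"].add(rule)
    return grouped


def unpack_timeline(grouped):
    """Per pid, the dumps in seq order as (seq, tuple of sorted rule names)."""
    by_pid = defaultdict(list)
    for (pid, seq), entry in sorted(grouped.items()):
        by_pid[pid].append((seq, tuple(sorted(entry["rules"]))))
    return dict(by_pid)


def family_only_after_first_dump(grouped, family="family_cycbot"):
    """True when, for every pid, the earliest dump matched the packer rule
    but not the family rule, i.e. the family signature appears only in
    later captures of the same process."""
    return all(family not in steps[0][1] for steps in unpack_timeline(grouped).values())


if __name__ == "__main__":
    g = group_hits(HITS)
    for pid, steps in unpack_timeline(g).items():
        print(pid, steps)
    print("region size:", hex(next(iter(g.values()))["dump"]["size"]))
    print("family rule absent from each first dump:", family_only_after_first_dump(g))
```

Run against the report's rows, every dump covers 0x45000 (282,624) bytes starting at the default image base 0x400000, larger than the 177KB file on disk, and for each of the three pids the lowest-numbered dump matches only upx while the later ones match both rules. That pattern is what one expects when a UPX stub unpacks the payload in place; a upx hit on a later dump does not by itself mean the region is still packed, since the UPX section names in the mapped PE header typically survive unpacking.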
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | df5b21faa535c3d6663e17ba0a5409ba_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | df5b21faa535c3d6663e17ba0a5409ba_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | df5b21faa535c3d6663e17ba0a5409ba_JaffaCakes118.exe
The process tree below attributes this behaviour to all three processes (2824, 2980 and 2764), one open each. Reading this key is routine in legitimate software, so on its own it carries little weight; it matters here only alongside the persistence and injection behaviour.
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2824 wrote to memory of 2980 | 2824 | df5b21faa535c3d6663e17ba0a5409ba_JaffaCakes118.exe | 30 (this row is recorded 4 times)
PID 2824 wrote to memory of 2764 | 2824 | df5b21faa535c3d6663e17ba0a5409ba_JaffaCakes118.exe | 32 (this row is recorded 4 times)
procid_target is the report's own process index, not the Windows PID. Both targets are children the parent itself spawned from the same image (see Processes), so this is the parent writing into fresh copies of itself rather than into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\df5b21faa535c3d6663e17ba0a5409ba_JaffaCakes118.exe (PID 2824)
   command line: "C:\Users\Admin\AppData\Local\Temp\df5b21faa535c3d6663e17ba0a5409ba_JaffaCakes118.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\df5b21faa535c3d6663e17ba0a5409ba_JaffaCakes118.exe (PID 2980, child of 2824)
      command line: C:\Users\Admin\AppData\Local\Temp\df5b21faa535c3d6663e17ba0a5409ba_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      - System Location Discovery: System Language Discovery
   2. C:\Users\Admin\AppData\Local\Temp\df5b21faa535c3d6663e17ba0a5409ba_JaffaCakes118.exe (PID 2764, child of 2824)
      command line: C:\Users\Admin\AppData\Local\Temp\df5b21faa535c3d6663e17ba0a5409ba_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      - System Location Discovery: System Language Discovery
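The Run-key IoC, the two child command lines and the WriteProcessMemory rows together give everything a responder needs to check a suspect host. The following added example, which is not part of the sandbox report, turns those artefacts into host-side indicators: it splits the start<path>%<directory> argument exactly as it appears in the two child command lines (what the sample does with the two halves is not stated on the page and is not assumed here), flags paths that reuse a System32 binary name outside System32, and collapses the repeated injection rows into parent-to-child edges with counts. The SYSTEM32_NAMES set is my own and is limited to the three names the sample reuses; the user-writable test is a heuristic.

```python
"""Host-side indicators from the report's persistence, injection and
process-tree artefacts. Added example; not the sandbox's own code."""
import re
from collections import Counter

# Copied from the report: the Run-key value data and the two child command lines.
RUN_KEY_TARGET = r"C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe"
CHILD_CMDLINES = [
    r"C:\Users\Admin\AppData\Local\Temp\df5b21faa535c3d6663e17ba0a5409ba_JaffaCakes118.exe"
    r" startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming",
    r"C:\Users\Admin\AppData\Local\Temp\df5b21faa535c3d6663e17ba0a5409ba_JaffaCakes118.exe"
    r" startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp",
]
# (source pid, target pid) for each of the eight WriteProcessMemory rows.
WPM_ROWS = [(2824, 2980)] * 4 + [(2824, 2764)] * 4

# Assumption: these names belong to binaries that ship in %SystemRoot%\System32;
# the set is deliberately limited to the three names the sample reuses.
SYSTEM32_NAMES = {"conhost.exe", "dwm.exe", "csrss.exe"}

# 'start<drop path>%<directory>' as it appears in the two child command lines.
START_ARG = re.compile(r"\sstart(?P<drop>[A-Za-z]:\\[^%]+)%(?P<dir>[A-Za-z]:\\.*)$")


def parse_start_arg(cmdline):
    """Split the start argument into the file path before '%' and the
    directory after it; None when the command line has no such argument."""
    m = START_ARG.search(cmdline)
    return {"drop": m["drop"], "dir": m["dir"]} if m else None


def is_user_writable(path):
    """Heuristic only: paths under a profile's AppData or a Temp directory."""
    p = path.lower()
    return "\\appdata\\" in p or "\\temp\\" in p


def masquerades(path):
    """A System32 binary name living anywhere other than System32."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name in SYSTEM32_NAMES and "\\windows\\system32\\" not in path.lower()


def injection_edges(rows):
    """Collapse repeated (src, dst) WriteProcessMemory rows into counts."""
    return dict(Counter(rows))


def build_indicators():
    """One record per path the report shows the sample registering or naming
    for a drop: the Run-key target plus the path half of each start argument."""
    paths = [RUN_KEY_TARGET]
    for cmd in CHILD_CMDLINES:
        arg = parse_start_arg(cmd)
        if arg:
            paths.append(arg["drop"])
    return [{"path": p, "user_writable": is_user_writable(p), "masquerade": masquerades(p)}
            for p in paths]


if __name__ == "__main__":
    for rec in build_indicators():
        print(rec)
    print(injection_edges(WPM_ROWS))
```

All three paths come out as user-writable and masquerading: conhost.exe, dwm.exe and csrss.exe are names of Windows system binaries, and none of these copies sits in System32. On a live host the same two tests, applied to every Run-key value and to any process image under a user profile, are a cheap first sweep; the injection edges show the parent (2824) writing four times into each of its two children, matching the eight rows in the table.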
Network
MITRE ATT&CK Enterprise v15
Downloads
(file names are not shown on this page)
1. Filesize: 597B
   MD5: 0c93bc1901ab2f6f0bf0a4ff806dbee6
   SHA1: dcd3bbb346c1f1af411b4d092e9574e29c73d661
   SHA256: dab24f54dbd0ad192240b6f15d5ec5dddc834247e08b377f90a962031a17cd8a
   SHA512: 6b032254ceb31452ae9cbaa1b5d1f014761834d0c213bb9208ee69de1f07dd7e6bd50fd43d280a1c47cbcc0ed541f89bb52e9a8aa4d79b419c898c609d4c4847
2. Filesize: 1KB
   MD5: 34296a1761d93b7f40f6bd9422840e7e
   SHA1: e8d00e402c0c8fce9775e558a1dfd181139a71d3
   SHA256: 0f12062d988c03e598d2f0c229bc4c2cc09650560cdbee945542a9e76021e6c1
   SHA512: 9bd8400b34f9178cf364c99afd4c3289df24d651881aa8ed7062eb2d0808d5dded60b3d23d5f9247811f9feb7488e154b733313abf4ec51b23a51a55c7423c1b
3. Filesize: 897B
   MD5: 273e6bab5fa14ad7e374825752d509fe
   SHA1: 54acca1ba95a93b731943fb64edd449d22d543cf
   SHA256: d1b29e00d4884864921df2dd5f02066b16ba8f03e267e9634e4d9b7e24f6fdb7
   SHA512: d7362694fcec85505a63704de52942bd7c862cd2ec1de915fa9282c12e5d77f3e3c8f26507d995c15d7c72ba728480f344d097396bdd6c67ab3d80bec3674528
4. Filesize: 1KB
   MD5: a01aa0886cabdc87e64866adadf9b2df
   SHA1: 8bd55b088c3a9e5b57413b027dee17d8e639e4c8
   SHA256: aa62e09124f79d9e9a49065cbae6800251ae308771e3bb3c4913debfd8c8c0dd
   SHA512: ddbd9cb89ecd97259f193c3b019444fd569c24e8a062b917fc8503de240abe15f905e246b6ad45b9357dfc5da5dcc58205754002a10b57a4d35ca8c54cb31192