Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-12-2024 00:53

General

  • Target

    e917ff9039c51d1c64cd37e4a63053d2_JaffaCakes118.exe

  • Size

    280KB

  • MD5

    e917ff9039c51d1c64cd37e4a63053d2

  • SHA1

    fc3bf93a2c1b18f1c49bb59bfd717c0f4e245767

  • SHA256

    b43c5c23508e0343f98d0f134c713798b93be232d6c3b8886f30328529a17ab6

  • SHA512

    58c841e2d848e1f4ca00a7f3c06df07cac9b259a234bc080342f8e406d3f12e52eb6602806186e44473b370ecd31a77ea25a3a5b748432a3d2aab11b3948ecc7

  • SSDEEP

    6144:02c4k+gmIU48vAMOI2lmovX3bUUi4fVsfD6XaCwMfnigmNVes:02c0gmIX8YMOI2lmKiKCDTg0

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 7 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 16 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e917ff9039c51d1c64cd37e4a63053d2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e917ff9039c51d1c64cd37e4a63053d2_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2148
    • C:\Users\Admin\AppData\Local\Temp\e917ff9039c51d1c64cd37e4a63053d2_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e917ff9039c51d1c64cd37e4a63053d2_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\55BAF\ACAEA.exe%C:\Users\Admin\AppData\Roaming\55BAF
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1272
    • C:\Users\Admin\AppData\Local\Temp\e917ff9039c51d1c64cd37e4a63053d2_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e917ff9039c51d1c64cd37e4a63053d2_JaffaCakes118.exe startC:\Program Files (x86)\AF0A6\lvvm.exe%C:\Program Files (x86)\AF0A6
      2⤵
      • System Location Discovery: System Language Discovery
      PID:912
    • C:\Program Files (x86)\LP\EA35\389D.tmp
      "C:\Program Files (x86)\LP\EA35\389D.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2124
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2544
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2236

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\55BAF\F0A6.5BA

    Filesize

    1KB

    MD5

    c215e13e01dac038422d436288154c01

    SHA1

    56f38233bc3f41535d069c91abd13e58d4cf3036

    SHA256

    43efb6cd110fdcc01ceeec35e61cd215ab41a871b8faee5fd10af64435afab76

    SHA512

    b5b74dbe65f5bd45b12af46bd2ac7d78be5719294acbe3a0094bd67edbe0b68e4a9411de5d192f70f5d175116b6ccfbbf2df487dedda81c4f210614c9f81dabc

  • C:\Users\Admin\AppData\Roaming\55BAF\F0A6.5BA

    Filesize

    1KB

    MD5

    bc337d640d30cc53d45047a20711066d

    SHA1

    5b05a3fea4cc67112b4d28c1b42a8ff24960d0de

    SHA256

    562797bb0542203c5875bc1a1a5c511ca261668023b2e394193115a5316bfc9c

    SHA512

    d967ada15a2652bdebd6fcffc5acc03dcb3861abf66dc567faa8bea31fd87fc9dc8dcb322191ea3c2187433a216b3208944e9a933e1d4f56ca9ac586cb167100

  • C:\Users\Admin\AppData\Roaming\55BAF\F0A6.5BA

    Filesize

    600B

    MD5

    6177d7f8e8b599891031c3dd2c829547

    SHA1

    e95a087a1ef85e7878ace5c0cbffd541c1d1deae

    SHA256

    6c62fccf94a9a81d394e934908501bffef720ad50959750db0f5e1e7a42e2496

    SHA512

    223046c1e2215fb97507cb88a7f6e247c05b30515809e1328cf8ec6f0184e4a9ac4ceda98f885e749054ae2eb8b68657b5d55151b789bace218b1d3edb1fad65

  • C:\Users\Admin\AppData\Roaming\55BAF\F0A6.5BA

    Filesize

    996B

    MD5

    16836b5de70a0e7ed49f7378959c76e7

    SHA1

    10fe4aba207f9d4239e7384471e157399ef2f6f1

    SHA256

    01752db1bf034ec0059f6f371d3863617d75dfa6916ce4b7eb4cdb667ff562f6

    SHA512

    7c4162b52ce39109df3ba2982f80652483bce4052778a475fb213a7be3e4bb0b65bf306acbb738d9f0f2d3c07cab11013213a74c667199786abdcf3b909aab03

  • \Program Files (x86)\LP\EA35\389D.tmp

    Filesize

    96KB

    MD5

    240cad81711c7cafd80655c559446c34

    SHA1

    3bb6459eb0810d03baafed29662e2f4e1d842d3a

    SHA256

    84f21e5f79b0f767e4b2ddb5c69881ec8aa268927c7f1a483e530b8ed3dd44bb

    SHA512

    1bd397a7a84793a7bdb8a74940b574c351671ff9edf0df1838de0cde92e0f3254ffe5547af56bd63b63cc15f94b299172b8b60887a85893336bd559343837cdf

  • memory/912-89-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/1272-14-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/1272-12-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/1272-13-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2124-211-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2148-16-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2148-15-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/2148-1-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/2148-90-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2148-176-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2148-2-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2148-215-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB