Analysis
max time kernel: 140s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15-12-2024 03:04
Static task: static1
Behavioral task: behavioral1
Sample: f1fd577f429914f70f4038ee16d07b8a_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: f1fd577f429914f70f4038ee16d07b8a_JaffaCakes118.exe
Size: 171KB
MD5: f1fd577f429914f70f4038ee16d07b8a
SHA1: 2831f0e60bd34e6afc2ed46b57134b84ca0077ea
SHA256: c0ae6270f99056daf0f98ae5a411f8a70b008c81a027903003d3fac37d16f56b
SHA512: 7639a226b57d9ac94543586bc5e5d1a288acdded7eb089894b6f566c6ffd0bf9d860c366eacae5f8e4a42e3f4949d4aead0c572cc5cccf1f01065e905923af2b
SSDEEP: 3072:sTGJH2PdRnIOKQHrlcMl7lSF00/pmbX559MgUhfP9/YQYh/bfkkP/:FWY4HrJ7lr0/pmbX5fIP9/Yrh/bfk
Malware Config
Signatures
Cycbot family
Detects Cycbot payload (7 IoCs)
Cycbot is a backdoor and trojan written in C++.
resource | yara_rule
behavioral1/memory/2872-8-0x0000000000400000-0x0000000000444000-memory.dmp | family_cycbot
behavioral1/memory/2872-9-0x0000000000400000-0x0000000000444000-memory.dmp | family_cycbot
behavioral1/memory/2872-15-0x0000000000400000-0x0000000000444000-memory.dmp | family_cycbot
behavioral1/memory/2800-16-0x0000000000400000-0x0000000000444000-memory.dmp | family_cycbot
behavioral1/memory/2800-77-0x0000000000400000-0x0000000000444000-memory.dmp | family_cycbot
behavioral1/memory/1880-81-0x0000000000400000-0x0000000000444000-memory.dmp | family_cycbot
behavioral1/memory/2800-191-0x0000000000400000-0x0000000000444000-memory.dmp | family_cycbot
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe" | f1fd577f429914f70f4038ee16d07b8a_JaffaCakes118.exe
resource | yara_rule
behavioral1/memory/2800-2-0x0000000000400000-0x0000000000444000-memory.dmp | upx
behavioral1/memory/2872-8-0x0000000000400000-0x0000000000444000-memory.dmp | upx
behavioral1/memory/2872-9-0x0000000000400000-0x0000000000444000-memory.dmp | upx
behavioral1/memory/2872-15-0x0000000000400000-0x0000000000444000-memory.dmp | upx
behavioral1/memory/2800-16-0x0000000000400000-0x0000000000444000-memory.dmp | upx
behavioral1/memory/2800-77-0x0000000000400000-0x0000000000444000-memory.dmp | upx
behavioral1/memory/1880-79-0x0000000000400000-0x0000000000444000-memory.dmp | upx
behavioral1/memory/1880-81-0x0000000000400000-0x0000000000444000-memory.dmp | upx
behavioral1/memory/2800-191-0x0000000000400000-0x0000000000444000-memory.dmp | upx
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f1fd577f429914f70f4038ee16d07b8a_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f1fd577f429914f70f4038ee16d07b8a_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f1fd577f429914f70f4038ee16d07b8a_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2800 wrote to memory of 2872 | 2800 | f1fd577f429914f70f4038ee16d07b8a_JaffaCakes118.exe | 30
PID 2800 wrote to memory of 2872 | 2800 | f1fd577f429914f70f4038ee16d07b8a_JaffaCakes118.exe | 30
PID 2800 wrote to memory of 2872 | 2800 | f1fd577f429914f70f4038ee16d07b8a_JaffaCakes118.exe | 30
PID 2800 wrote to memory of 2872 | 2800 | f1fd577f429914f70f4038ee16d07b8a_JaffaCakes118.exe | 30
PID 2800 wrote to memory of 1880 | 2800 | f1fd577f429914f70f4038ee16d07b8a_JaffaCakes118.exe | 32
PID 2800 wrote to memory of 1880 | 2800 | f1fd577f429914f70f4038ee16d07b8a_JaffaCakes118.exe | 32
PID 2800 wrote to memory of 1880 | 2800 | f1fd577f429914f70f4038ee16d07b8a_JaffaCakes118.exe | 32
PID 2800 wrote to memory of 1880 | 2800 | f1fd577f429914f70f4038ee16d07b8a_JaffaCakes118.exe | 32
Processes
C:\Users\Admin\AppData\Local\Temp\f1fd577f429914f70f4038ee16d07b8a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1fd577f429914f70f4038ee16d07b8a_JaffaCakes118.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2800
    C:\Users\Admin\AppData\Local\Temp\f1fd577f429914f70f4038ee16d07b8a_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\f1fd577f429914f70f4038ee16d07b8a_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      - System Location Discovery: System Language Discovery
      PID: 2872
    C:\Users\Admin\AppData\Local\Temp\f1fd577f429914f70f4038ee16d07b8a_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\f1fd577f429914f70f4038ee16d07b8a_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      - System Location Discovery: System Language Discovery
      PID: 1880
Network
MITRE ATT&CK Enterprise v15
Downloads