Analysis
-
max time kernel
140s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
15-12-2024 09:43
Static task
static1
Behavioral task
behavioral1
Sample
f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe
Resource
win7-20241010-en
General
-
Target
f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe
-
Size
182KB
-
MD5
f36988e4e6bc154cd7c50bd676fd9367
-
SHA1
62451b9e26c6726f4a195a957db8cedbf3fbc24c
-
SHA256
4ac1b05fb39c6287a4052cd50b395be75daac09c1521fa9906ba9e2836a983aa
-
SHA512
0f55c1118b19dcea353aee53c950a68c0c0a9254ff1b57f50af8cdfb98da5517257652f4aacb7c08299432094370a3c8b50a71b2a28abcc59090498348d0ebf9
-
SSDEEP
3072:u18M5zt8ciNzA8iCKKNBkU/L/SR2DnoYc/Uv0ekN+bzbva:u1RENz7nAKa+noYcBxsz
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 5 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral1/memory/1032-10-0x0000000000400000-0x000000000044E000-memory.dmp family_cycbot behavioral1/memory/1032-8-0x0000000000400000-0x000000000044E000-memory.dmp family_cycbot behavioral1/memory/1304-15-0x0000000000400000-0x000000000044E000-memory.dmp family_cycbot behavioral1/memory/584-84-0x0000000000400000-0x000000000044E000-memory.dmp family_cycbot behavioral1/memory/1304-159-0x0000000000400000-0x000000000044E000-memory.dmp family_cycbot -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/1304-2-0x0000000000400000-0x000000000044E000-memory.dmp upx behavioral1/memory/1032-10-0x0000000000400000-0x000000000044E000-memory.dmp upx behavioral1/memory/1032-8-0x0000000000400000-0x000000000044E000-memory.dmp upx behavioral1/memory/1304-15-0x0000000000400000-0x000000000044E000-memory.dmp upx behavioral1/memory/584-82-0x0000000000400000-0x000000000044E000-memory.dmp upx behavioral1/memory/584-84-0x0000000000400000-0x000000000044E000-memory.dmp upx behavioral1/memory/1304-159-0x0000000000400000-0x000000000044E000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1304 wrote to memory of 1032 1304 f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe 30 PID 1304 wrote to memory of 1032 1304 f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe 30 PID 1304 wrote to memory of 1032 1304 f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe 30 PID 1304 wrote to memory of 1032 1304 f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe 30 PID 1304 wrote to memory of 584 1304 f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe 33 PID 1304 wrote to memory of 584 1304 f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe 33 PID 1304 wrote to memory of 584 1304 f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe 33 PID 1304 wrote to memory of 584 1304 f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Users\Admin\AppData\Local\Temp\f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft2⤵
- System Location Discovery: System Language Discovery
PID:1032
-
-
C:\Users\Admin\AppData\Local\Temp\f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming2⤵
- System Location Discovery: System Language Discovery
PID:584
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
600B
MD5a9804a7fea5b78c247442fb1e8359fee
SHA1b0be0279fc4998be2940b2e743263ffa3d5edf42
SHA2562381316c6a8ddff33bf89dff85ee6bd5b52c8e580158302ecc70b530bedb9b42
SHA51229660e537ffefbc9c82f97c6a93b4a5690155269a4423f40f417bddcd430d16e7a50a5b2cd844bf75565c1b1861ca3a34e48a7ba62f8c05b5433d8d0e01f8f14
-
Filesize
1KB
MD562bfba44c85c7d4b3bbb65253e057789
SHA1cf4f13166aa2fc895b5a1201e813b293ff581bc5
SHA25615ebe18935cf8a2b981f4ff62de27e26671de5a5f2df56e638483544a05cb615
SHA5121b1fd212e26349bdac448268a42aaa149ca500e0d8ed2a5458a4f8721b314a2dd28c633a5687b26bde0a31437c530b228c58a5845f92c2ef291d0a24ea4996f2
-
Filesize
996B
MD50b979e8b57eb012363be438a793139ba
SHA1ba7a78617404f56c7ae8b173c9f207cc943a3a08
SHA2561624ccbdfa34ad7308336637012b0a3b1fc73840aa4f330e0c2670c540c40f2f
SHA51221c5456860ceeea5664fddc6152633c70d41de6e2d89a4bbdff596958f537d00630a3f5547f95e5b814a7bed09c424655ab573d010de9acf4e4df9ff56a03510