Overview

overview

10

Static

static

3

f39faafbb1...18.exe

windows7-x64

10

f39faafbb1...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-12-2024 10:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f39faafbb1da36fab9a5682550d36926_JaffaCakes118.exe

  • Size

    646KB

  • MD5

    f39faafbb1da36fab9a5682550d36926

  • SHA1

    6cca16af9aa9ffb6ffac8eb0df35b21847f8da6a

  • SHA256

    4e307ed1132b7102cefd17dee8f29d5329d84f932001af35214515de7942b4f3

  • SHA512

    232beab7ec854651ee56510f4e7dc954bbd4343dc6d7865a0aed04472e91d1281c293ab83a903b52e22db89d8bf01fc69e95cc06636cc4a231cc4e04e6d73000

  • SSDEEP

    12288:k/dr9yql7Xi+mO0FKUDTtMi1NzW/DaRMvNXx265syu4MrZ:kl8qNSyUdMONUzeosyu4M

Score
10/10
cycbotbackdoordiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

    backdoorratcycbot
  • Cycbot family
    cycbot
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables taskbar notifications via registry modification
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 12 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 52 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:332
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    1⤵
      PID:856
    • C:\Users\Admin\AppData\Local\Temp\f39faafbb1da36fab9a5682550d36926_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\f39faafbb1da36fab9a5682550d36926_JaffaCakes118.exe"
      1⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1568
      • C:\Users\Admin\AppData\Local\Temp\f39faafbb1da36fab9a5682550d36926_JaffaCakes118.exe
        f39faafbb1da36fab9a5682550d36926_JaffaCakes118.exe
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Users\Admin\g6NuH2.exe
          C:\Users\Admin\g6NuH2.exe
          3⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2384
          • C:\Users\Admin\wiotio.exe
            "C:\Users\Admin\wiotio.exe"
            4⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:2668
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c tasklist&&del g6NuH2.exe
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2796
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              5⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2808
        • C:\Users\Admin\adhost.exe
          C:\Users\Admin\adhost.exe
          3⤵
          • Executes dropped EXE
          PID:2528
        • C:\Users\Admin\bdhost.exe
          C:\Users\Admin\bdhost.exe
          3⤵
          • Modifies security service
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2320
          • C:\Users\Admin\bdhost.exe
            C:\Users\Admin\bdhost.exe startC:\Users\Admin\AppData\Roaming\DECA3\9BED3.exe%C:\Users\Admin\AppData\Roaming\DECA3
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1540
          • C:\Users\Admin\bdhost.exe
            C:\Users\Admin\bdhost.exe startC:\Program Files (x86)\A3B29\lvvm.exe%C:\Program Files (x86)\A3B29
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:836
        • C:\Users\Admin\cdhost.exe
          C:\Users\Admin\cdhost.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2712
          • C:\Windows\explorer.exe
            "C:\Windows\explorer.exe"
            4⤵
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2864
        • C:\Users\Admin\ddhost.exe
          C:\Users\Admin\ddhost.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2732
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del f39faafbb1da36fab9a5682550d36926_JaffaCakes118.exe
          3⤵
          • Deletes itself
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1452
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2976
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Modifies registry class
      PID:2552
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x524
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2236

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Active Setup

    1
    T1547.014

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Privilege Escalation

    Boot or Logon Autostart Execution

    2
    T1547

    Active Setup

    1
    T1547.014

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Defense Evasion

    Hide Artifacts

    1
    T1564

    Hidden Files and Directories

    1
    T1564.001

    Modify Registry

    5
    T1112

    Credential Access

    Credentials from Password Stores

    1
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Process Discovery

    1
    T1057

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\DECA3\3B29.ECA
      Filesize

      996B

      MD5

      ce305d43e74559a54a8528270aef54eb

      SHA1

      83d69a2d6b3a3c2f460a03a8f47df58ad8edcaf7

      SHA256

      a8f50ffaba57db9297dd70808d76bc0cd5ad66160c24a1899f63842d540ec47d

      SHA512

      7c2ce73dfe963775bab9f7d19d3c7d389b97e0ea3d9d6ed885c36a58597af441207f91dd103d8a624ae311eeb701c09ad6aa4dd905c6dc55b7ac83403cc28bb2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\DECA3\3B29.ECA
      Filesize

      1KB

      MD5

      44e783698690b0e85ba9185049c2b8ae

      SHA1

      2a63a1738ceda65e2b8907e122072f64dfbfead2

      SHA256

      03123ee9acf18584ebca1075f0b31924797814b2e7408d3bce5b36b3a6566de4

      SHA512

      da2161b7eb520e9596acc1e77b9798d2af8f9f23270cd643c3e273b99854da9ea55cd9718c967532674dfece1ca1678fbd84829522584175b25d825c1aef88dd

      Download Submit

    • C:\Users\Admin\AppData\Roaming\DECA3\3B29.ECA
      Filesize

      600B

      MD5

      2bbead6eb9fc888734089be1906827b9

      SHA1

      f67fa9e380417e4f31b9b2a464c338fd60601caa

      SHA256

      8017216b3592fa9ac0eb2b7b8568790441f27a536e7ca27d113684d9706065b8

      SHA512

      8efc0b438419dc812de02be0f3ba6de68e966002636ca18c513fc50dccf26c1e15554b6345278475c14a9bf1369037eedebf1b7e62b26f8f85143e12f772775c

      Download Submit

    • C:\Users\Admin\bdhost.exe
      Filesize

      174KB

      MD5

      f3e286f3fc9467d3b9e56d41038b17d5

      SHA1

      3653c381586b01016a56de58d59300e431368162

      SHA256

      ec735fb26d310b803d6c4370b7cdd2a4e0f100dc442d0545f3742b3b48da5f3f

      SHA512

      0ba3b50c8dbce8da4f3a312a8f57375b102dcc7348485300b1d65fec3b6f55f62eb54e8252ddd4d73620442813731f7bfceb84c122c07a778afde76d8a642e2d

      Download Submit

    • \??\globalroot\systemroot\assembly\temp\@
      Filesize

      2KB

      MD5

      dfc68a97532ec1c6b5d81b07c60ec6d0

      SHA1

      13606c88e59a611901e605a916fb0a7c62efdd32

      SHA256

      acabe94784a4f8ee55bec086c0ceb1c74e314d8b678b7e601de7bada33ab179c

      SHA512

      a9d459de6aa6242d7134248dd2013b539c0856007fd14209cd6644362d3f364d486d72e352a68cdfba0e07f61338d13e403eba55d320bdca179aaf05b006f0ba

      Download Submit

    • \Users\Admin\adhost.exe
      Filesize

      172KB

      MD5

      36fa3dbb1702552896cc677b5bda52dc

      SHA1

      c87f2707913047dcd2a896896fe2905b08c33985

      SHA256

      e8a3a99554c8aea64d2afa291655795896fbc14d053d3d29178c3536eee39f74

      SHA512

      9ace90bd8e81b507d2db75a493554b4a676730271883976033e4025dc6d19250070b6fd8825905e2aeea213bfc271e5d2c43a2eeca86bce0b3db497801731c53

      Download Submit

    • \Users\Admin\cdhost.exe
      Filesize

      118KB

      MD5

      4abe6afa1ff995b70ef6511c1f0567ae

      SHA1

      80935a41582e0fb168c37d2960dce974cab5f0ab

      SHA256

      fba532bcf20eaba48015c06e52efd121a46dffad4a293d47d1ccc6529e0beae8

      SHA512

      bd8521102317e02b91025d8f3b5976e3ea6a93b82d8ca76bc05f43ca845d92d1a206d1a2710c194a018504a1578004f154d83c26243ffa2336a19610ee51c565

      Download Submit

    • \Users\Admin\ddhost.exe
      Filesize

      24KB

      MD5

      71aecf19a1aec54e3d2c63f945cc6956

      SHA1

      12213f95739e45881458a7bbb429a0b7b363ccbf

      SHA256

      c98cd0c456aa393a80d81d259dc8077edaf44d833e0691054291a9ba285f74cf

      SHA512

      a8634acb97730db9415fd5cb93cb23e1adea0d19c182cf3daf423a73d76dbf7cd3ae1829a3a24fefaab8ffa3fb5e3b93662559067590c7a6779ead71b8f145e4

      Download Submit

    • \Users\Admin\g6NuH2.exe
      Filesize

      256KB

      MD5

      be8379280ac23f08b8b091e1bc345eae

      SHA1

      bb432b69277aec39e5566ec120d6fd8fe4e0097b

      SHA256

      caf1a47f843337e61a31e6faf6745bd9fd70e14af77f171c8764ea9d2fbe9dc5

      SHA512

      d5a26da6a5ded9961cc995a8f6e53b9a97d95330654a1e1e588ddcabcf4d058fe527b1d68de057b8b73be49f4bcb64b58db229a2007c9eb5858a7f1d81ddd215

      Download Submit

    • \Users\Admin\wiotio.exe
      Filesize

      256KB

      MD5

      910d08a087ab766e0028152a754fd1ac

      SHA1

      590aa4b1e172894b953862fcf1df706a08aa8147

      SHA256

      9e8c8b20dcc7e118a8915a038841bd051df3136a1c8dc7ede5d310936cbff0a1

      SHA512

      3a132b61ae262e4b04fd7a88d316a714a5d9f683e485c59e52541667841217d39fb91a8069cc44643a1cbc7ba1386c21e32a4d86cccf10fbb0f62b04fe7fbd9b

      Download Submit

    • \Windows\System32\consrv.dll
      Filesize

      53KB

      MD5

      d3bd9c7e7a29daa24c66dc62cd5f5633

      SHA1

      3895247052b6244659e73334e6398677dafa0ac1

      SHA256

      6b87925d0e03ab5daa4760b1a62bed66c49cb489d011e2c9633eb0fe466df83f

      SHA512

      e243a2272887b02417b08b0d0728689c8f01cc57d473ed811ba98c2f5aa4d985d02d0fd7772bc33356474abcc815609ab7a6c0e905d6fe884fb7bc70bc67e9d0

      Download Submit

    • memory/332-254-0x0000000002440000-0x0000000002452000-memory.dmp

      Filesize

      72KB

      Download

    • memory/836-151-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1540-77-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1568-12-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2320-154-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2320-144-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2320-274-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2384-46-0x00000000035E0000-0x000000000409A000-memory.dmp

      Filesize

      10.7MB

      Download

    • memory/2528-153-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2528-60-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2528-58-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2528-56-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2528-310-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2528-308-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2528-273-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2528-83-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2528-220-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2528-270-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2528-267-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2712-236-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2712-233-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2804-13-0x0000000000400000-0x00000000004C4000-memory.dmp

      Filesize

      784KB

      Download

    • memory/2804-16-0x0000000000400000-0x00000000004C4000-memory.dmp

      Filesize

      784KB

      Download

    • memory/2804-14-0x0000000000400000-0x00000000004C4000-memory.dmp

      Filesize

      784KB

      Download

    • memory/2804-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2804-54-0x0000000000400000-0x00000000004C4000-memory.dmp

      Filesize

      784KB

      Download

    • memory/2804-17-0x0000000000400000-0x00000000004C4000-memory.dmp

      Filesize

      784KB

      Download

    • memory/2804-230-0x00000000001E0000-0x0000000000200000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2804-2-0x0000000000400000-0x00000000004C4000-memory.dmp

      Filesize

      784KB

      Download

    • memory/2804-231-0x00000000001E0000-0x0000000000200000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2804-15-0x0000000000400000-0x00000000004C4000-memory.dmp

      Filesize

      784KB

      Download

    • memory/2804-4-0x0000000000400000-0x00000000004C4000-memory.dmp

      Filesize

      784KB

      Download

    • memory/2804-0-0x0000000000400000-0x00000000004C4000-memory.dmp

      Filesize

      784KB

      Download

    • memory/2804-307-0x0000000000400000-0x00000000004C4000-memory.dmp

      Filesize

      784KB

      Download

    • memory/2864-237-0x00000000001B0000-0x00000000001C9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/2864-242-0x00000000001B0000-0x00000000001C9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/2864-247-0x00000000001B0000-0x00000000001C9000-memory.dmp

      Filesize

      100KB

      Download