Overview

overview

10

Static

static

3

f7fe5b9df1...18.exe

windows7-x64

10

f7fe5b9df1...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    16-12-2024 07:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f7fe5b9df14c50155386cd2c61b876cb_JaffaCakes118.exe

  • Size

    315KB

  • MD5

    f7fe5b9df14c50155386cd2c61b876cb

  • SHA1

    9b61cfcec6ec6c016585c7775c15df8aa24f946a

  • SHA256

    dbdde1a9fce9374a6adb8267c02814b386d33d6407cc7e91d0c3621cd7fd21f9

  • SHA512

    7210a7ad176219bfd2943345035256f4fdb83843793874aa309fc340b6dc61a84cda91d1c7111c18951e6774f28805473af6048a9c70634255dc1f881e640291

  • SSDEEP

    6144:eIebA5CHz6v+RbzOOTpmTzTutpicDwiXcPmh+v93ORPr4vqADn6fG:eIcA5/8bzTpAmtpD3XcPmh+v9yuqVfG

Score
10/10
cycbotponybackdoorcredential_accessdiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

    backdoorratcycbot
  • Cycbot family
    cycbot
  • Detects Cycbot payload 7 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony family
    pony
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7fe5b9df14c50155386cd2c61b876cb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f7fe5b9df14c50155386cd2c61b876cb_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3064
    • C:\Users\Admin\AppData\Local\Temp\f7fe5b9df14c50155386cd2c61b876cb_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\f7fe5b9df14c50155386cd2c61b876cb_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\91803\35A1B.exe%C:\Users\Admin\AppData\Roaming\91803
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2040
    • C:\Users\Admin\AppData\Local\Temp\f7fe5b9df14c50155386cd2c61b876cb_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\f7fe5b9df14c50155386cd2c61b876cb_JaffaCakes118.exe startC:\Program Files (x86)\038F1\lvvm.exe%C:\Program Files (x86)\038F1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1616
    • C:\Program Files (x86)\LP\1B89\3A71.tmp
      "C:\Program Files (x86)\LP\1B89\3A71.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2304
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2600
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Modify Registry

4
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Query Registry

2
T1012

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\91803\38F1.180
    Filesize

    696B

    MD5

    8a668fa2368daba0d4eb476831e9ba37

    SHA1

    a278b10dbbcf31fb2e00c075cb4211e529cbfe48

    SHA256

    3838800827eb735a9dbff0d30ade13c7d25e9d3360e12cdf97561726ff7ae97d

    SHA512

    e5a4233071837b240fe49688cefdae6571b2152a115a897b54d6b14e79a85fda95e0fed10836d49926ba4b723a13ca1eff59f8a5d6f9805b63fd7594eb1260bd

    Download Submit

  • C:\Users\Admin\AppData\Roaming\91803\38F1.180
    Filesize

    300B

    MD5

    5344b1fd5a803528af12f80c66ccc9e2

    SHA1

    910066bdc409d86a3fb78bb0af835aed99dbccda

    SHA256

    bdd9121729806389c20631d1944f8106f4002ff8375beedbb6269c0df3156222

    SHA512

    a7a7153ede470b0dd302dfe9a6c57f49a414402a5bad786fa31fb37dffd07baa51a04cfe47faf9ada9a9ab4be62c1341ce96c563cb1e2c129141fcb4bf0c5805

    Download Submit

  • C:\Users\Admin\AppData\Roaming\91803\38F1.180
    Filesize

    1KB

    MD5

    6b38562a8a5e2dd899c0dc4655ca992b

    SHA1

    e7ec8ce4b1c98fc5141c33cea3139c2043d33a68

    SHA256

    b60e599f165b819ae2ed969bd1c623fb17342f331f658a57db1c231df5993d30

    SHA512

    d132eb49c4b7718619e4d85d4ff38ef87b79444d28904488c7ea755548f1a009ecb8e031a88650ff63b3857e40eec305b89d55bf85d687945c61268b044952cc

    Download Submit

  • C:\Users\Admin\AppData\Roaming\91803\38F1.180
    Filesize

    1KB

    MD5

    b1c14af824e6f9302e59c1c2d8b05eed

    SHA1

    471d480af67d760661bd2ea0fad42625d744e675

    SHA256

    06a7ab6d8f9a59b83329ca0a0d0fec88c7907df7d2908f1cfc50efd3b3e85b26

    SHA512

    fa3ab4f46a01656eb26ca34f3c3a927e3bbab435f5d5640cbbdc6cfd7caf706055200ba12f2e2e07b684389f2b0ff3a04f266836545bf96646baca40d4f75b50

    Download Submit

  • \Program Files (x86)\LP\1B89\3A71.tmp
    Filesize

    107KB

    MD5

    e7cab4aa4304bfbc54b9723fca9bd57a

    SHA1

    19d2cc42fd30ab58a8e03569777f4a9ef8fd531d

    SHA256

    0624d004147b8549387ff54f23f50b84096b94671caa471bae5fb138ee23daff

    SHA512

    518e32b0cbbe185fdc284195c44559fff73ab0b013efcf8f413ef63cc653f7fcba839d29edcb6034c63b6c7204d2bce3329a7146b6a0b013b063852d4b2a10c2

    Download Submit

  • memory/1616-123-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/1616-121-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2040-12-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2040-13-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2304-261-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/3064-119-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/3064-11-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/3064-0-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/3064-9-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/3064-3-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/3064-260-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/3064-2-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/3064-318-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download