Overview

overview

10

Static

static

3

JaffaCakes...8e.exe

windows7-x64

10

JaffaCakes...8e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-01-2025 21:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_60addbb48b547e182553d9f8aaaae18e.exe

  • Size

    840KB

  • MD5

    60addbb48b547e182553d9f8aaaae18e

  • SHA1

    77844cba4deaae8b2af15c71899b1dd8ddc51edf

  • SHA256

    6291e62fef34927bc7c8110bc2e079e728f21ba730b09be821983c1d4fbfde59

  • SHA512

    fd9a70d8521a8f7464c981f3d0f3158485cc11de1e49e4fb4b5f59760524e9b9037d43d1e9b71813ccb8627b8128b0d43e5d6c5e8ca73b9863643241c91e4134

  • SSDEEP

    12288:mCpyvXFPTfnCvX66h/NYJ9nDW6FApNg3gZqdDUtOuBiMc/j6KRVrxn7Nl4+GtlrL:zk9P7nCvX6MNYLIbgYJ3chra+GbrL

Score
10/10
cycbotbackdoordiscoveryevasionpersistenceratupx

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

    backdoorratcycbot
  • Cycbot family
    cycbot
  • Detects Cycbot payload 6 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Adds Run key to start application 2 TTPs 54 IoCs
    persistence
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of SetThreadContext 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60addbb48b547e182553d9f8aaaae18e.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60addbb48b547e182553d9f8aaaae18e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3184
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60addbb48b547e182553d9f8aaaae18e.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60addbb48b547e182553d9f8aaaae18e.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4464
      • C:\Users\Admin\d3WQGzd9.exe
        C:\Users\Admin\d3WQGzd9.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2240
        • C:\Users\Admin\ceetol.exe
          "C:\Users\Admin\ceetol.exe"
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:4292
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del d3WQGzd9.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3104
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2564
      • C:\Users\Admin\awhost.exe
        C:\Users\Admin\awhost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4888
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Windows\system32\svchost.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2616
      • C:\Users\Admin\bwhost.exe
        C:\Users\Admin\bwhost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2324
        • C:\Users\Admin\bwhost.exe
          "C:\Users\Admin\bwhost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3820
          • C:\Windows\explorer.exe
            000000D0*
            5⤵
              PID:4628
        • C:\Users\Admin\cwhost.exe
          C:\Users\Admin\cwhost.exe
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1072
          • C:\Users\Admin\cwhost.exe
            C:\Users\Admin\cwhost.exe startC:\Users\Admin\AppData\Roaming\conhost.exe%C:\Users\Admin\AppData\Roaming
            4⤵
            • Executes dropped EXE
            PID:2936
          • C:\Users\Admin\cwhost.exe
            C:\Users\Admin\cwhost.exe startC:\Users\Admin\AppData\Local\Temp\dwm.exe%C:\Users\Admin\AppData\Local\Temp
            4⤵
            • Executes dropped EXE
            PID:2104
        • C:\Users\Admin\dwhost.exe
          C:\Users\Admin\dwhost.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3228
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_60addbb48b547e182553d9f8aaaae18e.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1996
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:4812

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\7F23.174
      Filesize

      996B

      MD5

      0a5339930264fbe99eeee529f4d0a1e3

      SHA1

      f31ef794a826ecdd81de77d5281e458cf104fa00

      SHA256

      52f4e46a346c77abd2ee6640e46dbcdc836e4bcd1c9fef3e0dd3d19ca93e49b7

      SHA512

      cfcd28f776cbb79bb90488ad310cb2392ec001d1401276ed700bb4753225e5bb641f4294cab06b8098db32390cf9e82e25f4b2aa5e856cc4ca5c9d4a5cff2f2a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\7F23.174
      Filesize

      1KB

      MD5

      cea788752c4ba20e0b5e3a5c69b82a9b

      SHA1

      8e0db5fd817ca3f75d8bec449f69cec70bbc4286

      SHA256

      a601b8c8fdb0e81fa5b50e28815b252853cf0f96368d564f65481db9f1f141ba

      SHA512

      a4969ecf2e2d6ec64341587e143fd517020c7b9deaa8a5dd8c30d77764a4ee5f6b638190e4eb23adc217b83815aa2db89a89f1325449d2fafdb730c586a3c41f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\7F23.174
      Filesize

      600B

      MD5

      ebb9e88529c147cf0f599f0fa090b8f6

      SHA1

      fd38e819ad1d1763eac60cec17822128128e3928

      SHA256

      fb9320388398b50c3c1d6c8489128df68d9424a4b6a0d01aec618e8b1660eb6b

      SHA512

      8fd8e64cec4cc7272c3b50f572a97d4fdde9805cb192a0d9e890e1308bbd6f504006cc1b44fe7c3c589c48c9c2671edbd0232c54917fa13aff136f72b4dd6430

      Download Submit

    • C:\Users\Admin\awhost.exe
      Filesize

      68KB

      MD5

      b0406fa1f1b4a471ce4c1521708d1ef3

      SHA1

      bd2bb68d92c8b6af7604d52e336152bc48ea1227

      SHA256

      ef2abd7d609bba1f141b3e1dc6a79d937fe68e37d51b093fc29e0d800bf6fa29

      SHA512

      07bec70b25b083919a91de4930842ba8b264e869d0251134cbfecbc9227be704c70600c9db878eee08f7d1fa1df6c848577b632f810b014d62ace26b961bb2cc

      Download Submit

    • C:\Users\Admin\bwhost.exe
      Filesize

      136KB

      MD5

      acaf206a193335d7983a46a8c9e18fea

      SHA1

      3a33b8148c23887c2b9edc2d0dbec3d83398069b

      SHA256

      8aa2fb2e061fc4a30160f912db3f1ea75189d16d922f82aba6538e92c4df47ca

      SHA512

      846622efa83273ce9f40f38953077eca4a6f064923a8cf9b202d19cac9fac4c8e58007f2531fafafb6b408787d0ed23a3349b49794d0311736efa35bba6fba10

      Download Submit

    • C:\Users\Admin\ceetol.exe
      Filesize

      364KB

      MD5

      4f07a0204e1f4c778aeed97174053c7d

      SHA1

      11a552a33623566a28aa8f8bad2fa1d935412d97

      SHA256

      a8560f34381eeea45d9535f9b6966fa9625cf3bcb532bad5a7b35bfef25e5e01

      SHA512

      1291486b4afaa3c1dcbadd40feaab294f9175c6b614a699eb9f7338c7051339884a772b8fdc8359c67759ab484c492aa2cc96522cbc582300d40bd6f9743e1c2

      Download Submit

    • C:\Users\Admin\cwhost.exe
      Filesize

      170KB

      MD5

      40d9607cb66da11b9adfec5b93b8b311

      SHA1

      55bf463cd5c0c90ba92935ef81ae47ab3bc5fea6

      SHA256

      033e60eebb966b3bcfbe27fa3e99e8f393970f320b5cc25cb16517869eb5f3e6

      SHA512

      e764053de1c2444e61e638e67e91cf7d9d968df4d60b8bcc3f5ddfc317edb1f14e950d096d451fa372a699fc886125066f4e2f2de171641433ce1e066aa58078

      Download Submit

    • C:\Users\Admin\d3WQGzd9.exe
      Filesize

      364KB

      MD5

      db406d87e556a0008c18429ecf3cc93a

      SHA1

      3a1b7a87080bf1d78fca904bd7515833bbd380e8

      SHA256

      2712b4f742a53c7d4b9a55c8f760447a26925c10a3ca6c10b84dea49482a2768

      SHA512

      e0da870b0c8f8955277b9227ef3de2b4d3e45d37986ac9a9b445e24506f265020f071365a2135b1e2892aaa64c3b7477d6c4a57598f3601655d74d92d6222354

      Download Submit

    • C:\Users\Admin\dwhost.exe
      Filesize

      24KB

      MD5

      aaa893d374547f20f7fdd7c3b6c56b36

      SHA1

      f7aab7bd60af5e948b71abcccbcfb1d62f6580ff

      SHA256

      17c950477ffd3e28c4135c4cc5711589415129c7b21c4af1e89deaf68f043d03

      SHA512

      491b88e809425dd20dc9052fe45ab101ccb803c186a27d6502bf1cbefa8d903d51f72c02e604ec346f77b85c4324daa036341a42fcba0a96e5c69781ebfecb31

      Download Submit

    • memory/1072-166-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

      Download

    • memory/1072-154-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

      Download

    • memory/1072-291-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

      Download

    • memory/1072-287-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

      Download

    • memory/2104-161-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

      Download

    • memory/2324-66-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2616-53-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2616-54-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2616-52-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2936-82-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

      Download

    • memory/3820-63-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/3820-61-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/4464-84-0x0000000000400000-0x00000000004C4000-memory.dmp

      Filesize

      784KB

      Download

    • memory/4464-4-0x0000000000400000-0x00000000004C4000-memory.dmp

      Filesize

      784KB

      Download

    • memory/4464-2-0x0000000000400000-0x00000000004C4000-memory.dmp

      Filesize

      784KB

      Download

    • memory/4464-289-0x0000000000400000-0x00000000004C4000-memory.dmp

      Filesize

      784KB

      Download