Analysis
max time kernel: 140s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-01-2025 05:01
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_62cf181fb2fd82475dafafd74539ebf1.exe
Resource: win7-20240903-en
General
Target: JaffaCakes118_62cf181fb2fd82475dafafd74539ebf1.exe
Size: 174KB
MD5: 62cf181fb2fd82475dafafd74539ebf1
SHA1: 332e45941b06e60f42a8d2a08cb833d275277abe
SHA256: 35a887f5eb0904c6b397dfedd868ad7fa436b864d1185fd376b9155ce1874696
SHA512: e259aa2b1eca2bda64a25f5036662eed2c446d004ae49d83cf77802f8a6cca27c17bb222cb602b8bd21314e9d0cc224e95b887e52525f3ae10a60dbc8d73c8e4
SSDEEP: 3072:8EZevKD5vXDrqYlhqs+5YM7CEdaPWRfsg3rJVIu0TOsKWX1:wKD5fDrqOhqsnEdBfv9V/0TOsKW
Malware Config
Signatures
Cycbot family
Detects Cycbot payload (5 IoCs)
Cycbot is a backdoor and trojan written in C++.
resource / yara_rule:
- behavioral2/memory/3248-13-0x0000000000400000-0x000000000048D000-memory.dmp / family_cycbot
- behavioral2/memory/1816-14-0x0000000000400000-0x000000000048D000-memory.dmp / family_cycbot
- behavioral2/memory/1816-72-0x0000000000400000-0x000000000048D000-memory.dmp / family_cycbot
- behavioral2/memory/3032-76-0x0000000000400000-0x000000000048D000-memory.dmp / family_cycbot
- behavioral2/memory/1816-188-0x0000000000400000-0x000000000048D000-memory.dmp / family_cycbot
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description / ioc / Process:
- Set value (str) / \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe" / JaffaCakes118_62cf181fb2fd82475dafafd74539ebf1.exe
resource / yara_rule:
- behavioral2/memory/1816-2-0x0000000000400000-0x000000000048D000-memory.dmp / upx
- behavioral2/memory/3248-13-0x0000000000400000-0x000000000048D000-memory.dmp / upx
- behavioral2/memory/1816-14-0x0000000000400000-0x000000000048D000-memory.dmp / upx
- behavioral2/memory/1816-72-0x0000000000400000-0x000000000048D000-memory.dmp / upx
- behavioral2/memory/3032-74-0x0000000000400000-0x000000000048D000-memory.dmp / upx
- behavioral2/memory/3032-76-0x0000000000400000-0x000000000048D000-memory.dmp / upx
- behavioral2/memory/1816-188-0x0000000000400000-0x000000000048D000-memory.dmp / upx
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description / ioc / Process:
- Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / JaffaCakes118_62cf181fb2fd82475dafafd74539ebf1.exe
- Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / JaffaCakes118_62cf181fb2fd82475dafafd74539ebf1.exe
- Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / JaffaCakes118_62cf181fb2fd82475dafafd74539ebf1.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description / pid / Process / procid_target:
- PID 1816 wrote to memory of 3248 / 1816 / JaffaCakes118_62cf181fb2fd82475dafafd74539ebf1.exe / 82
- PID 1816 wrote to memory of 3248 / 1816 / JaffaCakes118_62cf181fb2fd82475dafafd74539ebf1.exe / 82
- PID 1816 wrote to memory of 3248 / 1816 / JaffaCakes118_62cf181fb2fd82475dafafd74539ebf1.exe / 82
- PID 1816 wrote to memory of 3032 / 1816 / JaffaCakes118_62cf181fb2fd82475dafafd74539ebf1.exe / 83
- PID 1816 wrote to memory of 3032 / 1816 / JaffaCakes118_62cf181fb2fd82475dafafd74539ebf1.exe / 83
- PID 1816 wrote to memory of 3032 / 1816 / JaffaCakes118_62cf181fb2fd82475dafafd74539ebf1.exe / 83
Processes
1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62cf181fb2fd82475dafafd74539ebf1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62cf181fb2fd82475dafafd74539ebf1.exe"
   - Modifies WinLogon for persistence
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1816
   2. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62cf181fb2fd82475dafafd74539ebf1.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62cf181fb2fd82475dafafd74539ebf1.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      - System Location Discovery: System Language Discovery
      PID: 3248
   2. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62cf181fb2fd82475dafafd74539ebf1.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62cf181fb2fd82475dafafd74539ebf1.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      - System Location Discovery: System Language Discovery
      PID: 3032
Network
MITRE ATT&CK Enterprise v15
Downloads