Analysis
-
max time kernel
140s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03-01-2025 13:25
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_6cf249e7391115ab5e47419bfd640e7f.exe
Resource
win7-20240903-en
General
-
Target
JaffaCakes118_6cf249e7391115ab5e47419bfd640e7f.exe
-
Size
176KB
-
MD5
6cf249e7391115ab5e47419bfd640e7f
-
SHA1
bc57fc7914fc4911c2c78b4bbea1ae4f07c6e296
-
SHA256
05961272f57f967605d9ef765d46dd0d583da1e64b36984b7901b1e4d3b85c93
-
SHA512
73a9f662f736410e54cd6a6c8566b88fe59dcd6fc0a1f55edf47137499f9fe6f980317a6cc0e926fdbe4430554bf5c244efca9e5b13d2c8368308cb39c7e1ff8
-
SSDEEP
3072:I62/a+CB/Og9XEBH0EkHLE7CtVTeJ8Kn6Nyt4ibYnC95OUckrXbd259l7eEhWW:z2i+A/HmHFuw6g8K6Qt46Ln11p2v4Eo
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 6 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral1/memory/2520-15-0x0000000000400000-0x0000000000491000-memory.dmp family_cycbot behavioral1/memory/2380-16-0x0000000000400000-0x0000000000491000-memory.dmp family_cycbot behavioral1/memory/2380-17-0x0000000000400000-0x000000000048E000-memory.dmp family_cycbot behavioral1/memory/1240-112-0x0000000000400000-0x0000000000491000-memory.dmp family_cycbot behavioral1/memory/2380-113-0x0000000000400000-0x0000000000491000-memory.dmp family_cycbot behavioral1/memory/2380-279-0x0000000000400000-0x0000000000491000-memory.dmp family_cycbot -
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\138C3\\93024.exe" JaffaCakes118_6cf249e7391115ab5e47419bfd640e7f.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/2380-2-0x0000000000400000-0x0000000000491000-memory.dmp upx behavioral1/memory/2520-15-0x0000000000400000-0x0000000000491000-memory.dmp upx behavioral1/memory/2520-14-0x0000000000400000-0x0000000000491000-memory.dmp upx behavioral1/memory/2380-16-0x0000000000400000-0x0000000000491000-memory.dmp upx behavioral1/memory/2380-17-0x0000000000400000-0x000000000048E000-memory.dmp upx behavioral1/memory/1240-112-0x0000000000400000-0x0000000000491000-memory.dmp upx behavioral1/memory/1240-111-0x0000000000400000-0x0000000000491000-memory.dmp upx behavioral1/memory/2380-113-0x0000000000400000-0x0000000000491000-memory.dmp upx behavioral1/memory/2380-279-0x0000000000400000-0x0000000000491000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_6cf249e7391115ab5e47419bfd640e7f.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2380 wrote to memory of 2520 2380 JaffaCakes118_6cf249e7391115ab5e47419bfd640e7f.exe 30 PID 2380 wrote to memory of 2520 2380 JaffaCakes118_6cf249e7391115ab5e47419bfd640e7f.exe 30 PID 2380 wrote to memory of 2520 2380 JaffaCakes118_6cf249e7391115ab5e47419bfd640e7f.exe 30 PID 2380 wrote to memory of 2520 2380 JaffaCakes118_6cf249e7391115ab5e47419bfd640e7f.exe 30 PID 2380 wrote to memory of 1240 2380 JaffaCakes118_6cf249e7391115ab5e47419bfd640e7f.exe 32 PID 2380 wrote to memory of 1240 2380 JaffaCakes118_6cf249e7391115ab5e47419bfd640e7f.exe 32 PID 2380 wrote to memory of 1240 2380 JaffaCakes118_6cf249e7391115ab5e47419bfd640e7f.exe 32 PID 2380 wrote to memory of 1240 2380 JaffaCakes118_6cf249e7391115ab5e47419bfd640e7f.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cf249e7391115ab5e47419bfd640e7f.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cf249e7391115ab5e47419bfd640e7f.exe"1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cf249e7391115ab5e47419bfd640e7f.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cf249e7391115ab5e47419bfd640e7f.exe startC:\Program Files (x86)\LP\24F1\9F7.exe%C:\Program Files (x86)\LP\24F12⤵PID:2520
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cf249e7391115ab5e47419bfd640e7f.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cf249e7391115ab5e47419bfd640e7f.exe startC:\Program Files (x86)\C31DA\lvvm.exe%C:\Program Files (x86)\C31DA2⤵PID:1240
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
996B
MD51befb96c6b6562f575ba530b5d3bd6ac
SHA1d4f11545c92b7b147d98708eab5fecceeecc490f
SHA2568b525c65c343ab453a9663f3b283ea0f791ec7903fad7ebeb104aee8f5b5c7be
SHA51229fb1da2b444cc1b368ca55a778fe9919a5587dc7845f5c3fd0f6e0a8a128826d8806feaee843f3a224f58bb319e13ae14d47b8ceefc7ee44704dbfeb96eccdb
-
Filesize
600B
MD535485d9c9914c593ce61f87221a84bac
SHA12aafec907adc364d361d6c268e7136dd8ca3ccd7
SHA25601feb0ea61f670f5792f73781e95de87916e54352cb801deca6cbfd405b5b524
SHA5120072b2f1fa8bc0a7253e46e0c976050640b5cb495b6d2bcaa232b0f369d367012e2e2a74338df7c9fbdf7950d2a938d255df4c6c7860fe5352b4ed272f4ff50d
-
Filesize
1KB
MD5dbed7ee476cdd1f4197d3bc7357998c5
SHA157d0a0124ce65ae0bf01654ea85838181064b425
SHA25631d24ad85f0377e92685d296cfafdbdde2cd1dca321767125ae002cc0b8f98f3
SHA51287ddc86d9a207bf73d2f21a69d6a1a566d6316ce19992b9c781bd459f461a001cbe507a6799ab6bba1c9ff97c8e2c0ead17d77f087b5b8dd2c270d8d26089acc