General

  • Target

    JaffaCakes118_6f6da6318514b8ec2fac667def3f907a

  • Size

    840KB

  • Sample

    250103-zb4yqasjgx

  • MD5

    6f6da6318514b8ec2fac667def3f907a

  • SHA1

    41fd39391f136797ba03a2a3725047e3acd5ff0a

  • SHA256

    cacd53a54de4c112c3633cd02f3f55f1793b867080abffa76239a58142ddec84

  • SHA512

    8cf4b099d75115b54900c27a941905389641f9247f437d20953f6cdba540047b1e4399c325a1b6008b854c26b4cb8bc723e41b4be9e73479196f7f86d0ade634

  • SSDEEP

    12288:bCpyvXFPTfnCvX66h/NYJ9nDW6FApNg3gZqdDUtOuBiMc/j6KRVrxn7Nl4+GtlrL:ek9P7nCvX6MNYLIbgYJ3chra+GbrL

Malware Config

Targets

    • Target

      JaffaCakes118_6f6da6318514b8ec2fac667def3f907a


    • Cycbot

      Cycbot is a backdoor and trojan written in C++.

    • Cycbot family

    • Detects Cycbot payload

      Cycbot is a backdoor and trojan written in C++.

    • Modifies visibility of hidden/system files in Explorer

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates processes with tasklist

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

MITRE ATT&CK Enterprise v15

Tasks