cycbot | 298155e10c68dcfdf0e68fecaab1236dde0c2a358d65257a1d64a72206f4a960

Resubmissions

12-01-2025 13:10

250112-qevpsatkhw 10

12-01-2025 11:11

250112-nal6qszmbw 10

Analysis

max time kernel
890s
max time network
844s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-01-2025 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
Size

275KB
MD5

0d3393d6895b52c627e9cf42414a6359
SHA1

0cd99b800c92868245d951bdbd418e6f1f3a4a22
SHA256

298155e10c68dcfdf0e68fecaab1236dde0c2a358d65257a1d64a72206f4a960
SHA512

872f9c281541e6a421809cdbb726066d9b8efa2390f562d89af1e5a0bebce827a80ba4971b7f32aecd9fc9496e5a3152dd4d03f0e6e9722712cea09032d45ce5
SSDEEP

6144:KSokLsgu1AicWHNGECoL03tnJbCrg4njSdjLtotWYlt/T:KSXDu1Ai5IECoOnJeL6BnYlt

Score

10^/10

cycbot backdoor discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 17 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2788-13-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2788-14-0x0000000000400000-0x0000000000467000-memory.dmp	family_cycbot
behavioral1/memory/2784-16-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2784-17-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2788-114-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1232-117-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2788-299-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2788-319-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2788-322-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/296-337-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2640-342-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2788-346-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2788-349-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2788-398-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1944-595-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1168-697-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1776-817-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
2688	F4C.tmp

Loads dropped DLL 5 IoCs

pid	Process
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2988	WerFault.exe
2988	WerFault.exe
2988	WerFault.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9FB.exe = "C:\\Program Files (x86)\\LP\\4675\\9FB.exe"	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2788-3-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2788-13-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2788-14-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2784-16-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2784-17-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2788-114-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1232-116-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1232-117-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2788-299-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2788-319-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2788-322-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/296-337-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2640-342-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2788-346-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2788-349-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2788-398-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1944-595-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1168-697-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1776-817-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\4675\9FB.exe	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
File opened for modification	C:\Program Files (x86)\LP\4675\F4C.tmp	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
File opened for modification	C:\Program Files (x86)\LP\4675\9FB.exe	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2988	2688	WerFault.exe	37

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4C.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1784	explorer.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	2816	msiexec.exe
Token: SeTakeOwnershipPrivilege	2816	msiexec.exe
Token: SeSecurityPrivilege	2816	msiexec.exe
Token: SeShutdownPrivilege	1784	explorer.exe
Token: SeShutdownPrivilege	1784	explorer.exe
Token: SeShutdownPrivilege	1784	explorer.exe
Token: SeShutdownPrivilege	1784	explorer.exe
Token: SeShutdownPrivilege	1784	explorer.exe
Token: SeShutdownPrivilege	1784	explorer.exe
Token: SeShutdownPrivilege	1784	explorer.exe
Token: SeShutdownPrivilege	1784	explorer.exe
Token: SeShutdownPrivilege	1784	explorer.exe
Token: SeShutdownPrivilege	1784	explorer.exe
Token: SeShutdownPrivilege	1784	explorer.exe
Token: SeShutdownPrivilege	1784	explorer.exe
Token: SeShutdownPrivilege	1784	explorer.exe
Token: SeShutdownPrivilege	1784	explorer.exe
Token: SeShutdownPrivilege	1784	explorer.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2784	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	31
PID 2788 wrote to memory of 2784	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	31
PID 2788 wrote to memory of 2784	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	31
PID 2788 wrote to memory of 2784	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	31
PID 2788 wrote to memory of 1232	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	33
PID 2788 wrote to memory of 1232	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	33
PID 2788 wrote to memory of 1232	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	33
PID 2788 wrote to memory of 1232	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	33
PID 2788 wrote to memory of 2688	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	37
PID 2788 wrote to memory of 2688	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	37
PID 2788 wrote to memory of 2688	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	37
PID 2788 wrote to memory of 2688	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	37
PID 2688 wrote to memory of 2988	2688	F4C.tmp	38
PID 2688 wrote to memory of 2988	2688	F4C.tmp	38
PID 2688 wrote to memory of 2988	2688	F4C.tmp	38
PID 2688 wrote to memory of 2988	2688	F4C.tmp	38
PID 2788 wrote to memory of 296	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	39
PID 2788 wrote to memory of 296	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	39
PID 2788 wrote to memory of 296	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	39
PID 2788 wrote to memory of 296	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	39
PID 2788 wrote to memory of 2640	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	40
PID 2788 wrote to memory of 2640	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	40
PID 2788 wrote to memory of 2640	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	40
PID 2788 wrote to memory of 2640	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	40
PID 2788 wrote to memory of 1944	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	42
PID 2788 wrote to memory of 1944	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	42
PID 2788 wrote to memory of 1944	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	42
PID 2788 wrote to memory of 1944	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	42
PID 2788 wrote to memory of 1168	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	43
PID 2788 wrote to memory of 1168	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	43
PID 2788 wrote to memory of 1168	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	43
PID 2788 wrote to memory of 1168	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	43
PID 2788 wrote to memory of 1776	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	44
PID 2788 wrote to memory of 1776	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	44
PID 2788 wrote to memory of 1776	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	44
PID 2788 wrote to memory of 1776	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	44
PID 2788 wrote to memory of 1556	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	45
PID 2788 wrote to memory of 1556	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	45
PID 2788 wrote to memory of 1556	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	45
PID 2788 wrote to memory of 1556	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	45
PID 2788 wrote to memory of 1564	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	46
PID 2788 wrote to memory of 1564	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	46
PID 2788 wrote to memory of 1564	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	46
PID 2788 wrote to memory of 1564	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	46
PID 2788 wrote to memory of 3012	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	47
PID 2788 wrote to memory of 3012	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	47
PID 2788 wrote to memory of 3012	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	47
PID 2788 wrote to memory of 3012	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	47
PID 2788 wrote to memory of 768	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	48
PID 2788 wrote to memory of 768	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	48
PID 2788 wrote to memory of 768	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	48
PID 2788 wrote to memory of 768	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	48
PID 2788 wrote to memory of 676	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	49
PID 2788 wrote to memory of 676	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	49
PID 2788 wrote to memory of 676	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	49
PID 2788 wrote to memory of 676	2788	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	49

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2788
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe startC:\Users\Admin\AppData\Roaming\52BBC\4FA46.exe%C:\Users\Admin\AppData\Roaming\52BBC
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2784
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe startC:\Program Files (x86)\BC20E\lvvm.exe%C:\Program Files (x86)\BC20E
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1232
- C:\Program Files (x86)\LP\4675\F4C.tmp
  "C:\Program Files (x86)\LP\4675\F4C.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 176
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2988
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe startC:\Users\Admin\AppData\Roaming\52BBC\4FA46.exe%C:\Users\Admin\AppData\Roaming\52BBC
  2⤵
  - System Location Discovery: System Language Discovery
  PID:296
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe startC:\Program Files (x86)\BC20E\lvvm.exe%C:\Program Files (x86)\BC20E
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2640
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe startC:\Users\Admin\AppData\Roaming\52BBC\4FA46.exe%C:\Users\Admin\AppData\Roaming\52BBC
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1944
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe startC:\Program Files (x86)\BC20E\lvvm.exe%C:\Program Files (x86)\BC20E
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1168
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe startC:\Users\Admin\AppData\Roaming\52BBC\4FA46.exe%C:\Users\Admin\AppData\Roaming\52BBC
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1776
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe startC:\Program Files (x86)\BC20E\lvvm.exe%C:\Program Files (x86)\BC20E
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1556
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe startC:\Users\Admin\AppData\Roaming\52BBC\4FA46.exe%C:\Users\Admin\AppData\Roaming\52BBC
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1564
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe startC:\Program Files (x86)\BC20E\lvvm.exe%C:\Program Files (x86)\BC20E
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3012
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe startC:\Users\Admin\AppData\Roaming\52BBC\4FA46.exe%C:\Users\Admin\AppData\Roaming\52BBC
  2⤵
  - System Location Discovery: System Language Discovery
  PID:768
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe startC:\Program Files (x86)\BC20E\lvvm.exe%C:\Program Files (x86)\BC20E
  2⤵
  - System Location Discovery: System Language Discovery
  PID:676

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\52BBC\C20E.2BB

Filesize
996B

MD5
bc56df1fd84c046c14e8bd93f470fbe1

SHA1
781e6248c6e2ce18ecfc54d7b4ca873fccff917e

SHA256
c126ec8272bf141da749240d29f5d6a820e84bb4ac95aa8bb5c17cb2e813955c

SHA512
e8e1bc69cb1ca436f97dba49b8af918f95e12bde9e3e147eb37177f91bbc523095bd2c5d3cd199e6192d638d2317f6faaf8b817facc0fb8cc3db160f81ebf8a9

Download Submit
C:\Users\Admin\AppData\Roaming\52BBC\C20E.2BB

Filesize
600B

MD5
928da7d45ee0a3196cbd37ea9ac3550e

SHA1
636e73bc3f42e1219656450d1b38600da8143be9

SHA256
c8c3a3b662a9f7c1ea6e8b176b1d6e0456518af178f56db8b42b41073ada2415

SHA512
520878919e0dd81c5fad15dcd53cb1fc2cd15aa57ad18114aab702542a0471689f09288fdcaf3fa74a90e9a2cbf882dd1a6653155b8028ee072a986986104efe

Download Submit
C:\Users\Admin\AppData\Roaming\52BBC\C20E.2BB

Filesize
1KB

MD5
755242859774c270f6d73c02a64affa9

SHA1
b132e10fb77f22e4acde29a014cec68a6f86182a

SHA256
3f7d6f7ef66f67d9d031302b056fa82c93defbdae579feaf42d06bba710ee8e0

SHA512
7c6e9d35a82fd51a3c29d6a407b7020f819afdeac4a68ebda101a402c2a38a8656e26b96cc6b65b1835352507f879131df4e68d98d12ee2f552a5864dd21f8ee

Download Submit
C:\Users\Admin\AppData\Roaming\52BBC\C20E.2BB

Filesize
1KB

MD5
29dbf15c1e1b7ff83f83f1cfd9f0b428

SHA1
dada0dd521d4b2d3cf9ab33d47280716a9be8094

SHA256
32409685642de56d968017e2e725798d3389e0fe7bbff4253d6dd30a34fc6b04

SHA512
0c7110d09d7aa148a42b22a5ba312273e843ddbcb44eb02753b73c4aa7180ac0e888df34a3264d7021cfbe492e40560b1be969f1b6b22302f62dca7a59eea9e3

Download Submit
C:\Users\Admin\AppData\Roaming\52BBC\C20E.2BB

Filesize
2KB

MD5
129729a75d0dccb1088863f8e6705245

SHA1
fc9c4396f13868284911c43c732e7bcb1fd9f8b4

SHA256
70fa065754a1643e80154f362eacbacbedb21c120fefea4d8ad9bd331f333106

SHA512
0439e9310fb1d95d25af3e1f62d724dbdee658f7862fa6db5cd94627b0289e8d31a35bf05dd696e132e9ff58ccc3ce08b88a9fc61164f4f4c25f1b0134dc489c

Download Submit
C:\Users\Admin\AppData\Roaming\52BBC\C20E.2BB

Filesize
3KB

MD5
1b18950249faca44875b7dd11507eef8

SHA1
2349182e013b65f3157ccde0958393750214125e

SHA256
5e260355df48cbdcae7b80887270069373b98af0b1ea549c14bdeb5e8bbee6d1

SHA512
03537adaf42e2702e108becf439c2800fe2631407df6121e23e60ecafd07efa2f4b7b88be0bfb15afbedf3587faecf7202b7c5c57021ead5f5f9af95c54c7b75

Download Submit
C:\Users\Admin\AppData\Roaming\52BBC\C20E.2BB

Filesize
3KB

MD5
374659708d14b5c37fd8af7e7f5a531d

SHA1
ff3def9fc41118a493401887f1ea2643275ceac0

SHA256
e8c2973facf9911248f4d603632b9f62f6e65303d550d15c4e0f70e738db50aa

SHA512
9e3bc34b860f203feb9621df6c09fcf90c88bd5e99ac0ca9fd6731b5f0b5087a5b0543e5a9c0d820f0524229e25ae584f8ba6ac51e95fca43e108d375a8f37db

Download Submit
C:\Users\Admin\AppData\Roaming\52BBC\C20E.2BB

Filesize
3KB

MD5
8ee851e270b4250b20fd0b3e84c17551

SHA1
b97a044ad690877c8bea5e0440558c96bd2b13e2

SHA256
703dc49184a0c5d73354dbbf76930c2f009619694972bd88d4a06298f9c6e2ec

SHA512
c0eafdb11ba52370ab661eeb0ca5928572ccd8ddde4bb3189e17ac6bb26596b42a33d4aa9bde9d51adb657735b14a3b814113844b705f4100a7a21abc4a7e289

Download Submit
\Program Files (x86)\LP\4675\F4C.tmp

Filesize
97KB

MD5
6b5ac6578a6569bd04a0cd84361d62a4

SHA1
47a4e0e5d0dba0cfa49e7714eb1132c1e124fec9

SHA256
fcf0d2693cdf1581388d1ea096f38af087f8fda24a0394bad49c6f33d6e1d0d2

SHA512
e95ae3ac6e37697ff2e967c5c08359c5425c288039e586d89009e1ed2bd58786ea5ae23c1425389e5ff46f31d3129b617d6a1e5f3eb92ba1955f91a183b0b87c

Download Submit
memory/296-337-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1168-697-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1232-117-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1232-116-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1776-817-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1944-595-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2640-342-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2784-17-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2784-16-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2788-319-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2788-346-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2788-349-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2788-398-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2788-322-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2788-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2788-299-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2788-114-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2788-14-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2788-13-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2788-3-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2788-2-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download