cycbot | 2b2c5f7bd2c76e12ae57782ec34ec76390923258f11860a800d53756eab6989e

Resubmissions

13-01-2025 04:38

250113-e9kmhswmds 10

12-01-2025 15:55

250112-tc3jdsymcz 10

Analysis

max time kernel
890s
max time network
759s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
Size

287KB
MD5

128002ba2034313b5ee8ae7b962b1ba6
SHA1

63d1abdd81c0630f2c8afd4be32e8dce2fcb6d73
SHA256

2b2c5f7bd2c76e12ae57782ec34ec76390923258f11860a800d53756eab6989e
SHA512

8309fb3854886f10377b5c5f11380cea1ad99ec00a2434eb99c218e6c3003ef117775b25e290fda4b636b243a0d2da1f9af80009bcc17a8c031551c12c838869
SSDEEP

6144:RuOsFiolw4pTBBZ0jkbno6/3MBftnpqcQC3HzSBrph+HavbfH:sZicfSeo6/qft43ckP+6jfH

Score

10^/10

cycbot pony backdoor credential_access discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 18 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1996-3-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1996-54-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/1996-59-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1204-62-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1204-63-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1564-177-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1996-224-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1996-352-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1996-357-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1196-371-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2628-375-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1996-379-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1996-450-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1996-641-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2620-651-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1688-752-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1088-862-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1524-866-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe

Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
2320	DE00.tmp

Loads dropped DLL 2 IoCs

pid	Process
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\73C.exe = "C:\\Program Files (x86)\\LP\\053C\\73C.exe"	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1996-2-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1996-3-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1996-54-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1996-59-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1204-62-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1204-63-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1564-177-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1996-224-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1996-352-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1996-357-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1196-371-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2628-375-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1996-379-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1996-450-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1996-641-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2620-651-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1688-752-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1088-862-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1524-866-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\053C\73C.exe	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
File opened for modification	C:\Program Files (x86)\LP\053C\73C.exe	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
File opened for modification	C:\Program Files (x86)\LP\053C\DE00.tmp	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DE00.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2240	explorer.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeRestorePrivilege	2808	msiexec.exe
Token: SeTakeOwnershipPrivilege	2808	msiexec.exe
Token: SeSecurityPrivilege	2808	msiexec.exe
Token: SeShutdownPrivilege	2240	explorer.exe
Token: SeShutdownPrivilege	2240	explorer.exe
Token: SeShutdownPrivilege	2240	explorer.exe
Token: SeShutdownPrivilege	2240	explorer.exe
Token: SeShutdownPrivilege	2240	explorer.exe
Token: SeShutdownPrivilege	2240	explorer.exe
Token: SeShutdownPrivilege	2240	explorer.exe
Token: SeShutdownPrivilege	2240	explorer.exe
Token: SeShutdownPrivilege	2240	explorer.exe
Token: SeShutdownPrivilege	2240	explorer.exe
Token: 33	2756	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2756	AUDIODG.EXE
Token: 33	2756	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2756	AUDIODG.EXE
Token: SeShutdownPrivilege	2240	explorer.exe
Token: SeShutdownPrivilege	2240	explorer.exe
Token: SeShutdownPrivilege	2240	explorer.exe
Token: SeShutdownPrivilege	2240	explorer.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1204	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	30
PID 1996 wrote to memory of 1204	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	30
PID 1996 wrote to memory of 1204	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	30
PID 1996 wrote to memory of 1204	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	30
PID 1996 wrote to memory of 1564	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	32
PID 1996 wrote to memory of 1564	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	32
PID 1996 wrote to memory of 1564	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	32
PID 1996 wrote to memory of 1564	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	32
PID 1996 wrote to memory of 2320	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	36
PID 1996 wrote to memory of 2320	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	36
PID 1996 wrote to memory of 2320	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	36
PID 1996 wrote to memory of 2320	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	36
PID 1996 wrote to memory of 1196	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	37
PID 1996 wrote to memory of 1196	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	37
PID 1996 wrote to memory of 1196	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	37
PID 1996 wrote to memory of 1196	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	37
PID 1996 wrote to memory of 2628	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	38
PID 1996 wrote to memory of 2628	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	38
PID 1996 wrote to memory of 2628	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	38
PID 1996 wrote to memory of 2628	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	38
PID 1996 wrote to memory of 2620	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	39
PID 1996 wrote to memory of 2620	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	39
PID 1996 wrote to memory of 2620	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	39
PID 1996 wrote to memory of 2620	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	39
PID 1996 wrote to memory of 1688	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	40
PID 1996 wrote to memory of 1688	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	40
PID 1996 wrote to memory of 1688	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	40
PID 1996 wrote to memory of 1688	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	40
PID 1996 wrote to memory of 1088	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	41
PID 1996 wrote to memory of 1088	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	41
PID 1996 wrote to memory of 1088	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	41
PID 1996 wrote to memory of 1088	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	41
PID 1996 wrote to memory of 1524	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	42
PID 1996 wrote to memory of 1524	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	42
PID 1996 wrote to memory of 1524	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	42
PID 1996 wrote to memory of 1524	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	42
PID 1996 wrote to memory of 1928	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	43
PID 1996 wrote to memory of 1928	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	43
PID 1996 wrote to memory of 1928	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	43
PID 1996 wrote to memory of 1928	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	43
PID 1996 wrote to memory of 2428	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	44
PID 1996 wrote to memory of 2428	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	44
PID 1996 wrote to memory of 2428	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	44
PID 1996 wrote to memory of 2428	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	44
PID 1996 wrote to memory of 2368	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	45
PID 1996 wrote to memory of 2368	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	45
PID 1996 wrote to memory of 2368	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	45
PID 1996 wrote to memory of 2368	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	45
PID 1996 wrote to memory of 2352	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	46
PID 1996 wrote to memory of 2352	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	46
PID 1996 wrote to memory of 2352	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	46
PID 1996 wrote to memory of 2352	1996	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe	46

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1996
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe startC:\Users\Admin\AppData\Roaming\C2F0C\15105.exe%C:\Users\Admin\AppData\Roaming\C2F0C
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1204
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe startC:\Program Files (x86)\0CC9B\lvvm.exe%C:\Program Files (x86)\0CC9B
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1564
- C:\Program Files (x86)\LP\053C\DE00.tmp
  "C:\Program Files (x86)\LP\053C\DE00.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2320
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe startC:\Users\Admin\AppData\Roaming\C2F0C\15105.exe%C:\Users\Admin\AppData\Roaming\C2F0C
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1196
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe startC:\Program Files (x86)\0CC9B\lvvm.exe%C:\Program Files (x86)\0CC9B
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2628
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe startC:\Users\Admin\AppData\Roaming\C2F0C\15105.exe%C:\Users\Admin\AppData\Roaming\C2F0C
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2620
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe startC:\Program Files (x86)\0CC9B\lvvm.exe%C:\Program Files (x86)\0CC9B
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1688
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe startC:\Users\Admin\AppData\Roaming\C2F0C\15105.exe%C:\Users\Admin\AppData\Roaming\C2F0C
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1088
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe startC:\Program Files (x86)\0CC9B\lvvm.exe%C:\Program Files (x86)\0CC9B
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1524
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe startC:\Users\Admin\AppData\Roaming\C2F0C\15105.exe%C:\Users\Admin\AppData\Roaming\C2F0C
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1928
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe startC:\Program Files (x86)\0CC9B\lvvm.exe%C:\Program Files (x86)\0CC9B
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2428
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe startC:\Users\Admin\AppData\Roaming\C2F0C\15105.exe%C:\Users\Admin\AppData\Roaming\C2F0C
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2368
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_128002ba2034313b5ee8ae7b962b1ba6.exe startC:\Program Files (x86)\0CC9B\lvvm.exe%C:\Program Files (x86)\0CC9B
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2352

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2240

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x55c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C2F0C\CC9B.2F0

Filesize
996B

MD5
13f68596560261d1db577bc51a32025d

SHA1
1f63fe440e9e7d765e730b7f5c411dfee96ef7cd

SHA256
115f78f23c66116075675bc3939af93e803a981268cc927f411c3d0effb0d905

SHA512
da298df11742d26a604056cb3e37b086cd68979ab1873c28d5ab49dd306c2f048dc63e0f78d2a4ec01d61b273d8d8a2d6e98f514e2cf0538c7ab5ebcb258c1ed

Download Submit
C:\Users\Admin\AppData\Roaming\C2F0C\CC9B.2F0

Filesize
1KB

MD5
904133098b8e545238bfbca813ec1631

SHA1
8947ec224407b171f3efd828a05f3d42ab5d3c52

SHA256
769d9b798d0f0af31636561bc53fd49c25bb5a358b4e93a53f50bdc70931092b

SHA512
036ab99d41e8da695e0f8bc43e49f699cb03ad6cf5cc635f6096b235b2a612b2d1d6d112ebbb843138ccc479e1810a9f2b032909e1d10db18d420b8206369689

Download Submit
C:\Users\Admin\AppData\Roaming\C2F0C\CC9B.2F0

Filesize
1KB

MD5
d2cdeadeb2f903b1123e963fa5a14650

SHA1
88f4658cfe46d2b0c1d9e2d13b417acf6faff4dc

SHA256
5b57d822f37088db87994557b59ea29a73d49d7ae024157927b9ffceac030680

SHA512
dd16547f2bc46f6c10c50e9b7043bc747c5dd3669504cb4a89d137d0e16fffdd19b52ccdba002803ddbe46a8750132532eb8948af5f838dbccf008d958bbe499

Download Submit
C:\Users\Admin\AppData\Roaming\C2F0C\CC9B.2F0

Filesize
2KB

MD5
20e1686ce5ce445eef111f3bf3977b91

SHA1
e1b8207b0e5ba893b2d4cf11abdeb61e142f56d6

SHA256
2eefbaf6febe3a44aa32cc311cac19f190fe1dbea268f16b906bb1017856ebf6

SHA512
a140f00786e5ed46bf24af589fd49feee433f418bc736342cf6b6133beaf76aac8a5f26bf744730fc905d447712d2aa0a84d8873c6b25aee04c1270d67e6b8c2

Download Submit
C:\Users\Admin\AppData\Roaming\C2F0C\CC9B.2F0

Filesize
3KB

MD5
e84b0c265110eeacf39f2e3469cf1503

SHA1
ac9efc2e52e59bcf9c0fa797de00cd05291e7c65

SHA256
1946828c76a21b7a4b1a5d737f4de17f833d4615b75ea89b7cff76119582d98a

SHA512
73c28c41aa1a14e447df70e2063aefc90307ede7593b46d83f10c5bfbc4e5399f5cb5fe85838f06299bc4b4b1ba08d446b1177aec2bd6a122387016d166e11a4

Download Submit
C:\Users\Admin\AppData\Roaming\C2F0C\CC9B.2F0

Filesize
600B

MD5
d1a8af85473f1b15826703388067ad8b

SHA1
b829c37ed15ec8ac143384dc0c7df10ae5031833

SHA256
e5fc9d51a8e7bd266ccf96c5bc7162f0097ad4f2a88e36713d0ff4998264eec7

SHA512
5b8f4903062017ea041f7d7e53a5437ad34abe8a2a0aab0d4f432771edb346de1e6df3d21c2814e7835ceae765eb8003c42ab74608fe50f48ea105d122e1522e

Download Submit
C:\Users\Admin\AppData\Roaming\C2F0C\CC9B.2F0

Filesize
3KB

MD5
9dc977ae075d5edc4d1ececa61cb6066

SHA1
d498d2c62ac288149ec5c1b48f8160d2d9771d9b

SHA256
04d5fc141a2188764fd66bdd4d1e03d0dad5b27ce45bc73ffdd00bdda1bd9453

SHA512
ce7a6afd3f8a667f9458b41dadb755f4681e8eea20643e404a3fe5882932080e0a8301ed6b991e6bd50d15723474c12443712cc17924bbf321a33fd33018464a

Download Submit
C:\Users\Admin\AppData\Roaming\C2F0C\CC9B.2F0

Filesize
3KB

MD5
473bb5fbcf847dd8134121605684cabb

SHA1
45a4a8369c2fa0dbf210efc1f1251e8cb9c357b7

SHA256
73a03698fc40f31429e0d65b40a2bda88fc80593bb0376aff58e1d858bfba555

SHA512
31dfa1e365bbeebee536f0facaef25232f7f9edd34e73ee4e2349c99399dfb6d98ef089caa0fae67955c8d89e8bfcc019fa9bb772003926fe7ac819b2aede7ad

Download Submit
C:\Users\Admin\AppData\Roaming\C2F0C\CC9B.2F0

Filesize
300B

MD5
fceb94cf5f9517ef7d202878870528a7

SHA1
5db9d42ee4d81e058a29c2d194079be49dd47254

SHA256
5b400ceb87e99b046a4779b6583c98128b5b7c78e483abc196d613ae69be2564

SHA512
2ea9692a3685232c3e2d95f512921e8fd34184b09fc64de1cdd8e8ca235b11e42c8584376b828e2c561e6f26455967e8462d79f31d1e8f5ad68865baead869ff

Download Submit
\Program Files (x86)\LP\053C\DE00.tmp

Filesize
101KB

MD5
c28186290b51a5350bfc382685940af4

SHA1
dcc9eb2a2375f81dfb98515c07912ad4028216be

SHA256
7315bbc1d631338fffeeec3edb5d64bb6d050c9f390da8bdc7714806b8966eaa

SHA512
a94b534cb518097e2b89718bc70c77a9c1c8cc43c302e547b02cf1bad0bbc7cd6bc9bb42dd19823c3cd90389057dc3df62f7c03b7e42066cf49563c86cbdf7e7

Download Submit
memory/1088-862-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1196-371-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1204-63-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1204-61-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1204-62-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1524-866-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1564-177-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1688-752-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1996-450-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1996-641-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1996-2-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1996-352-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1996-379-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1996-224-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1996-357-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1996-1-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1996-3-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1996-59-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1996-54-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2240-368-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/2320-353-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2620-651-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2628-375-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download