Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-01-2025 03:58

General

  • Target

    JaffaCakes118_350eab105ca0aa6c5496d97c7ceb87c5.exe

  • Size

    156KB

  • MD5

    350eab105ca0aa6c5496d97c7ceb87c5

  • SHA1

    fa3559740d432459b55281a6400a783a574bec86

  • SHA256

    9ccc95b4d76030316ab552fae69dbdb126d19cb048ac8306820ba7df634136be

  • SHA512

    523ed4c735037b551e1bc43961026857c8516e32369ab797c05c9aa1b9c1e3fa4c775523e592dc49457cbbfdc7e7f03d599d4da55f35097ddfdac7fddf3573c0

  • SSDEEP

    3072:NgeidsspSREFH/wyI6lKZo1WMlbKm0F6atVc2agaffMHEyaTkvA:TPsO6H5IYYDMlbl0FfW2fafUkpTr

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other profile data.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with the UPX open-source packer or a modified UPX build.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs
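
The UPX signature above is section-header evidence. The following Python check, added here as an illustration and not part of the sandbox's own detection logic, walks the PE section table and reports the two classic UPX indicators: section names UPX0/UPX1, and a first section with no raw data on disk but a large virtual size, which is where the stub decompresses the original image at runtime and which survives the section renaming that modified UPX builds apply. It constructs small in-memory PE headers as test input rather than reading the analysed sample; build_pe and its section values are assumptions for demonstration only.

```python
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX!"}


def pe_sections(data: bytes):
    """Walk the IMAGE_SECTION_HEADER table of a PE image held in memory.

    Returns a list of (name, VirtualSize, VirtualAddress, SizeOfRawData).
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature: NumberOfSections at +2,
    # SizeOfOptionalHeader at +16 within it; the section table follows the optional header.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize = struct.unpack_from("<8sIII", data, table + i * 40)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, vaddr, rsize))
    return sections


def upx_indicators(data: bytes):
    """Return human-readable reasons this image looks UPX-packed (empty list if none)."""
    secs = pe_sections(data)
    hits = [f"section named {s[0]}" for s in secs if s[0] in UPX_SECTION_NAMES]
    # Stock UPX layout: the first section occupies no bytes on disk but a large
    # virtual range, because the stub decompresses the original image into it.
    if secs and secs[0][3] == 0 and secs[0][1] > 0:
        hits.append(f"first section {secs[0][0]!r} has SizeOfRawData=0, VirtualSize={secs[0][1]:#x}")
    return hits


def build_pe(names, raw_sizes, virt_sizes) -> bytes:
    """Constructed test input: a bare PE32+ header plus section table, no code.

    Assumption for demonstration only; nothing here is the analysed sample.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header directly after the DOS header
    opt_size = 0xF0  # PE32+ optional header size; its contents are not needed for this walk
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, opt_size, 0x22)
    table = b""
    va = 0x1000
    for name, raw, virt in zip(names, raw_sizes, virt_sizes):
        # Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             virt, va, raw, 0x400, 0, 0, 0, 0, 0xE0000080)
        va += max(virt, 0x1000)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt_size) + table


if __name__ == "__main__":
    packed = build_pe(["UPX0", "UPX1", ".rsrc"], [0, 0x20000, 0x400], [0x40000, 0x20000, 0x400])
    renamed = build_pe([".text", ".data", ".rsrc"], [0, 0x20000, 0x400], [0x40000, 0x20000, 0x400])
    plain = build_pe([".text", ".data"], [0x4000, 0x800], [0x4000, 0x800])
    for label, img in (("stock UPX", packed), ("renamed sections", renamed), ("unpacked", plain)):
        print(label, "->", upx_indicators(img) or "no UPX indicators")
```

Section names alone are easy to defeat; the zero-raw-size first section is the more durable tell, and a real triage pipeline pairs it with an entropy measurement of the remaining sections.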

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_350eab105ca0aa6c5496d97c7ceb87c5.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_350eab105ca0aa6c5496d97c7ceb87c5.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_350eab105ca0aa6c5496d97c7ceb87c5.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_350eab105ca0aa6c5496d97c7ceb87c5.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2284
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_350eab105ca0aa6c5496d97c7ceb87c5.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_350eab105ca0aa6c5496d97c7ceb87c5.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1900
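
The tree shows the sample re-executing itself twice, each child given an argument of the form start<target path>%<directory> that names a file under a Windows system-process name (dwm.exe, csrss.exe) in a user-writable directory. The following Python triage script, added here as an example and not part of the sandbox's own signatures, reconstructs that tree from the listed PIDs and command lines (parent PIDs are inferred from the nesting, which the report does not print) and flags the three things a responder should pull from it: the self-relaunch, the start<path>%<dir> argument, and system-process names outside System32. The SYSTEM_NAMES list is an assumption.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# Constructed from the process tree above: PIDs, images and command lines as the
# report lists them. Parent PIDs are inferred from the nesting (an assumption).
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "JaffaCakes118_350eab105ca0aa6c5496d97c7ceb87c5.exe")
TREE = [
    Proc(2368, None, SAMPLE, f'"{SAMPLE}"'),
    Proc(2284, 2368, SAMPLE, SAMPLE + " startC:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"
                                      "%C:\\Users\\Admin\\AppData\\Roaming"),
    Proc(1900, 2368, SAMPLE, SAMPLE + " startC:\\Users\\Admin\\AppData\\Local\\Temp\\csrss.exe"
                                      "%C:\\Users\\Admin\\AppData\\Local\\Temp"),
]

# Core Windows process names that malware drops copies under (assumed list; extend as needed).
SYSTEM_NAMES = {"dwm.exe", "csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# The relaunch argument seen above: "start" glued to <target path>, then '%', then <directory>.
START_ARG = re.compile(r"^start(?P<target>[^%]+)%(?P<dir>.+)$", re.IGNORECASE)


def split_cmdline(cmdline: str):
    """Split a Windows command line into (image path, argument string).

    Handles a quoted image path; an unquoted path is assumed to contain no spaces.
    """
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end], cmdline[end + 1:].strip()
    head, _, rest = cmdline.partition(" ")
    return head, rest.strip()


def triage(tree):
    """Return (pid, finding) pairs for the behaviours visible in the tree."""
    by_pid = {p.pid: p for p in tree}
    findings = []
    for p in tree:
        parent = by_pid.get(p.ppid)
        # A child whose image is its parent's image is a self-relaunch, the usual
        # shape for staged unpacking or for handing work to a fresh copy.
        if parent and parent.image.lower() == p.image.lower():
            findings.append((p.pid, f"re-execution of parent image (parent PID {parent.pid})"))
        _, args = split_cmdline(p.cmdline)
        m = START_ARG.match(args)
        if not m:
            continue
        target = m.group("target")
        findings.append((p.pid, f"start-style relaunch argument, target {target}"))
        name = target.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_NAMES and not target.lower().startswith(SYSTEM_DIRS):
            findings.append((p.pid, f"{name} masquerade outside a system directory: {target}"))
    return findings


if __name__ == "__main__":
    for pid, finding in triage(TREE):
        print(pid, finding)
```

The same logic runs unchanged over Sysmon Event ID 1 records (Image, ParentImage, CommandLine) once they are mapped into Proc tuples. Note that the report's Downloads section does not list dwm.exe or csrss.exe being written, so the argument alone proves the intent, not that the copies landed on disk.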

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\6694.9F4

    Filesize

    1KB

    MD5

    1f847c8afe4e3e25b75488d1f4f0629b

    SHA1

    fe191ee10f5e98f5a96ff53017d36df24c4692e6

    SHA256

    7b8770e9df1f531a8bc0f2ee60e84c017ccad72d40cb50e8a0b924ddd136a47c

    SHA512

    3596c8768cfa72700b611a0e26e10f769ff9c3826aff0d30a5f1b661df1afb6817ba5dfd86f4c240d07b4a43d4ec5909cccb956d7e5048bd5dc655c02d359244

  • C:\Users\Admin\AppData\Roaming\6694.9F4

    Filesize

    597B

    MD5

    6c299258f2f31ec73f6eed04d260eae6

    SHA1

    bfe11fd76412aed0b9f2542df1b518dff464eb49

    SHA256

    b5df642c9d773cb5c37a6c59005e07824eca72e8a8f8f84b3ff71b7ba19a707d

    SHA512

    87bcbc1e576a55592a6310ab280cc810f93b1348c6548adc4768978bf2e8fe9143eedf26b7a7cc26d5389052c27b3422a49020f9e7e596cefaf0db1c87fa4798

  • C:\Users\Admin\AppData\Roaming\6694.9F4

    Filesize

    1KB

    MD5

    85683d784d53f204f72526bbcc6c6ae3

    SHA1

    084b2fc12eca2139cc336d317333e62ec3fa90c8

    SHA256

    61da188a07ee4e43c24847a668354d6a6ad8ccc376ca40cf90dc36706e5755ea

    SHA512

    73d294bb4bd8140bcec3032f7ef598eb33927d0316d2d3d2db0ad55f3aa9fea4cea086e3f3813e4f8e33a52a94e134325006afb4ea4eef733272909d0d509a36

  • C:\Users\Admin\AppData\Roaming\6694.9F4

    Filesize

    897B

    MD5

    5ef01e6a7a3fae2c619b93d3dbb90c1f

    SHA1

    eaecdb5d1e1e741581e35c2b191f248a1d4a2123

    SHA256

    2a95d3f24c5757f9c6892436b22f240bb6da498108a3e43653c705e914b7949c

    SHA512

    c26919f4a43a0857660957338785d3d1eb39f5d3c2ee667157cd91a9159dca16fe8109cacc7091806dfb3923f1349cbf00a34a943fccf0652d41483c1ba2ad44

  • memory/1900-99-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/1900-98-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2284-8-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2284-7-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2368-19-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2368-96-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2368-1-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2368-2-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2368-217-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB