Analysis
-
max time kernel
140s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
14-01-2025 09:11
General
-
Target
JaffaCakes118_3a57882a1c934a13be0a29a9d660bc4a.exe
-
Size
168KB
-
MD5
3a57882a1c934a13be0a29a9d660bc4a
-
SHA1
e6f7446696dc8116efd51692f5ebc66adb2e3a92
-
SHA256
136b06a2ee6f1c5b6419cc4c37fd85b0d0903550e3839698d9a16ef2572776a2
-
SHA512
0162c84b1965a1ad00d97eb8342e0aba1f7213fc833163b98fe3c7f3813c90d3eaa19d8edb154ec71e4f4e76248272c84f8e07d82b33d89f6f826406eb43ead1
-
SSDEEP
3072:M4eoU6nPV+fNdW9np9fJDkU5xy4h0HWcrtEDrhFyxi1k0It:J1U6PV+f7WpRPxrgSrhFmiG0
Malware Config
Signatures
-
Cycbot
Cycbot is a backdoor and trojan written in C++..
-
Cycbot family
-
Detects Cycbot payload 6 IoCs
Cycbot is a backdoor and trojan written in C++.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3a57882a1c934a13be0a29a9d660bc4a.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3a57882a1c934a13be0a29a9d660bc4a.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3a57882a1c934a13be0a29a9d660bc4a.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3a57882a1c934a13be0a29a9d660bc4a.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3a57882a1c934a13be0a29a9d660bc4a.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3a57882a1c934a13be0a29a9d660bc4a.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD56cc6953be0948cac4d292a9951c73ecf
SHA19404ff3b4dd4f0f00285cf59bd3b970212621ae6
SHA2563e1791c678cd0d1b7297a2c986b3a7626003e3a27795f25f368ce1b84d79f221
SHA5121b77e53b92c2fa1e1e987fdd9dbcbbee79f6f7729e8b69730ee6db6aa1154c89ab168fd2f2c516cdd7dd482ea270e87e13ea3cd5283a3183dbc6190e9da4c600
-
Filesize
600B
MD54078d8faf24a898121a12fef1d742ee6
SHA15db1050a6f6ce6d96bc1e3d32042d50471136806
SHA2567ddb6c3ea7757de6da82b3d2f955b30259674ef0b6bd33746c72c26c85801933
SHA512b9255ce9fc5d177e20f28c8e098750a63bb6bbb4252cfd6dcdb9dbe19d34b03f273e0378dcfb432e035e72f949431b36b78204434e5d0b0d185323d85d3cc713
-
Filesize
996B
MD523c8d7ac9b8ea7cf53b38db016bc3342
SHA19051283e6b276968fe1eb44ebcae15d314cc7a0b
SHA2567c960c37a7a5016da190b474f4806591afe91eb36bb82d09168b0b207c147404
SHA51223665d1a135a8da6828c917a57bc482701ecad1c61f75187400929b28bac251fbd3bd42312dfb6f2d86faaf2c6229411a220dbdfeeb6799a5d727269c01548fa
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB