Overview

overview

10

Static

static

3

JaffaCakes...8a.exe

windows7-x64

10

JaffaCakes...8a.exe

windows10-2004-x64

10

JaffaCakes...8a.exe

android-9-x86

JaffaCakes...8a.exe

android-10-x64

JaffaCakes...8a.exe

android-11-x64

JaffaCakes...8a.exe

macos-10.15-amd64

JaffaCakes...8a.exe

ubuntu-18.04-amd64

JaffaCakes...8a.exe

debian-9-armhf

JaffaCakes...8a.exe

debian-9-mips

JaffaCakes...8a.exe

debian-9-mipsel

Resubmissions

14-01-2025 12:41

250114-pwxp2azpdn 10

14-01-2025 10:56

250114-m132hayjhj 10

Analysis

  • max time kernel
    110s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-01-2025 12:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe

  • Size

    177KB

  • MD5

    3be07720d75271452be60d7ea80d508a

  • SHA1

    ce8685fbc1a0ef90eab3911b64e3cfebd60238c2

  • SHA256

    2125a1e00be1bd129634cdd69d9540a4c49ae1864702547ada32ec70da42c95c

  • SHA512

    375a01be852e44e3025b06f6cc58902fd12f465c028cdbe28e537218b27e00ce81fa6c038c13aae49632a1e3aea1229086dade40721f509c9f022794113af897

  • SSDEEP

    3072:AWdbPR3RVFNvm8L8ds89HNnXbIygHVP3txJDnWUUXK6sAkqOjwPp1ipLitl9:XhPRH/vfL8dV9HNMygHVPrVWUUXK8kqt

Score
10/10
cycbotbackdoordiscoverypersistenceratupx

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

    backdoorratcycbot
  • Cycbot family
    cycbot
  • Detects Cycbot payload 6 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe sh $MOZILLA/ %SIGILL% "SIGTERM|DESTROY|SIGKILL"
    1⤵
    • Modifies WinLogon for persistence
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3092
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe startC:\Program Files (x86)\LP\504E\11E.exe%C:\Program Files (x86)\LP\504E
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3688
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe startC:\Program Files (x86)\B00C0\lvvm.exe%C:\Program Files (x86)\B00C0
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1992

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\E45B0\00C0.45B
    Filesize

    996B

    MD5

    7b122234e9d7a52e896fab59a8410626

    SHA1

    e98229fc7b8042d5067a7f4a982fa1570c0c7797

    SHA256

    066610aa814590108e0fef8295ae8cdf59caa251947350952cc7baa816f8763e

    SHA512

    395326dc42e1bca49a7ad60a21a2b125c081a6268b6af0358dccf96ca588ad6f0c3b151b1336847bd335ba36e484ad8fe49f9ebd2dab96b1030a698d97a48770

    Download Submit

  • C:\Users\Admin\AppData\Roaming\E45B0\00C0.45B
    Filesize

    600B

    MD5

    724710e6c5de80fd98e6f21803fb7684

    SHA1

    aa4ac8eaeebc87ac51f9ab536f2b64639ce529b6

    SHA256

    258c20078a9a7addd26c2e9398bcbe250e8a156a635d8a245859cad201cbdf37

    SHA512

    122f1819673aadbc678de5872c349becc7154e4af6094cb6e87ba461b69ffac296a684026cfd35c1e3b3372ef713ba88590ee822ca32b97d67d6158c0e11956b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\E45B0\00C0.45B
    Filesize

    1KB

    MD5

    9923981adf7c829dafd0f736218a0f4a

    SHA1

    24b9bafb774f049c1b53bb29473ca2aa7e09923a

    SHA256

    6f5d1e8c7395c5cf3d24f4f53428443c0a4a0271e96e30986688ebffe8805bf0

    SHA512

    41204d272b54a4dddd435e4ff7efcdb89bbbe97a990a4e11b882cc7042237e263c5372141e9aefc587ab9ea96859e5bfb9316633e8c517bc194cda730766d042

    Download Submit

  • memory/1992-128-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download

  • memory/1992-126-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download

  • memory/3092-17-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/3092-1-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/3092-16-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download

  • memory/3092-129-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download

  • memory/3092-2-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download

  • memory/3092-283-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download

  • memory/3688-15-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download

  • memory/3688-13-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download

  • memory/3688-12-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download