Analysis
- max time kernel: 141s
- max time network: 70s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 14/01/2025, 19:26 UTC
- Static task: static1
- Behavioral task: behavioral1
  - Sample: JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
  - Resource: win7-20241010-en
General
- Target: JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
- Size: 187KB
- MD5: 439fa8e7368ee82bacc8e9dfb93153ce
- SHA1: bf95486af9518ae3c207f1bcb7c2be2c02ffe54f
- SHA256: 113e4bc5259272347a7aa39e0a172317f01a14814c3359cbeddc144e7f16a236
- SHA512: 504aac164a6127a3a0df92f67f2247bcf3bf6f3f985e6e53061a93de8131e356cd091f29a145d101760623903750c39c3e44569b0b734c8a9353b037ce9c89d5
- SSDEEP: 3072:EiEwWW0AYX9dbOKLCNh072GeTm9sZuKp2nPSqgPXWL+T5hC:EiE97diKeCa52Cth
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (5 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource                                                                   yara_rule
  behavioral1/memory/2712-14-0x0000000000400000-0x0000000000455000-memory.dmp   family_cycbot
  behavioral1/memory/2236-15-0x0000000000400000-0x0000000000452000-memory.dmp   family_cycbot
  behavioral1/memory/2236-16-0x0000000000400000-0x0000000000455000-memory.dmp   family_cycbot
  behavioral1/memory/1468-147-0x0000000000400000-0x0000000000455000-memory.dmp  family_cycbot
  behavioral1/memory/2236-322-0x0000000000400000-0x0000000000455000-memory.dmp  family_cycbot
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- UPX-packed code in memory (yara_rule upx, 8 IoCs)
  resource                                                                   yara_rule
  behavioral1/memory/2236-2-0x0000000000400000-0x0000000000455000-memory.dmp    upx
  behavioral1/memory/2712-11-0x0000000000400000-0x0000000000455000-memory.dmp   upx
  behavioral1/memory/2712-12-0x0000000000400000-0x0000000000455000-memory.dmp   upx
  behavioral1/memory/2712-14-0x0000000000400000-0x0000000000455000-memory.dmp   upx
  behavioral1/memory/2236-15-0x0000000000400000-0x0000000000452000-memory.dmp   upx
  behavioral1/memory/2236-16-0x0000000000400000-0x0000000000455000-memory.dmp   upx
  behavioral1/memory/1468-147-0x0000000000400000-0x0000000000455000-memory.dmp  upx
  behavioral1/memory/2236-322-0x0000000000400000-0x0000000000455000-memory.dmp  upx
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  All eight writes originate from PID 2236 and target the two child copies of the same image (PIDs 2712 and 1468), four WriteProcessMemory calls per target.
  description           pid   Process                                              procid_target
  PID 2236 wrote to memory of 2712   2236   JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe   29
  PID 2236 wrote to memory of 2712   2236   JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe   29
  PID 2236 wrote to memory of 2712   2236   JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe   29
  PID 2236 wrote to memory of 2712   2236   JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe   29
  PID 2236 wrote to memory of 1468   2236   JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe   31
  PID 2236 wrote to memory of 1468   2236   JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe   31
  PID 2236 wrote to memory of 1468   2236   JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe   31
  PID 2236 wrote to memory of 1468   2236   JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe   31
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe (PID 2236)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe (PID 2712)
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe startC:\Program Files (x86)\LP\4E62\5DC.exe%C:\Program Files (x86)\LP\4E62
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe (PID 1468)
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe startC:\Users\Admin\AppData\Roaming\2E0C0\1A84E.exe%C:\Users\Admin\AppData\Roaming\2E0C0
    - System Location Discovery: System Language Discovery
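The WriteProcessMemory rows and the process list above are the two pieces of this report that need to be read together: one parent, two children running the same image, four writes into each, and a `start<path>%<dir>` argument handed to each child. The Python below is an added example, not part of the sandbox report or of any vendor's tooling. It takes the report's rows (copied here as constructed input), collapses the repeated calls per writer/target pair, flags a parent writing into child processes that run its own image, and extracts the drop paths from the children's start argument. The row layout and the `start...%...` convention are taken from this report; the regular expressions that decode them are assumptions about that layout.

```python
"""Added example: triage the WriteProcessMemory rows and process tree
from the sandbox report above. Not part of the report itself."""
import re
from collections import Counter

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe"

# Constructed from the report's Processes section: pid -> (parent pid, image path, command line).
PROCESSES = {
    2236: (None, SAMPLE_EXE, '"' + SAMPLE_EXE + '"'),
    2712: (2236, SAMPLE_EXE, SAMPLE_EXE + r" startC:\Program Files (x86)\LP\4E62\5DC.exe%C:\Program Files (x86)\LP\4E62"),
    1468: (2236, SAMPLE_EXE, SAMPLE_EXE + r" startC:\Users\Admin\AppData\Roaming\2E0C0\1A84E.exe%C:\Users\Admin\AppData\Roaming\2E0C0"),
}

# The eight "Suspicious use of WriteProcessMemory" rows, copied from the report.
WPM_LOG = """\
PID 2236 wrote to memory of 2712 2236 JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe 29
PID 2236 wrote to memory of 2712 2236 JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe 29
PID 2236 wrote to memory of 2712 2236 JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe 29
PID 2236 wrote to memory of 2712 2236 JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe 29
PID 2236 wrote to memory of 1468 2236 JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe 31
PID 2236 wrote to memory of 1468 2236 JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe 31
PID 2236 wrote to memory of 1468 2236 JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe 31
PID 2236 wrote to memory of 1468 2236 JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe 31
"""

# Assumed row layout: writer pid, target pid, writer pid again, writer image, target procid.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+$")


def parse_wpm(log):
    """Collapse repeated rows into {(writer_pid, target_pid): number_of_calls}."""
    counts = Counter()
    for line in log.splitlines():
        m = ROW.match(line.strip())
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return dict(counts)


def self_injections(processes, writes):
    """Return (writer, target, calls) where the target is the writer's own child
    and runs the same image: the sample writing into fresh copies of itself."""
    hits = []
    for (writer, target), calls in sorted(writes.items()):
        writer_image = processes[writer][1].lower()
        target_parent, target_image, _ = processes[target]
        if target_parent == writer and target_image.lower() == writer_image:
            hits.append((writer, target, calls))
    return hits


# Children are launched as:  <image> start<drop exe path>%<drop directory>
START_ARG = re.compile(r" start(.+?)%(.+)$")


def parse_start_arg(cmdline):
    """Return (dropped exe path, drop directory), or None for the parent's plain launch."""
    m = START_ARG.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def drop_paths(processes):
    """Filesystem IoCs to hunt for, taken from every child's start argument."""
    paths = set()
    for _, _, cmdline in processes.values():
        parsed = parse_start_arg(cmdline)
        if parsed:
            paths.update(parsed)
    return sorted(paths)


if __name__ == "__main__":
    writes = parse_wpm(WPM_LOG)
    for writer, target, calls in self_injections(PROCESSES, writes):
        print(f"PID {writer} -> PID {target}: {calls} WriteProcessMemory calls into a copy of its own image")
    for path in drop_paths(PROCESSES):
        print("hunt for:", path)
```

The paths the children are told to use are the IoCs worth adding to a host sweep; the report's Downloads section lists three dropped files by hash but not by name, so the `start` argument is the only place on this page where those paths appear.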
Network
- DNS query (8.8.8.8:53)
  Request: istockanalyst.com IN A
  Response: istockanalyst.com IN A 104.21.48.1, 104.21.64.1, 104.21.32.1, 104.21.16.1, 104.21.96.1, 104.21.112.1, 104.21.80.1
- HTTP (104.21.48.1:80), process JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
  GET http://istockanalyst.com/12.jpg?sv=463&tq=gJ4WK%2FSUh5TBhRMw9YLJmMSTUivqg4aUxZJUK%2B%2FbxWq1SfkIYWBo
  Request:
    GET /12.jpg?sv=463&tq=gJ4WK%2FSUh5TBhRMw9YLJmMSTUivqg4aUxZJUK%2B%2FbxWq1SfkIYWBo HTTP/1.0
    Connection: close
    Host: istockanalyst.com
    Accept: */*
    User-Agent: chrome/9.0
  Response:
    HTTP/1.1 301 Moved Permanently
    Content-Type: text/html
    Content-Length: 167
    Connection: close
    Cache-Control: max-age=3600
    Expires: Tue, 14 Jan 2025 20:26:23 GMT
    Location: https://istockanalyst.com/12.jpg?sv=463&tq=gJ4WK%2FSUh5TBhRMw9YLJmMSTUivqg4aUxZJUK%2B%2FbxWq1SfkIYWBo
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zn2qUW9z4Pz0ujGO4UfmZoaHswndFdoywQKwb%2BzjN6HV39iTDCXG%2FKXPIo1q99LGJgMZDgx8OEZmWbK3luFnrUkJIfysBhcImvYErTyUsgSxmvALetKDEHdxBeoVGs69GnikkQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90200475ecd5e908-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=39542&min_rtt=39542&rtt_var=19771&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=174&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
- DNS query (8.8.8.8:53)
  Request: 5-da2.blogercontent.com IN A
  Response: no A records returned
- DNS query (8.8.8.8:53)
  Request: 5xjj-a.wwwmediahosts.com IN A
  Response: no A records returned
- DNS query (8.8.8.8:53)
  Request: www.google.com IN A
  Response: www.google.com IN A 142.250.187.196
- HTTP (142.250.187.196:80)
  Request:
    GET / HTTP/1.0
    Connection: close
    Host: www.google.com
    Accept: */*
  Response:
    HTTP/1.0 302 Found
    x-hallmonitor-challenge: CgwIm_WavAYQt-r_1gMSBLXXsFM
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-VrEAStYyOocURV32Coictg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Tue, 14 Jan 2025 19:27:23 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-VUWYRMcbBtkUEoUVOcLYWPl05BmoLXe1GxJdAR1AxW3uJiWLqqN-U; expires=Sun, 13-Jul-2025 19:27:23 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
- DNS query (8.8.8.8:53)
  Request: kwgf.blogercontent.com IN A
  Response: no A records returned
- HTTP (142.250.187.196:80)
  Request:
    GET / HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
  Response:
    HTTP/1.1 302 Found
    x-hallmonitor-challenge: CgwInPWavAYQiJu4mgISBLXXsFM
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-BZ38cgxgJcEzR7oRlzhyyQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Tue, 14 Jan 2025 19:27:24 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-XPWPPGBgInCu-JXlGOVX6SS_5g6zfHkmIrUwE_46bqtyekaaHC_Q; expires=Sun, 13-Jul-2025 19:27:24 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
    Connection: close
- HTTP (142.250.187.196:80), process JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
  GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGJz1mrwGIjDHcsDdZc_Ws6JG4hdiludMJq8b0CwXb7X-zNy1QoMCwB3yHXlJt6vU-M6YH4aJIVIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
  Request:
    GET /sorry/index?continue=http://www.google.com/&q=EgS117BTGJz1mrwGIjDHcsDdZc_Ws6JG4hdiludMJq8b0CwXb7X-zNy1QoMCwB3yHXlJt6vU-M6YH4aJIVIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
  Response:
    HTTP/1.1 429 Too Many Requests
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Content-Type: text/html
    Server: HTTP server (unknown)
    Content-Length: 3075
    X-XSS-Protection: 0
    Connection: close
-
Traffic summary (bytes sent / received, packets sent / received)
- 104.21.48.1:80 (http), process JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe: 404 B / 1.3kB, 5 / 5
  HTTP Request: GET http://istockanalyst.com/12.jpg?sv=463&tq=gJ4WK%2FSUh5TBhRMw9YLJmMSTUivqg4aUxZJUK%2B%2FbxWq1SfkIYWBo
  HTTP Response: 301
- 142.250.187.196:80 (http): 302 B / 1.5kB, 5 / 5
  HTTP Request: GET http://www.google.com/
  HTTP Response: 302
- 142.250.187.196:80 (http): 307 B / 1.5kB, 5 / 5
  HTTP Request: GET http://www.google.com/
  HTTP Response: 302
- 142.250.187.196:80 (http), process JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe: 526 B / 3.7kB, 6 / 7
  HTTP Request: GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGJz1mrwGIjDHcsDdZc_Ws6JG4hdiludMJq8b0CwXb7X-zNy1QoMCwB3yHXlJt6vU-M6YH4aJIVIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
  HTTP Response: 429
- 8.8.8.8:53 (dns): 63 B / 175 B, 1 / 1
  DNS Request: istockanalyst.com
  DNS Response: 104.21.48.1, 104.21.64.1, 104.21.32.1, 104.21.16.1, 104.21.96.1, 104.21.112.1, 104.21.80.1
- 8.8.8.8:53 (dns): 69 B / 142 B, 1 / 1
  DNS Request: 5-da2.blogercontent.com
  DNS Response: no A records returned
- 8.8.8.8:53 (dns): 70 B / 143 B, 1 / 1
  DNS Request: 5xjj-a.wwwmediahosts.com
  DNS Response: no A records returned
- 8.8.8.8:53 (dns): 60 B / 76 B, 1 / 1
  DNS Request: www.google.com
  DNS Response: 142.250.187.196
- 8.8.8.8:53 (dns): 68 B / 141 B, 1 / 1
  DNS Request: kwgf.blogercontent.com
  DNS Response: no A records returned
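Of everything in the network section, the first outbound request is the one that translates into a rule: HTTP/1.0, a bare `User-Agent: chrome/9.0` (a real Chrome string begins `Mozilla/5.0 ...`), a `.jpg` path carrying a long base64-looking `tq` parameter, and nothing in the capture after the 301 to HTTPS. The plain `GET / HTTP/1.0` to www.google.com with no User-Agent at all is the sample's connectivity check and shares two of those traits. The Python below is an added example, not part of this report, that parses raw request text and lists which of these traits each request has; the two sample requests are copied from this report and the third is a constructed benign browser request for contrast. The "three or more traits" threshold and the base64 heuristic are assumptions chosen for this example.

```python
"""Added example: score raw HTTP requests for the beacon traits seen in
the sandbox report above. Not part of the report itself."""
import re
from urllib.parse import parse_qs, urlsplit

# Copied from the report: the sample's request to istockanalyst.com.
BEACON = """\
GET /12.jpg?sv=463&tq=gJ4WK%2FSUh5TBhRMw9YLJmMSTUivqg4aUxZJUK%2B%2FbxWq1SfkIYWBo HTTP/1.0
Connection: close
Host: istockanalyst.com
Accept: */*
User-Agent: chrome/9.0
"""

# Copied from the report: the sample's first connectivity check.
CONNECTIVITY = """\
GET / HTTP/1.0
Connection: close
Host: www.google.com
Accept: */*
"""

# Constructed for contrast (not from the report): what a browser actually sends.
BROWSER = """\
GET /images/logo.png HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: image/avif,image/webp,*/*
"""

REAL_UA = re.compile(r"^Mozilla/\d")                      # every mainstream browser UA starts this way
IMAGE_PATH = re.compile(r"\.(?:jpe?g|png|gif)$", re.I)      # "image" fetched with a query string
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9+/_-]{20,}={0,2}$")  # base64-like blob (assumed heuristic)


def parse_request(raw):
    """Split a raw request into its request line and a lower-cased header dict."""
    lines = raw.strip().splitlines()
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def beacon_traits(raw):
    """Return the list of beacon traits present in the request, in a fixed order."""
    req = parse_request(raw)
    traits = []
    ua = req["headers"].get("user-agent")
    if ua is None:
        traits.append("no User-Agent")
    elif not REAL_UA.match(ua):
        traits.append(f"non-browser User-Agent {ua!r}")
    if req["version"] == "HTTP/1.0":
        traits.append("HTTP/1.0")
    parts = urlsplit(req["target"])
    query = parse_qs(parts.query)   # also percent-decodes, so %2F and %2B become / and +
    if IMAGE_PATH.search(parts.path) and any(
        OPAQUE_VALUE.match(v) for values in query.values() for v in values
    ):
        traits.append("image path with opaque base64-like query value")
    return traits


def is_beacon_like(raw, threshold=3):
    """Assumed rule for this example: three or more traits is a beacon, two is worth a look."""
    return len(beacon_traits(raw)) >= threshold


if __name__ == "__main__":
    for name, raw in ("istockanalyst", BEACON), ("google", CONNECTIVITY), ("browser", BROWSER):
        print(name, is_beacon_like(raw), beacon_traits(raw))
```

The capture only shows the 301 redirecting to the HTTPS copy of the same URL; whether the sample followed it is not visible in this report, so the `tq` value is best treated as the client-side check-in rather than as evidence of a retrieved payload. The same traits apply to the request the report attributes to the sample even without the User-Agent, which is why the google check-in scores two rather than zero.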
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 996B
  MD5: f493b74835a32185f462b1043c88053d
  SHA1: bba33184509bc0fd253aef77fb10e5a67405fe63
  SHA256: 1482cd0cc046741ee9605a16871fb5962e82144f9f716c5cb3fd9cee1fc6545e
  SHA512: c8b700eb24e49a400cdc2cc9f84aa2fa005e127c68a7e1138f8ab0b00585cd6bdacd20c3e6bb4b76baef6427ade65a52e45d7daf5f7d6b001da9a1b9e8d4aaa0
- Filesize: 600B
  MD5: 50967216017d15fb2e9e9e24ab9694de
  SHA1: 581fbfcc4c688e47023f45ca09b4b494fd318aa3
  SHA256: 8076abc6044aad10c7597f33cb99bc9de2ec91cf1d1820446d837429542e2767
  SHA512: a13469e33896427e9d3bf202f1efd14c6b6eb27b99829814d3de63781242adff169b5d0a9d6b4f4525ab4c124a520a6cb0d5d3cdc82670c5dd50191c5f7a87d5
- Filesize: 1KB
  MD5: 5b9157075f34b701f48a6c7ccf5cf060
  SHA1: 6f38301dde30759c89eeac9498d87ff1a6f36502
  SHA256: 0d84809811de0d7ecc6eff0187dce59276cc4cb383144bc3b7c5b99a48308a84
  SHA512: e625eb068487d33d1136ed35e1fa55e012f92a54b26966a842a24e81b6e1381d4f149b1fc59e53b6d4ee15a03e072b8856ff3720af907d4db408013330d9feb4