Analysis

  • max time kernel
    141s
  • max time network
    70s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/01/2025, 19:26 UTC

General

  • Target

    JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe

  • Size

    187KB

  • MD5

    439fa8e7368ee82bacc8e9dfb93153ce

  • SHA1

    bf95486af9518ae3c207f1bcb7c2be2c02ffe54f

  • SHA256

    113e4bc5259272347a7aa39e0a172317f01a14814c3359cbeddc144e7f16a236

  • SHA512

    504aac164a6127a3a0df92f67f2247bcf3bf6f3f985e6e53061a93de8131e356cd091f29a145d101760623903750c39c3e44569b0b734c8a9353b037ce9c89d5

  • SSDEEP

    3072:EiEwWW0AYX9dbOKLCNh072GeTm9sZuKp2nPSqgPXWL+T5hC:EiE97diKeCa52Cth

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe startC:\Program Files (x86)\LP\4E62\5DC.exe%C:\Program Files (x86)\LP\4E62
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2712
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe startC:\Users\Admin\AppData\Roaming\2E0C0\1A84E.exe%C:\Users\Admin\AppData\Roaming\2E0C0
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1468

Network

  • flag-us
    DNS
    istockanalyst.com
    JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
    Remote address:
    8.8.8.8:53
    Request
    istockanalyst.com
    IN A
    Response
    istockanalyst.com
    IN A
    104.21.48.1
    istockanalyst.com
    IN A
    104.21.64.1
    istockanalyst.com
    IN A
    104.21.32.1
    istockanalyst.com
    IN A
    104.21.16.1
    istockanalyst.com
    IN A
    104.21.96.1
    istockanalyst.com
    IN A
    104.21.112.1
    istockanalyst.com
    IN A
    104.21.80.1
  • flag-us
    GET
    http://istockanalyst.com/12.jpg?sv=463&tq=gJ4WK%2FSUh5TBhRMw9YLJmMSTUivqg4aUxZJUK%2B%2FbxWq1SfkIYWBo
    JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
    Remote address:
    104.21.48.1:80
    Request
    GET /12.jpg?sv=463&tq=gJ4WK%2FSUh5TBhRMw9YLJmMSTUivqg4aUxZJUK%2B%2FbxWq1SfkIYWBo HTTP/1.0
    Connection: close
    Host: istockanalyst.com
    Accept: */*
    User-Agent: chrome/9.0
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Tue, 14 Jan 2025 19:26:23 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: close
    Cache-Control: max-age=3600
    Expires: Tue, 14 Jan 2025 20:26:23 GMT
    Location: https://istockanalyst.com/12.jpg?sv=463&tq=gJ4WK%2FSUh5TBhRMw9YLJmMSTUivqg4aUxZJUK%2B%2FbxWq1SfkIYWBo
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zn2qUW9z4Pz0ujGO4UfmZoaHswndFdoywQKwb%2BzjN6HV39iTDCXG%2FKXPIo1q99LGJgMZDgx8OEZmWbK3luFnrUkJIfysBhcImvYErTyUsgSxmvALetKDEHdxBeoVGs69GnikkQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90200475ecd5e908-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=39542&min_rtt=39542&rtt_var=19771&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=174&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  • flag-us
    DNS
    5-da2.blogercontent.com
    JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
    Remote address:
    8.8.8.8:53
    Request
    5-da2.blogercontent.com
    IN A
    Response
  • flag-us
    DNS
    5xjj-a.wwwmediahosts.com
    JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
    Remote address:
    8.8.8.8:53
    Request
    5xjj-a.wwwmediahosts.com
    IN A
    Response
  • flag-us
    DNS
    www.google.com
    JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
    Remote address:
    8.8.8.8:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    142.250.187.196
  • flag-gb
    GET
    http://www.google.com/
    JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
    Remote address:
    142.250.187.196:80
    Request
    GET / HTTP/1.0
    Connection: close
    Host: www.google.com
    Accept: */*
    Response
    HTTP/1.0 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGJv1mrwGIjAnSIv4ciloe0XbUL7F_4PwWgFzr6J55fl_BI-UPEq4uBZVDj93oEceCgU6yN2Eun4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwIm_WavAYQt-r_1gMSBLXXsFM
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-VrEAStYyOocURV32Coictg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Tue, 14 Jan 2025 19:27:23 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-VUWYRMcbBtkUEoUVOcLYWPl05BmoLXe1GxJdAR1AxW3uJiWLqqN-U; expires=Sun, 13-Jul-2025 19:27:23 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
  • flag-us
    DNS
    kwgf.blogercontent.com
    JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
    Remote address:
    8.8.8.8:53
    Request
    kwgf.blogercontent.com
    IN A
    Response
  • flag-gb
    GET
    http://www.google.com/
    JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
    Remote address:
    142.250.187.196:80
    Request
    GET / HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
    Response
    HTTP/1.1 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGJz1mrwGIjDHcsDdZc_Ws6JG4hdiludMJq8b0CwXb7X-zNy1QoMCwB3yHXlJt6vU-M6YH4aJIVIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwInPWavAYQiJu4mgISBLXXsFM
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-BZ38cgxgJcEzR7oRlzhyyQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Tue, 14 Jan 2025 19:27:24 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-XPWPPGBgInCu-JXlGOVX6SS_5g6zfHkmIrUwE_46bqtyekaaHC_Q; expires=Sun, 13-Jul-2025 19:27:24 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
    Connection: close
  • flag-gb
    GET
    http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGJz1mrwGIjDHcsDdZc_Ws6JG4hdiludMJq8b0CwXb7X-zNy1QoMCwB3yHXlJt6vU-M6YH4aJIVIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
    Remote address:
    142.250.187.196:80
    Request
    GET /sorry/index?continue=http://www.google.com/&q=EgS117BTGJz1mrwGIjDHcsDdZc_Ws6JG4hdiludMJq8b0CwXb7X-zNy1QoMCwB3yHXlJt6vU-M6YH4aJIVIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
    Response
    HTTP/1.1 429 Too Many Requests
    Date: Tue, 14 Jan 2025 19:27:24 GMT
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Content-Type: text/html
    Server: HTTP server (unknown)
    Content-Length: 3075
    X-XSS-Protection: 0
    Connection: close
  • 104.21.48.1:80
    http://istockanalyst.com/12.jpg?sv=463&tq=gJ4WK%2FSUh5TBhRMw9YLJmMSTUivqg4aUxZJUK%2B%2FbxWq1SfkIYWBo
    http
    JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
    404 B
    1.3kB
    5
    5

    HTTP Request

    GET http://istockanalyst.com/12.jpg?sv=463&tq=gJ4WK%2FSUh5TBhRMw9YLJmMSTUivqg4aUxZJUK%2B%2FbxWq1SfkIYWBo

    HTTP Response

    301
  • 142.250.187.196:80
    http://www.google.com/
    http
    JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
    302 B
    1.5kB
    5
    5

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 142.250.187.196:80
    http://www.google.com/
    http
    JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
    307 B
    1.5kB
    5
    5

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 127.0.0.1:56162
    JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
  • 127.0.0.1:56162
    JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
  • 142.250.187.196:80
    http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGJz1mrwGIjDHcsDdZc_Ws6JG4hdiludMJq8b0CwXb7X-zNy1QoMCwB3yHXlJt6vU-M6YH4aJIVIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    http
    JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
    526 B
    3.7kB
    6
    7

    HTTP Request

    GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGJz1mrwGIjDHcsDdZc_Ws6JG4hdiludMJq8b0CwXb7X-zNy1QoMCwB3yHXlJt6vU-M6YH4aJIVIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

    HTTP Response

    429
  • 8.8.8.8:53
    istockanalyst.com
    dns
    JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
    63 B
    175 B
    1
    1

    DNS Request

    istockanalyst.com

    DNS Response

    104.21.48.1
    104.21.64.1
    104.21.32.1
    104.21.16.1
    104.21.96.1
    104.21.112.1
    104.21.80.1

  • 8.8.8.8:53
    5-da2.blogercontent.com
    dns
    JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
    69 B
    142 B
    1
    1

    DNS Request

    5-da2.blogercontent.com

  • 8.8.8.8:53
    5xjj-a.wwwmediahosts.com
    dns
    JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
    70 B
    143 B
    1
    1

    DNS Request

    5xjj-a.wwwmediahosts.com

  • 8.8.8.8:53
    www.google.com
    dns
    JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    142.250.187.196

  • 8.8.8.8:53
    kwgf.blogercontent.com
    dns
    JaffaCakes118_439fa8e7368ee82bacc8e9dfb93153ce.exe
    68 B
    141 B
    1
    1

    DNS Request

    kwgf.blogercontent.com

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\2E0C0\07DE.E0C

    Filesize

    996B

    MD5

    f493b74835a32185f462b1043c88053d

    SHA1

    bba33184509bc0fd253aef77fb10e5a67405fe63

    SHA256

    1482cd0cc046741ee9605a16871fb5962e82144f9f716c5cb3fd9cee1fc6545e

    SHA512

    c8b700eb24e49a400cdc2cc9f84aa2fa005e127c68a7e1138f8ab0b00585cd6bdacd20c3e6bb4b76baef6427ade65a52e45d7daf5f7d6b001da9a1b9e8d4aaa0

  • C:\Users\Admin\AppData\Roaming\2E0C0\07DE.E0C

    Filesize

    600B

    MD5

    50967216017d15fb2e9e9e24ab9694de

    SHA1

    581fbfcc4c688e47023f45ca09b4b494fd318aa3

    SHA256

    8076abc6044aad10c7597f33cb99bc9de2ec91cf1d1820446d837429542e2767

    SHA512

    a13469e33896427e9d3bf202f1efd14c6b6eb27b99829814d3de63781242adff169b5d0a9d6b4f4525ab4c124a520a6cb0d5d3cdc82670c5dd50191c5f7a87d5

  • C:\Users\Admin\AppData\Roaming\2E0C0\07DE.E0C

    Filesize

    1KB

    MD5

    5b9157075f34b701f48a6c7ccf5cf060

    SHA1

    6f38301dde30759c89eeac9498d87ff1a6f36502

    SHA256

    0d84809811de0d7ecc6eff0187dce59276cc4cb383144bc3b7c5b99a48308a84

    SHA512

    e625eb068487d33d1136ed35e1fa55e012f92a54b26966a842a24e81b6e1381d4f149b1fc59e53b6d4ee15a03e072b8856ff3720af907d4db408013330d9feb4

  • memory/1468-145-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/1468-147-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/2236-16-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/2236-1-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/2236-15-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/2236-2-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/2236-322-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/2712-14-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/2712-12-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/2712-11-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB
