Overview

overview

10

Static

static

3

JaffaCakes...c3.exe

windows7-x64

10

JaffaCakes...c3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-01-2025 03:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_4ba75e78ae2bf5403530a4ecc083c1c3.exe

  • Size

    165KB

  • MD5

    4ba75e78ae2bf5403530a4ecc083c1c3

  • SHA1

    28118be5be0eb63cd02b0941328449bb92da747d

  • SHA256

    1d9e42c7b932afa13ae0fae436f458e96898d27e5d1e54b479fc76ba53d97bee

  • SHA512

    609da943c6a6b116179e890985a162dcfe8b27f959c6e06db5a92d00990e2dce18be864b0ada7b810d3e4e0965dc34342f2d446596e15808d4b1e184f7c07d92

  • SSDEEP

    3072:hMMbRiYdtr+FnuJ2PaCZwXPlbPXHVO2oBvQ6xNDCnz1dShLeA184Uum9xVp:hzb0Ydp3Ehih1PoBI6HDw11A184UTxV

Score
10/10
cycbotbackdoordiscoverypersistenceratupx

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

    backdoorratcycbot
  • Cycbot family
    cycbot
  • Detects Cycbot payload 6 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ba75e78ae2bf5403530a4ecc083c1c3.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ba75e78ae2bf5403530a4ecc083c1c3.exe"
    1⤵
    • Modifies WinLogon for persistence
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4996
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ba75e78ae2bf5403530a4ecc083c1c3.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ba75e78ae2bf5403530a4ecc083c1c3.exe startC:\Program Files (x86)\LP\9E9B\1E6.exe%C:\Program Files (x86)\LP\9E9B
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1368
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ba75e78ae2bf5403530a4ecc083c1c3.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ba75e78ae2bf5403530a4ecc083c1c3.exe startC:\Program Files (x86)\B9607\lvvm.exe%C:\Program Files (x86)\B9607
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3312

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\BDDB9\9607.DDB
    Filesize

    996B

    MD5

    26b705071d0ccebe5e5cc32a55867ffc

    SHA1

    a9bb67ce226e0f10a189f2bbd75abc17d38ae5f1

    SHA256

    794fd0fde0de6c66be4910ecdcbfa94bd06f0f833d69fef2f4205dd61b0ce068

    SHA512

    e488418a679d582a7a860f33970ba22e3d011dedd277830418243c9433efafd93c3bf65e2627940ca8db7637fcbc56e1d3efbcfb3385ea107dff151497197362

    Download Submit

  • C:\Users\Admin\AppData\Roaming\BDDB9\9607.DDB
    Filesize

    600B

    MD5

    b3d862b42b766a07a544c5129454e66c

    SHA1

    7d8a1da0d4b6dd0f14417306c6224a720cdca740

    SHA256

    38ad8819eb274937041a51c0ccbd7273ac91406d2d66e52197953c53d6ffd898

    SHA512

    0951d38ae604c054dbfaf218278fe81d24d98dacd8bcbc1e5a211ecd9c1f3c8fe813678b15a4b8417afc5851ba74efc1a23b9074abf5a23968a031309c7dcbdf

    Download Submit

  • C:\Users\Admin\AppData\Roaming\BDDB9\9607.DDB
    Filesize

    1KB

    MD5

    f5469e9a9b1c9c7dedad7ae0e5bf8788

    SHA1

    22acbc2992c5e73acb38370e33e8deb875e36b6d

    SHA256

    e6167e586a4ac708c62d7c5e488592e322174840bbe83eb36853f24d3818a698

    SHA512

    b159a7e6c7c4634db2bfbf61a17efb8ee2ac1a1cb88a9a58efef50feeea76c717da5f166f37645984f29910d7e8adb56106811d84ec84df1af6c37e417a9993e

    Download Submit

  • memory/1368-18-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download

  • memory/1368-14-0x0000000074EA0000-0x0000000074ED9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1368-17-0x0000000074EA0000-0x0000000074ED9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/3312-130-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download

  • memory/3312-125-0x0000000074EA0000-0x0000000074ED9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/3312-127-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download

  • memory/3312-129-0x0000000074EA0000-0x0000000074ED9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4996-19-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/4996-20-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download

  • memory/4996-4-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download

  • memory/4996-0-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download

  • memory/4996-131-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download

  • memory/4996-3-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/4996-1-0x0000000074EA0000-0x0000000074ED9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4996-293-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download

  • memory/4996-294-0x0000000074EA0000-0x0000000074ED9000-memory.dmp

    Filesize

    228KB

    Download