Overview

overview

10

Static

static

3

JaffaCakes...26.exe

windows7-x64

10

JaffaCakes...26.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-01-2025 11:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_561bcf19d75874021b13e56e58071f26.exe

  • Size

    283KB

  • MD5

    561bcf19d75874021b13e56e58071f26

  • SHA1

    37656c0c2de3d1688ca572004f36cd4f0268c321

  • SHA256

    2849a88cb4abfa16c08faa60dd7dd86c004aa325aa71a20f7606a7f88f94c3ec

  • SHA512

    fc0dd95af931efbe16a001539107907450480782ed78974cf02d48b64dcd501ff33b323c519defba8846b5636cbcc2d72f19171ccbe22be1514030c18d011e2c

  • SSDEEP

    6144:uFeBlDB5jsbJFlhWgFEYCcG6afRuHngSKZgMZvsihf4:uFeBRDjsbJDpFE96GkjKZPbg

Score
10/10
cycbotponybackdoorcredential_accessdiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

    backdoorratcycbot
  • Cycbot family
    cycbot
  • Detects Cycbot payload 8 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony family
    pony
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_561bcf19d75874021b13e56e58071f26.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_561bcf19d75874021b13e56e58071f26.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2492
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_561bcf19d75874021b13e56e58071f26.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_561bcf19d75874021b13e56e58071f26.exe startC:\Users\Admin\AppData\Roaming\DE7E3\94FC8.exe%C:\Users\Admin\AppData\Roaming\DE7E3
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1396
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_561bcf19d75874021b13e56e58071f26.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_561bcf19d75874021b13e56e58071f26.exe startC:\Program Files (x86)\E3282\lvvm.exe%C:\Program Files (x86)\E3282
      2⤵
      • System Location Discovery: System Language Discovery
      PID:888
    • C:\Program Files (x86)\LP\C88D\2B16.tmp
      "C:\Program Files (x86)\LP\C88D\2B16.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2196
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1840
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Modify Registry

4
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Query Registry

2
T1012

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\DE7E3\3282.E7E
    Filesize

    696B

    MD5

    56ccb99963a436978a3800910b28b7a8

    SHA1

    97c4ef97cce5b2fc50b9cb368d8d88bff5dbad17

    SHA256

    41bac384d5c77d2129b09fa771dbf92a6e205e82c0682f9fae237c042614b25d

    SHA512

    ae5e7df4d1d8703f48a729f7e8e58c457d1e5b60b659a888a246505d62b2eb509527698ccb683370c2848d23dad727a091cc57013773502775aef279b728b632

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DE7E3\3282.E7E
    Filesize

    300B

    MD5

    7086704a81b634ac08895cdce7c580cd

    SHA1

    b5c9e8e10b74ceee41ceadb3e30fd3b50d0beb82

    SHA256

    f290958f3f974780aaa431cba6155871d057fabb540f6ba5d619b75aa5b2d9e4

    SHA512

    816fe6be04f31213cf3628c9b8feeb0ed0830775603ea5622156ceba87341b6faf25a03c0a1e733b97e940fc7f64dabba95619558e7cd9b9e9451ce885b116b6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DE7E3\3282.E7E
    Filesize

    1KB

    MD5

    68dd5068a378526996651d12a41020ca

    SHA1

    a91f49d0e1d71b64a756c6cdc936fd090a127cf4

    SHA256

    3827e48b5f7c733d9deb05ccbf43af870dd758106643ad26a86af59b0961ca66

    SHA512

    ca821271aa6757376bca8af81a83cec73a8a08805a68da4cca9730a8bf25fa35e02d2dfee99443f524f044c7990b8b97ba50a3f8b5732be81e7e3aff5ae235cb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DE7E3\3282.E7E
    Filesize

    1KB

    MD5

    6d442ea9142178f56d0e28007e7f0826

    SHA1

    8015fc47ddc9bb03d6cbd5c5bcce23acceaa353b

    SHA256

    c51f75a593073408317325f57e73b16ad40a20bf5992a8300689056027620a74

    SHA512

    4f7d9ec955148f0611753a437f153d0dc1cc6c1dbff059fdd5fb83e55ccad48ddd2834664ce0e3b36b34cae18e5ea78a4b9257f6e05064e6e48e5baf49db89cc

    Download Submit

  • \Program Files (x86)\LP\C88D\2B16.tmp
    Filesize

    100KB

    MD5

    8659e2fdb286421874e997e5b1d56ae4

    SHA1

    e3b46183011a317dd80baf92ff9ef1b2da53cc05

    SHA256

    80ceedded02c13a9c4ade2d2242b2bb295bc122b5c7c0f6b3332b0f4fceae2b8

    SHA512

    ae12fd737c0a6f765ebe7a6e312230220e5fb79d42c1478a6f00edf5e67b6dec201aee90d3082b7817726c6501c7c94ce4a8eab72b2a00547bfdc382bbf2a8dc

    Download Submit

  • memory/888-124-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/888-126-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/888-123-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/1396-12-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/1396-122-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/1396-9-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2196-248-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2492-1-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

    Download

  • memory/2492-120-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2492-11-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

    Download

  • memory/2492-7-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2492-247-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2492-2-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2492-293-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download