Overview

overview

10

Static

static

3

JaffaCakes...6f.exe

windows7-x64

10

JaffaCakes...6f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-01-2025 12:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_56fb8a60bd63e00fb4f9c9c0708c8a6f.exe

  • Size

    273KB

  • MD5

    56fb8a60bd63e00fb4f9c9c0708c8a6f

  • SHA1

    60f38acf91d1ba5248dc497df6a502ea21993f06

  • SHA256

    140d47d09676bd6c84ad75d3ae07785c9729de0d3603bb7b4a789f7af1da568f

  • SHA512

    06d6a398230b18a39ebc4898da8245138c5b6030005a278042b0625d8c7d92b2f2f40f83c65efcf0580641f34f0799bea5d1c14c2b00c5535ed17fbc76988f5c

  • SSDEEP

    6144:oyH1hOETjx+j6dMzZ7wsnOw+sXUqdhqZCbBiLhuB:oE15Tj8eeTvAqdhqWM

Score
10/10
cycbotponybackdoorcredential_accessdiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

    backdoorratcycbot
  • Cycbot family
    cycbot
  • Detects Cycbot payload 7 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony family
    pony
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56fb8a60bd63e00fb4f9c9c0708c8a6f.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56fb8a60bd63e00fb4f9c9c0708c8a6f.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2408
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56fb8a60bd63e00fb4f9c9c0708c8a6f.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56fb8a60bd63e00fb4f9c9c0708c8a6f.exe startC:\Users\Admin\AppData\Roaming\4D6EF\AFE07.exe%C:\Users\Admin\AppData\Roaming\4D6EF
      2⤵
        PID:2808
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56fb8a60bd63e00fb4f9c9c0708c8a6f.exe
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56fb8a60bd63e00fb4f9c9c0708c8a6f.exe startC:\Program Files (x86)\EFD42\lvvm.exe%C:\Program Files (x86)\EFD42
        2⤵
          PID:1556
        • C:\Program Files (x86)\LP\0734\DA87.tmp
          "C:\Program Files (x86)\LP\0734\DA87.tmp"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2168
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2668
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2404

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Active Setup

      1
      T1547.014

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Active Setup

      1
      T1547.014

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Defense Evasion

      Modify Registry

      4
      T1112

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      3
      T1552

      Credentials In Files

      3
      T1552.001

      Discovery

      Query Registry

      2
      T1012

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\4D6EF\FD42.D6E
        Filesize

        696B

        MD5

        c02af78c71e0c2714c0c19947b8ce530

        SHA1

        2ee698d4457ed804d4ebe2091f383e3e13af601b

        SHA256

        63173a7f6d2785b176d8e9ba2e313776cad9ea3ccf2713dd8d91b491e7069c4c

        SHA512

        6c11a49541cae6bb5509a74a93c0fae12fc182a46a9bceb9fe9ad864c2f5da223c7b50fb80de377d596b68ebd547b528aaa18f8581ced96f743a3e4b7f84b001

        Download Submit

      • C:\Users\Admin\AppData\Roaming\4D6EF\FD42.D6E
        Filesize

        300B

        MD5

        3350a16b0b46d1b7abac704619cc3cad

        SHA1

        20a0bfb49246b066b07dc03003e1531ec5de018a

        SHA256

        bb89bedac15a5516ebc3ac4885236d837fbfc53be965088b935f08aca59d16b3

        SHA512

        6488959a27f61e6246db8f5786a7b0fdf73549e85cbfb426cec09a5f0581bcb88ad9c589cf49d5cc4073c5a71a2259fe097a6430ce81352a171171fb7aa77d05

        Download Submit

      • C:\Users\Admin\AppData\Roaming\4D6EF\FD42.D6E
        Filesize

        1KB

        MD5

        7b460502575ed3b7a47a9239db8080b7

        SHA1

        6ad24ef3e4274c6b24f395edb09a4dbd213a05e7

        SHA256

        ab31341a9d2607d4562497b017973e1b467ff456c6ebfc21d9985aca74e367e8

        SHA512

        e15172b28a83707707de193b0c078991bc5d49f323426c4733b9983191251644de3b7eef939923f83adfa98d675991a0d8ee2145aae1e624849fb271670c1791

        Download Submit

      • C:\Users\Admin\AppData\Roaming\4D6EF\FD42.D6E
        Filesize

        1KB

        MD5

        8061e2c106510e4d24b6373a2f80cb46

        SHA1

        4b3620d1f3d16fea7e99a78dd013697166fe624e

        SHA256

        e0960fbfd54ad656d17a0ab7d50a83ae97d4876f83067b1f9882e563e39625c5

        SHA512

        63e0594062e21b98f1e5d8700240ab2fef9bdddd7e8154055d1e693ec0de12e5553b0ac45b170b59c5fafb20cf258a5c6afb7025ef3dd7102bf186f21ac660bf

        Download Submit

      • \Program Files (x86)\LP\0734\DA87.tmp
        Filesize

        97KB

        MD5

        7ed57812afe5eb758136beab427c5b8e

        SHA1

        da347ebe4068a2d7c33ae732272ff2acad2f5279

        SHA256

        7e9f6353251602f7b674ed3717464181593920f688a3dbd0bfbae8218878d6a5

        SHA512

        568b895d92ae48dc9e43f1a4170a1d18cf73dac553ebe520d58e4cf2dad11c7d14a01aadae9384d64d4a7d34a0359a065a1710a3ed53c2eb803d4752b4e8b7fb

        Download Submit

      • memory/1556-113-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/1556-114-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2168-236-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2408-111-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2408-0-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2408-11-0x0000000000400000-0x0000000000467000-memory.dmp

        Filesize

        412KB

        Download

      • memory/2408-9-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2408-235-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2408-3-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2408-2-0x0000000000400000-0x0000000000467000-memory.dmp

        Filesize

        412KB

        Download

      • memory/2408-294-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2808-14-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2808-12-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download