Overview

overview

10

Static

static

3

JaffaCakes...47.exe

windows7-x64

10

JaffaCakes...47.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    141s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-01-2025 11:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_74ce5b017a38597f7f82f49d108eb747.exe

  • Size

    165KB

  • MD5

    74ce5b017a38597f7f82f49d108eb747

  • SHA1

    73dafc8339923aa6589baf546917bf797b35e406

  • SHA256

    210e53389f31229737bff81b5d7959563e311c8f718ff439035a31da3c3b8a8c

  • SHA512

    8b14b2b4b48ec4949d1fef77cd4b7a0280c08092c06dd214e812db7fc1ba29a7e614690ceb599720a0d008ba52f90d24933517917db6e28f55092f3cd6c51cf0

  • SSDEEP

    3072:rDSpSLmyts3JgpAOV2E/RhNpgULX8LHodser6D8g8tFlr7pJa8ihWIpRq5M:niSLmytGJ+VX/lpgUILIdX6P8J5Ja8I1

Score
10/10
cycbotbackdoordiscoverypersistenceratspywarestealerupx

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

    backdoorratcycbot
  • Cycbot family
    cycbot
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_74ce5b017a38597f7f82f49d108eb747.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_74ce5b017a38597f7f82f49d108eb747.exe"
    1⤵
    • Modifies WinLogon for persistence
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_74ce5b017a38597f7f82f49d108eb747.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_74ce5b017a38597f7f82f49d108eb747.exe startC:\Program Files (x86)\LP\327E\D5E.exe%C:\Program Files (x86)\LP\327E
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2712
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_74ce5b017a38597f7f82f49d108eb747.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_74ce5b017a38597f7f82f49d108eb747.exe startC:\Program Files (x86)\1C87D\lvvm.exe%C:\Program Files (x86)\1C87D
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1800

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\E251C\C87D.251
    Filesize

    1KB

    MD5

    ad29fb2f90300dec086e5a285c3add41

    SHA1

    5307850da5fcbaf0efd6f97826efa80f734da180

    SHA256

    0e8709369726b6959420551ab8db281dba205d78f6feeaca8385609b683099e3

    SHA512

    9da6f2486181f6696d2188fa23767ae9790960c206b94325091b8dae140b5c3638f901aa0de15760f4d07ce14b091c70986c0bd0c93004ae15ba18844fe08d75

    Download Submit

  • C:\Users\Admin\AppData\Roaming\E251C\C87D.251
    Filesize

    897B

    MD5

    08f6dfc3689fa64b561735b54b7d2967

    SHA1

    147dc4630baa5fd8a25db1e3bf9faf151d9754a2

    SHA256

    a057d3da88e0a1ddb357004d4fe8157dc73d59bd498eeb4e43d5fa89ba4d8a8e

    SHA512

    60bd19f8f9c92c32d8febd3aba987e0d084838534b5d10ad8b5e22fc6c331b60b691820ed9e05439472687f754aded82224839b45ac25e914d5b44ebcd67e580

    Download Submit

  • C:\Users\Admin\AppData\Roaming\E251C\C87D.251
    Filesize

    1KB

    MD5

    a078ae8243263c905491e98c42f9d352

    SHA1

    2fdbd7466bd8f38c9a0216b1b4cdea553a0420c5

    SHA256

    6a051aa0a73816f35e7bd8a21f6e08bd8b4434454a8024dfb8b0cb58d879c131

    SHA512

    582aca72feec9a5e20761f596cef6bcac8c39a665375c85e95a40e4539230afd6cff27fb085a3b8162b770a3924f68087a7c0432931ca6c8801bb2117c4e1d80

    Download Submit

  • C:\Users\Admin\AppData\Roaming\E251C\C87D.251
    Filesize

    597B

    MD5

    0e92a6ef92c12e00718ebc96858c00bf

    SHA1

    b180fbf5bf02a66bc9850832731c89a681bc896f

    SHA256

    9079874df00cbf91476e62bf8a1233abeb6275017df99b59a345b4e45502d110

    SHA512

    ef049715c0f413005be0389fefc0a90c58f67220816aac54cd53116ca9abc2392a44d7d059be487aed60e8606ae072d2d3b04428dc5101a1e7ef1ec6ea772979

    Download Submit

  • memory/1800-132-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/2284-0-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/2284-18-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/2284-133-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/2284-303-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/2712-17-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download