Overview

overview

10

Static

static

3

JaffaCakes...9f.exe

windows7-x64

10

JaffaCakes...9f.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f

  • Size

    173KB

  • Sample

    250117-zxekystmgl

  • MD5

    975e4eb479cee6e64db95f92ba16b09f

  • SHA1

    454ed006f79e3fcd5c7cbc6990804f577e21f770

  • SHA256

    1d2eb7fcf146e5a44450a0bcabd9d236cab78e3f68b4d835447ccc3d492a9b2d

  • SHA512

    b4c3e0fe8cd2411e0b158bb99933bf1028fceabbde38de1008f9a4fc9534e441ce160bf2081b64f3901b6038ca53974d2358d431373c7b3406ec58b90cdeae1b

  • SSDEEP

    3072:mWaxnaAF8CFG+a8oaLbkTukdxNPvuOffLL9NAt412s0gWzCEwSX7fXyr:/axaU4+aHTuqvuOffLhNAS2s0dCE/LfK

Score
10/10
cycbotbackdoordiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Targets

    • Target

      JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f

    • Size

      173KB

    • MD5

      975e4eb479cee6e64db95f92ba16b09f

    • SHA1

      454ed006f79e3fcd5c7cbc6990804f577e21f770

    • SHA256

      1d2eb7fcf146e5a44450a0bcabd9d236cab78e3f68b4d835447ccc3d492a9b2d

    • SHA512

      b4c3e0fe8cd2411e0b158bb99933bf1028fceabbde38de1008f9a4fc9534e441ce160bf2081b64f3901b6038ca53974d2358d431373c7b3406ec58b90cdeae1b

    • SSDEEP

      3072:mWaxnaAF8CFG+a8oaLbkTukdxNPvuOffLL9NAt412s0gWzCEwSX7fXyr:/axaU4+aHTuqvuOffLhNAS2s0dCE/LfK

    Score
    10/10
    cycbotbackdoordiscoveryevasionpersistenceratspywarestealerupx

    • Cycbot

      Cycbot is a backdoor and trojan written in C++..

      backdoorratcycbot

    • Cycbot family

      cycbot

    • Detects Cycbot payload

      Cycbot is a backdoor and trojan written in C++.

    • Modifies security service

      evasion

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Disables taskbar notifications via registry modification

      evasion

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Modify Registry

5
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

3
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks