Analysis
- max time kernel: 140s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 18-01-2025 01:21
- Static task: static1
- Behavioral task: behavioral1
  - Sample: JaffaCakes118_9c084643ea35347f4caffb2faed788dd.exe
  - Resource: win7-20240903-en
- Behavioral task: behavioral2
  - Sample: JaffaCakes118_9c084643ea35347f4caffb2faed788dd.exe
  - Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_9c084643ea35347f4caffb2faed788dd.exe
- Size: 188KB
- MD5: 9c084643ea35347f4caffb2faed788dd
- SHA1: b722f3041ad0ac0140d84e0ba844621459de1e0d
- SHA256: 4f37e103fecbc46d2551227ba4057794cb25ea637c567de209d8aa2d8886eb6a
- SHA512: f24a01459a40ed35850621e3c97b496642a8d3daeb4fa3335ce9d529c56ddc2ccd60eca0412bca47b8b05953163224fdaff2442ebdc710dc03818a7f32d5af25
- SSDEEP: 3072:TkPtPMf8xixTij41SZnzTfjAFNn1QdZM9IO6y+u9wDeJi77xCiXV5+1vt/FaVe67:TkVPM+KI1zjjPdZMxFg7hWFtYDH6WGuG
Malware Config
Signatures
- Cycbot family
- Detects Cycbot payload (5 IoCs)
  Cycbot is a backdoor and trojan written in C++.
  resource                                                                      yara_rule
  behavioral1/memory/2444-13-0x0000000000400000-0x000000000044B000-memory.dmp   family_cycbot
  behavioral1/memory/2532-14-0x0000000000400000-0x000000000044B000-memory.dmp   family_cycbot
  behavioral1/memory/2532-73-0x0000000000400000-0x000000000044B000-memory.dmp   family_cycbot
  behavioral1/memory/1036-77-0x0000000000400000-0x000000000044B000-memory.dmp   family_cycbot
  behavioral1/memory/2532-178-0x0000000000400000-0x000000000044B000-memory.dmp  family_cycbot
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                 Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"  JaffaCakes118_9c084643ea35347f4caffb2faed788dd.exe
- UPX packed file (8 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2532-2-0x0000000000400000-0x000000000044B000-memory.dmp    upx
  behavioral1/memory/2444-12-0x0000000000400000-0x000000000044B000-memory.dmp   upx
  behavioral1/memory/2444-13-0x0000000000400000-0x000000000044B000-memory.dmp   upx
  behavioral1/memory/2532-14-0x0000000000400000-0x000000000044B000-memory.dmp   upx
  behavioral1/memory/2532-73-0x0000000000400000-0x000000000044B000-memory.dmp   upx
  behavioral1/memory/1036-75-0x0000000000400000-0x000000000044B000-memory.dmp   upx
  behavioral1/memory/1036-77-0x0000000000400000-0x000000000044B000-memory.dmp   upx
  behavioral1/memory/2532-178-0x0000000000400000-0x000000000044B000-memory.dmp  upx
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_9c084643ea35347f4caffb2faed788dd.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                          pid   Process                                             procid_target
  PID 2532 wrote to memory of 2444     2532  JaffaCakes118_9c084643ea35347f4caffb2faed788dd.exe  30
  PID 2532 wrote to memory of 2444     2532  JaffaCakes118_9c084643ea35347f4caffb2faed788dd.exe  30
  PID 2532 wrote to memory of 2444     2532  JaffaCakes118_9c084643ea35347f4caffb2faed788dd.exe  30
  PID 2532 wrote to memory of 2444     2532  JaffaCakes118_9c084643ea35347f4caffb2faed788dd.exe  30
  PID 2532 wrote to memory of 1036     2532  JaffaCakes118_9c084643ea35347f4caffb2faed788dd.exe  33
  PID 2532 wrote to memory of 1036     2532  JaffaCakes118_9c084643ea35347f4caffb2faed788dd.exe  33
  PID 2532 wrote to memory of 1036     2532  JaffaCakes118_9c084643ea35347f4caffb2faed788dd.exe  33
  PID 2532 wrote to memory of 1036     2532  JaffaCakes118_9c084643ea35347f4caffb2faed788dd.exe  33
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c084643ea35347f4caffb2faed788dd.exe (PID 2532)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c084643ea35347f4caffb2faed788dd.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c084643ea35347f4caffb2faed788dd.exe (PID 2444)
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c084643ea35347f4caffb2faed788dd.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  - child: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c084643ea35347f4caffb2faed788dd.exe (PID 1036)
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c084643ea35347f4caffb2faed788dd.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
Network
MITRE ATT&CK Enterprise v15
Downloads