Analysis
-
max time kernel
140s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
18-01-2025 13:59
General
-
Target
JaffaCakes118_abad1d179916bad69094217be2010b58.exe
-
Size
272KB
-
MD5
abad1d179916bad69094217be2010b58
-
SHA1
2aa7e41a008ea652384a7bd7d9cf3767c14302c4
-
SHA256
1ff6c315a7135fcc10a22121552f1f089ba84ce8bac2e5423de66552fa6edeea
-
SHA512
7f8b18d21f9acc8ae59684fe03b39b14966a0aad2ea85b89202e16640492c03f180eb3f1d8671e624b5eb227b6d8c27e21f7b8a5798b39f2ab6f084760110bfb
-
SSDEEP
6144:qketg7C9wDUh0HbHlYvKC55cMngWc7QzNivNBLvmm4mXgUzcAHou:qc26DU6DlYSC55bngONsfnfztHp
Malware Config
Signatures
-
Cycbot
Cycbot is a backdoor and trojan written in C++..
-
Cycbot family
-
Detects Cycbot payload 7 IoCs
Cycbot is a backdoor and trojan written in C++.
-
Modifies security service 2 TTPs 1 IoCs
-
Pony family
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 17 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_abad1d179916bad69094217be2010b58.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_abad1d179916bad69094217be2010b58.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_abad1d179916bad69094217be2010b58.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_abad1d179916bad69094217be2010b58.exe startC:\Users\Admin\AppData\Roaming\EA9F1\BE40F.exe%C:\Users\Admin\AppData\Roaming\EA9F12⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_abad1d179916bad69094217be2010b58.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_abad1d179916bad69094217be2010b58.exe startC:\Program Files (x86)\F102F\lvvm.exe%C:\Program Files (x86)\F102F2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\LP\0FDE\4911.tmp"C:\Program Files (x86)\LP\0FDE\4911.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
996B
MD5b47809ae3ce512a099749e1d573505b0
SHA1bc704746602522eb9786ba8afa115d92bcfa387e
SHA256d1616f6f50d91e91e892edf42efdc4ccf340b99e652ba208d70b7e41876d9782
SHA512d4fe0d942d8787b9f6d0fa47e0915f4291a78a73a526aa03441ec1334ed182041e5178ba950df3fa5d282d53ee29fbde0c14bd6f2678cd75a64f5b34ca725b56
-
Filesize
600B
MD5a98e73a5450d5e51c942672962cfcb03
SHA12b302f005c3965598b6d2332ae6bb3963db782ec
SHA256f32b3b41758f0d2d5e5eca8e4dba7a8e698cb08412be4e8411e2b1d74fd0057d
SHA512fc006eac777ce3cfd112cc3562e3adb2800c82866d24f15384b2fd71bbc006592bb8f09d22698a3eb8212eb656124a2ca65d641fb8abccb00177ba60386ef038
-
Filesize
96KB
MD5a26219a94cdad7b6977c8d8e8464c262
SHA141b54268d8f67973e640395f1940238e915e4521
SHA2567acab258a6879bf9bb647ead7beb4d32e36334d16c49fc0642ac61cf25413866
SHA5124cf35e7c7211a4fe7b210b70394a31a812f9663a516c9eb54c9c1b73acee18bd37fffe2abe54149e6b450b9adbbe89cff53a3ef1b1ff1a90d39d09b16de1d75d
-
Filesize
108KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB