Malware Analysis Report

2025-08-11 04:38

Sample ID 250119-pge7faxncr
Target JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5
SHA256 7c7d055be8d49ca1adc1d7c18b1a9f7d4946e31b1a8b083535eac9347d15e72a
Tags
cycbot backdoor discovery rat spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7c7d055be8d49ca1adc1d7c18b1a9f7d4946e31b1a8b083535eac9347d15e72a

Threat Level: Known bad

The file JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5 was found to be: Known bad.

Malicious Activity Summary

cycbot backdoor discovery rat spyware stealer upx

Cycbot family

Detects Cycbot payload

Cycbot

Reads user/profile data of web browsers

UPX packed file

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-19 12:17

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-19 12:17

Reported

2025-01-19 12:20

Platform

win7-20241010-en

Max time kernel

141s

Max time network

69s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe"

Signatures

Cycbot

backdoor rat cycbot

Cycbot family

cycbot

Detects Cycbot payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

System Location Discovery: System Language Discovery

discovery

Description  Indicator                                                        Process                                                                                     Target
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe     N/A
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe     N/A
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe     N/A

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                                                                                     Target
PID 2548 wrote to memory of 2396  N/A        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe     C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe
PID 2548 wrote to memory of 2396  N/A        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe     C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe
PID 2548 wrote to memory of 2396  N/A        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe     C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe
PID 2548 wrote to memory of 2396  N/A        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe     C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe
PID 2548 wrote to memory of 2280  N/A        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe     C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe
PID 2548 wrote to memory of 2280  N/A        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe     C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe
PID 2548 wrote to memory of 2280  N/A        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe     C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe
PID 2548 wrote to memory of 2280  N/A        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe     C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming

Network

Country  Destination           Domain              Proto
US       8.8.8.8:53            protoolreviews.com  udp
US       172.67.212.191:80     protoolreviews.com  tcp
US       8.8.8.8:53            zonetf.com          udp
US       76.223.54.146:80      zonetf.com          tcp
US       8.8.8.8:53            zoneom.com          udp
US       13.248.213.45:80      zoneom.com          tcp
US       76.223.54.146:80      zonetf.com          tcp
US       13.248.213.45:80      zoneom.com          tcp
US       76.223.54.146:80      zonetf.com          tcp
US       8.8.8.8:53            www.google.com      udp
GB       142.250.187.196:80    www.google.com      tcp
US       13.248.213.45:80      zoneom.com          tcp
GB       142.250.187.196:80    www.google.com      tcp
GB       142.250.187.196:80    www.google.com      tcp
N/A      127.0.0.1:55515       N/A                 tcp
N/A      127.0.0.1:55515       N/A                 tcp

Files

memory/2548-1-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2548-2-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2396-5-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2396-7-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2548-16-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Roaming\FAD9.946

MD5 f589526b2097165d307309a74e414208
SHA1 5f19a2d4bf39826ec618a2688b809cc81f684bf3
SHA256 6b38b959f224447b2fc0cf78afbee950a9d1a438c96cc958011c3812adcdfb09
SHA512 021c7668ab87c5b6821b3ade3abc8665960d3a0e67bc847351895c798e3089462e9b02cfaea01fa955fe49e757b5327b6585ba0ccdc526bc117f39420ae076bb

memory/2280-92-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2280-93-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2280-95-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Roaming\FAD9.946

MD5 b31f5554f26458509d8b989d6b6b2839
SHA1 f17f33d716b4e51dcd24828cb9af5caddcf4a470
SHA256 2ab4c3894d37df5d1061e52deb697948ae554d24232d17790217da775696a09c
SHA512 779a510cf27cf539ccd05b2a55562dc7152f060f0ffd125f2352c1e733bbc57ac650f61869f47398f3d8a7756e96d8d0e721aab2fd908ee081b35b78fac8f695

C:\Users\Admin\AppData\Roaming\FAD9.946

MD5 e564d6eeec31b3cd5b6586fcd488b687
SHA1 4db0e9d1cde924264f39247a1d79425e2f8dd835
SHA256 e5d3f3c6a960b9f1bca9c4df68ff66ebb40b5bd8ac1c3d6fc4d692813aef34c9
SHA512 2181c88830cc52899eafb1d6dae5f982eead589c9ef35d6dcb566ff687de943dcda9fd93689a70aca519fabd29b45b47cb4cadebdd83376d3cb4fdbfd13fb803

C:\Users\Admin\AppData\Roaming\FAD9.946

MD5 4c513d86b1e4263a67ba082de51129be
SHA1 057d1eb197ee5155a0beb61da96ccbb5b2a1d083
SHA256 cee90d2075010261644793fb4037cc92149283e571a5bdc2c6241aa8fafc55c9
SHA512 1548674bb99ce555c10230a1676a56104bef247fc332daaa99ce4d6d0c95568a2c3c4ca2ff5011b54f55c9c9d2b644ac03bdeb06d45aee330537a2d7da56b62e

memory/2548-209-0x0000000000400000-0x000000000044D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-19 12:17

Reported

2025-01-19 12:20

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe"

Signatures

System Location Discovery: System Language Discovery

discovery

Description  Indicator                                                        Process                                                                                     Target
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe     N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4236 -ip 4236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 356

Network

Country  Destination  Domain                           Proto
US       8.8.8.8:53   8.8.8.8.in-addr.arpa             udp
US       8.8.8.8:53   133.211.185.52.in-addr.arpa      udp
US       8.8.8.8:53   134.130.81.91.in-addr.arpa       udp
US       8.8.8.8:53   140.32.126.40.in-addr.arpa       udp
US       8.8.8.8:53   7.98.22.2.in-addr.arpa           udp
US       8.8.8.8:53   154.239.44.20.in-addr.arpa       udp
US       8.8.8.8:53   53.210.109.20.in-addr.arpa       udp
US       8.8.8.8:53   18.31.95.13.in-addr.arpa         udp
US       8.8.8.8:53   172.214.232.199.in-addr.arpa     udp
US       8.8.8.8:53   19.229.111.52.in-addr.arpa       udp

Files

N/A