Analysis Overview
SHA256
7c7d055be8d49ca1adc1d7c18b1a9f7d4946e31b1a8b083535eac9347d15e72a
Threat Level: Known bad
The file JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5 was found to be: Known bad.
Malicious Activity Summary
Cycbot family
Detects Cycbot payload
Cycbot
Reads user/profile data of web browsers
UPX packed file
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-19 12:17
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-19 12:17
Reported
2025-01-19 12:20
Platform
win7-20241010-en
Max time kernel
141s
Max time network
69s
Command Line
Signatures
Cycbot
Cycbot family
Detects Cycbot payload
Reads user/profile data of web browsers
UPX packed file
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-19 12:17
Reported
2025-01-19 12:20
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
143s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c78af955fdc7475df5c2907e2aa41ef5.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4236 -ip 4236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 356
Network