Overview

overview

10

Static

static

10

JaffaCakes...6d.exe

windows7-x64

10

JaffaCakes...6d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19/01/2025, 14:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_ca91d7233de94df30ccbb02bcf7eb86d.exe

  • Size

    667KB

  • MD5

    ca91d7233de94df30ccbb02bcf7eb86d

  • SHA1

    7a96c6de2a629170e4bc24a81df72e24a87d77ae

  • SHA256

    1ae7b586ef1b22df289badb804323398d4672dcc9da455d89ffcf22814a31267

  • SHA512

    cd3687d7766f8fe2b80f319944cf8a128f34b243e45b3f0ad1973138445a95a4938df00941f917491dfaf379bdab9a53946426bf5a9e06d7c07a9e655c28a3f5

  • SSDEEP

    12288:WbMqmEEEb4E9F/ATyGv4XKGQi2lJLm1Giizl6oAlpxElrW1A:WIeEEb4Ev/ATEXKGVnGTzpA1Ec1A

Score
10/10
cycbotmodiloaderbackdoordiscoveryevasionpersistenceratspywarestealertrojanupx

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

    backdoorratcycbot
  • Cycbot family
    cycbot
  • Detects Cycbot payload 6 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modiloader family
    modiloader
  • ModiLoader Second Stage 8 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables taskbar notifications via registry modification
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 52 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca91d7233de94df30ccbb02bcf7eb86d.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca91d7233de94df30ccbb02bcf7eb86d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca91d7233de94df30ccbb02bcf7eb86d.exe
      JaffaCakes118_ca91d7233de94df30ccbb02bcf7eb86d.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Users\Admin\DV245F.exe
        C:\Users\Admin\DV245F.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Users\Admin\pblen.exe
          "C:\Users\Admin\pblen.exe"
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:2748
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del DV245F.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2732
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2968
      • C:\Users\Admin\aohost.exe
        C:\Users\Admin\aohost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2884
        • C:\Users\Admin\aohost.exe
          aohost.exe
          4⤵
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Suspicious behavior: EnumeratesProcesses
          PID:2624
      • C:\Users\Admin\bohost.exe
        C:\Users\Admin\bohost.exe
        3⤵
        • Modifies security service
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2068
        • C:\Users\Admin\bohost.exe
          C:\Users\Admin\bohost.exe startC:\Users\Admin\AppData\Roaming\275A7\EC9AF.exe%C:\Users\Admin\AppData\Roaming\275A7
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1720
        • C:\Users\Admin\bohost.exe
          C:\Users\Admin\bohost.exe startC:\Program Files (x86)\A71C6\lvvm.exe%C:\Program Files (x86)\A71C6
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2476
      • C:\Users\Admin\dohost.exe
        C:\Users\Admin\dohost.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2520
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_ca91d7233de94df30ccbb02bcf7eb86d.exe
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1268
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1500
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2804
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

5
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\275A7\71C6.75A
    Filesize

    600B

    MD5

    91a216851f109cf139a3b4b903a2dac0

    SHA1

    fec017110ef8c8e18104f9697f63536d34016c6a

    SHA256

    cbcceac368fb190719de120be0cbd94cef8ab700cec061b20612efb90a1a6021

    SHA512

    afc43d09d7f4048794dd6b7ba404a39c01b004fcdc16ad4ef6194983887ce9ed9405d32ba19b80fdc92df1f1048219a25eb365659a74add80875a1565094598c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\275A7\71C6.75A
    Filesize

    996B

    MD5

    1a18e180ed9b9c98726c2128621f0092

    SHA1

    8d0680d3aaa14e53bbe72cc12aca30339f9b79d6

    SHA256

    d94aef3ff9ecea67710e83495f19d4ac1eec46bf76d9046252a78dc41fa47e30

    SHA512

    4d896f319bc2b04ad134292fbbe0f01a0266028521d24995bfec1ea1eca19f7f370c7ea0e69c25656bf80078309557fc1f143e8a93df633057dd6f91554e4cb3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\275A7\71C6.75A
    Filesize

    1KB

    MD5

    0449ac6899229beefa30d5a20bfac403

    SHA1

    f3bab9eb460f88eaaab616620b2b0bdba7fe074f

    SHA256

    b4f69125f689cddab63472a35860d513767da1a781c4ea1040b2e56e32a99ab1

    SHA512

    bef6567cb566e4357a0493e553d902882cc59703258d6b2cefd2c66e61e3d6b38b39aac3b1d667751e767a64b34cbaa1d943533d6694a434369a346139280bd1

    Download Submit

  • \Users\Admin\DV245F.exe
    Filesize

    216KB

    MD5

    00b1af88e176b5fdb1b82a38cfdce35b

    SHA1

    c0f77262df92698911e0ac2f7774e93fc6b06280

    SHA256

    50f026d57fea9c00d49629484442ea59cccc0053d7db73168d68544a3bbf6f59

    SHA512

    9e55e7c440af901f9c6d0cdae619f6e964b9b75c9351c76ea64362ff161c150b12a1caabb3d2eb63353a59ae70e7159ca6b3793ed0cc11994766846ac316107f

    Download Submit

  • \Users\Admin\aohost.exe
    Filesize

    152KB

    MD5

    4401958b004eb197d4f0c0aaccee9a18

    SHA1

    50e600f7c5c918145c5a270b472b114faa72a971

    SHA256

    4c477ed134bc76fa7b912f1aad5e59d4f56f993baa16646e25fec2fdeed3bd8b

    SHA512

    f0548bdaafce2cde2f9d3bd1c26ed3c8e9321ef6d706bd372e18886d834828e5bb54ae44f19764e94574ceb4a1a2a99bdd8476e174b05114fcac9a6d4a2d58e6

    Download Submit

  • \Users\Admin\bohost.exe
    Filesize

    173KB

    MD5

    0578a41258df62b7b4320ceaafedde53

    SHA1

    50e7c0b00f8f1e5355423893f10ae8ee844d70f4

    SHA256

    18941e3030ef70437a5330e4689ec262f887f6f6f1da1cd66c0cbae2a76e75bf

    SHA512

    5870a73798bad1f92b4d79f20bf618112ec8917574f6b25ab968c47afff419a829eef57b0282fb4c53e6e636436c8cf52a01426c46bdd4a0ea948d371f0feb09

    Download Submit

  • \Users\Admin\dohost.exe
    Filesize

    24KB

    MD5

    d7390e209a42ea46d9cbfc5177b8324e

    SHA1

    eff57330de49be19d2514dd08e614afc97b061d2

    SHA256

    d2d49c37bdf2313756897245c3050494b39e824af448450eca1c0e83cf95b1e5

    SHA512

    de0eb11dd20cd9d74f47b138fb4189a299a57173fe2635150045b01629354f35b26e0575acd25501403af0db238a123b2e5a79582b47aee1d6e786f5eec1929d

    Download Submit

  • \Users\Admin\pblen.exe
    Filesize

    216KB

    MD5

    b416717f8853eaa18a08b96adcce5e41

    SHA1

    1fd43cc11da918b26d55e1afdc63de9e321cb255

    SHA256

    84ec2a4aad29d427c80786b784d7648b6d2df5351d53f40ffb9b4b1d3fc06b55

    SHA512

    5065386c4f1edd9fbf00629b5449103d4694412b2b1cb5cb235292cdf6acb2f9408a2825dbb2f78743e755075fd6ee6005e7c4f8d00b63ca924b034f99ef894b

    Download Submit

  • memory/1720-101-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2068-158-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2068-258-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2068-103-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2068-272-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2320-5-0x0000000000400000-0x00000000004CF000-memory.dmp

    Filesize

    828KB

    Download

  • memory/2320-260-0x0000000002870000-0x000000000332A000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2320-263-0x0000000000400000-0x00000000004CF000-memory.dmp

    Filesize

    828KB

    Download

  • memory/2320-0-0x0000000000400000-0x00000000004CF000-memory.dmp

    Filesize

    828KB

    Download

  • memory/2320-6-0x0000000000400000-0x00000000004CF000-memory.dmp

    Filesize

    828KB

    Download

  • memory/2320-12-0x0000000000400000-0x00000000004CF000-memory.dmp

    Filesize

    828KB

    Download

  • memory/2320-15-0x0000000000400000-0x00000000004CF000-memory.dmp

    Filesize

    828KB

    Download

  • memory/2320-77-0x0000000000400000-0x00000000004CF000-memory.dmp

    Filesize

    828KB

    Download

  • memory/2320-13-0x0000000000400000-0x00000000004CF000-memory.dmp

    Filesize

    828KB

    Download

  • memory/2320-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2320-2-0x0000000000400000-0x00000000004CF000-memory.dmp

    Filesize

    828KB

    Download

  • memory/2404-10-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2476-156-0x0000000076EA0000-0x0000000076F9A000-memory.dmp

    Filesize

    1000KB

    Download

  • memory/2476-155-0x0000000076D80000-0x0000000076E9F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2476-154-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2624-102-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2624-54-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2624-56-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2624-60-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2624-66-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2624-67-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2624-52-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2884-63-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download