Analysis

  • max time kernel
    141s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/01/2025, 18:41

General

  • Target

    JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe

  • Size

    179KB

  • MD5

    cfd2b8d0aee4f09a5da6df079689f964

  • SHA1

    804b4d0028bc6a26e76200e2c4afcc4d450dd916

  • SHA256

    16531f09b5377d22c63c4e8b0f57d13656ada9b7f388e09063d9b6d4af1022c0

  • SHA512

    92264e37b659c763bdd120a3e335f132d1901d75482f9a3bd2dc7995cd23fc3668c8c15ca8f3fd2b50aa56e93c782199e65a0ea4578b3446b3df46ee55d3c2b7

  • SSDEEP

    3072:PHGy2UeUeYyIkOFvxdbkXdJbVMALYdsRkCU/lbMlcqJ66Gk+flaXB:PGy4UeaGXd/LKfCcMlRJqvfgXB

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory 6 IoCs
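The "UPX packed file" signature above fires on section names and layout, and its description notes that a modified UPX build (renamed sections) is also covered. The following is an added example, not Triage's own detector and not the sample on this page: it parses a PE section table and applies the two checks an analyst would combine, the stock UPX0/UPX1 names and the UPX layout (an empty placeholder section that the stub unpacks into, followed by a near-random packed section). The three PE images are minimal headers constructed inline for the demonstration; the entropy threshold of 7.0 bits/byte is an assumption.

```python
import hashlib
import math
import struct

# Section names stock UPX writes; a modified UPX build often renames them, so the
# layout heuristic below backs the name check up.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
ENTROPY_THRESHOLD = 7.0  # assumption: bits/byte above which a section is treated as packed


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk the PE section table and return one dict per section, raw bytes included."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # COFF NumberOfSections
    opt_header_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_header_size                            # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        (name, vsize, vaddr, raw_size, raw_ptr, _reloc, _line, _nreloc, _nline,
         _chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr, "raw_size": raw_size,
            "data": pe[raw_ptr:raw_ptr + raw_size] if raw_size else b"",
        })
    return sections


def upx_verdict(pe: bytes) -> dict:
    """Flag stock UPX by section names and modified UPX by the unpack-placeholder layout."""
    secs = parse_sections(pe)
    reasons = []
    if any(s["name"] in UPX_SECTION_NAMES for s in secs):
        reasons.append("UPX section names present")
    # UPX layout: first section has SizeOfRawData == 0 but a large VirtualSize (the stub
    # decompresses into it); the packed image sits in the next section and is near-random.
    placeholder_first = len(secs) >= 2 and secs[0]["raw_size"] == 0 and secs[0]["virtual_size"] > 0
    high_entropy = [s["name"] for s in secs
                    if s["raw_size"] and shannon_entropy(s["data"]) > ENTROPY_THRESHOLD]
    if placeholder_first and high_entropy:
        reasons.append("empty first section followed by high-entropy section (UPX layout)")
    return {"packed": bool(reasons), "reasons": reasons,
            "sections": [(s["name"], s["raw_size"], round(shannon_entropy(s["data"]), 2)) for s in secs]}


def build_pe(sections: list) -> bytes:
    """Construct a minimal PE32 image (DOS stub, COFF, optional header, section table) for tests."""
    e_lfanew, opt_size = 0x40, 0xE0
    raw_off = (e_lfanew + 24 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF  # 512-byte aligned
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table, blobs, va, cur = b"", b"", 0x1000, raw_off
    for name, vsize, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"), vsize, va,
                             len(data), cur if data else 0, 0, 0, 0, 0, 0x60000020)
        blobs += data
        cur += len(data)
        va += (vsize + 0xFFF) & ~0xFFF
    return (dos + coff + opt + table).ljust(raw_off, b"\0") + blobs


# Constructed section contents: SHA-256 output stands in for compressed data, NOP/INT3 runs for plain code.
HIGH = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
LOW = b"\x90" * 2048 + b"\xCC" * 2048
PACKED_PE = build_pe([("UPX0", 0x20000, b""), ("UPX1", 0x2000, HIGH)])   # stock UPX
RENAMED_PE = build_pe([("", 0x20000, b""), (".text", 0x2000, HIGH)])      # modified UPX, names stripped
PLAIN_PE = build_pe([(".text", 0x1000, LOW), (".data", 0x1000, LOW)])     # ordinary unpacked image

if __name__ == "__main__":
    for label, pe in (("packed", PACKED_PE), ("renamed", RENAMED_PE), ("plain", PLAIN_PE)):
        print(label, upx_verdict(pe))
```

Run it against a real sample by reading the file into bytes and calling upx_verdict; the layout check is what catches a build whose section names were edited, and the entropy threshold is the knob to tune if it misfires on legitimately compressed resources.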

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5020
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe startC:\Program Files (x86)\LP\00B3\B2F.exe%C:\Program Files (x86)\LP\00B3
      2⤵
      • System Location Discovery: System Language Discovery
      PID:224
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe startC:\Users\Admin\AppData\Roaming\37B60\3CE00.exe%C:\Users\Admin\AppData\Roaming\37B60
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4868
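The process tree shows the sample relaunching its own image twice, each time with a single argument of the shape `start<dropped exe path>%<dropped directory>`, once into `C:\Program Files (x86)\LP\00B3` and once into `C:\Users\Admin\AppData\Roaming\37B60`. That argument shape is what a hunt over process-creation telemetry can key on. The following is an added example, not code from the report or from Triage: it reads process events modelled on the tree above (the event records, the parent `explorer.exe` at pid 1000 and the benign `cmd.exe` decoy are constructed for the demonstration), requires the child to share the parent's image, parses the `start...%...` argument and checks that the dropped file's directory matches the trailing directory, as it does in both lines above.

```python
import ntpath
import re

# Argument shape from the process tree: "start" glued to the dropped copy's full path,
# then "%" and the directory that copy lives in. A leading whitespace is required so
# the cmd.exe builtin "start <file>" (space after "start") does not match.
CYCBOT_ARG = re.compile(r"\sstart([A-Za-z]:\\[^%]+)%([A-Za-z]:\\.+)$")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe"

# Constructed process-creation events (fields as a Sysmon EID 1 or EDR feed supplies them).
# PIDs 5020/224/4868 and the command lines follow the report; explorer.exe (pid 1000) as the
# parent and the cmd.exe event are assumptions added for the example.
EVENTS = [
    {"pid": 1000, "ppid": 800, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5020, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 224, "ppid": 5020, "image": SAMPLE,
     "cmdline": SAMPLE + r" startC:\Program Files (x86)\LP\00B3\B2F.exe%C:\Program Files (x86)\LP\00B3"},
    {"pid": 4868, "ppid": 5020, "image": SAMPLE,
     "cmdline": SAMPLE + r" startC:\Users\Admin\AppData\Roaming\37B60\3CE00.exe%C:\Users\Admin\AppData\Roaming\37B60"},
    {"pid": 4100, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c start C:\Tools\notepad.exe"},
]


def find_cycbot_relaunches(events: list) -> list:
    """Return one finding per child that re-executes its parent's image with a start<path>%<dir> argument."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        match = CYCBOT_ARG.search(e["cmdline"])
        if parent is None or match is None:
            continue
        if parent["image"].lower() != e["image"].lower():
            continue  # self-relaunch is part of the pattern; a different image is a different story
        drop_exe, drop_dir = match.group(1), match.group(2)
        findings.append({
            "pid": e["pid"],
            "ppid": e["ppid"],
            "drop_exe": drop_exe,
            "drop_dir": drop_dir,
            # In both report lines the directory after "%" is the dropped file's own directory;
            # ntpath keeps Windows path semantics when this runs on a non-Windows analysis box.
            "dir_consistent": ntpath.dirname(drop_exe).lower() == drop_dir.lower(),
        })
    return findings


def drop_iocs(events: list) -> list:
    """Sorted file and directory paths to sweep for on other hosts."""
    paths = set()
    for f in find_cycbot_relaunches(events):
        paths.add(f["drop_exe"])
        paths.add(f["drop_dir"])
    return sorted(paths)


if __name__ == "__main__":
    for f in find_cycbot_relaunches(EVENTS):
        print(f)
    print(drop_iocs(EVENTS))
```

The image-equality check is what keeps this from firing on any process that happens to carry a `start` argument; drop it only if you are hunting for the argument shape on its own, and expect more noise when you do.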

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Roaming\37B60\0AFD.7B6

          Filesize

          597B

          MD5

          4f35c593a40c164af68f67a73edd9a84

          SHA1

          4e3b7567a0c047660eb40b4d92082217c2efcbbe

          SHA256

          2db557598ade1e24d3f6153f4f8fb3e17f23c366d563af3dd0d7c796a0f06136

          SHA512

          0a9e46e33c9c45237bb92313609846bda390f0dddcf3a80fa6e4735e438efdf294f3500520c70a352ea4f228bb1809f737ae7f0f2f163f7c573feb95df7ee95b

        • C:\Users\Admin\AppData\Roaming\37B60\0AFD.7B6

          Filesize

          1KB

          MD5

          c00a7bb79e4c69c1ebc857cbc6d3fe04

          SHA1

          856a6b50054c5bcab6143f3dbc9c95d994bbdded

          SHA256

          deb65c65b9570bf468ee3d11df740ca015e8fff9ce205e131451c9a71c00ed3b

          SHA512

          84b95fd97142dfe3a57bdd82c28a20edeaaf952fb6d918fbf424afb43baa5ed8edba3287a28214ba616d419ced2eaa79184aee8530e75ea9b78db2194dbd8447

        • C:\Users\Admin\AppData\Roaming\37B60\0AFD.7B6

          Filesize

          897B

          MD5

          6cf640c0c71d498200f64fa5d99a328a

          SHA1

          8265f2c456a2d2f3ff8ddfcf0941e8fcebca08f5

          SHA256

          79ed62d1c7e0f5a7195910b1b2a929bced5614045d07ca63d5328e44f2ff107d

          SHA512

          7f37a85b1e1de1924a1bca288834c18c477b4b4a1ce5644bb93a1f3be34729fee11fc0de044393a40450495e7fa9bddcb6dfe66077531f9be1c504e2342059a5

        • C:\Users\Admin\AppData\Roaming\37B60\0AFD.7B6

          Filesize

          1KB

          MD5

          e015883c702f3a624e4cf17489de559a

          SHA1

          b1a5a743d676ea691a9efcd1777c9746d491c54d

          SHA256

          b25c7ed160916b8a651f96ccf7b2641b04ca71c92cc7266f0465d79c77ee874a

          SHA512

          872132e12de8a5090f953f6cdcb477aadf4ee6007005df792421a14a89d1837db3a5d6c1bfba503b2eb35886d910487d95ad824a09fed51b49b2774db499853c

        • memory/224-19-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

        • memory/224-18-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

        • memory/224-20-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

        • memory/4868-156-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

        • memory/5020-3-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

        • memory/5020-21-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

        • memory/5020-22-0x0000000000400000-0x0000000000452000-memory.dmp

          Filesize

          328KB

        • memory/5020-0-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

        • memory/5020-2-0x0000000000400000-0x0000000000452000-memory.dmp

          Filesize

          328KB

        • memory/5020-295-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB