Analysis
-
max time kernel
141s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19/01/2025, 18:41
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe
Resource
win7-20240903-en
General
-
Target
JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe
-
Size
179KB
-
MD5
cfd2b8d0aee4f09a5da6df079689f964
-
SHA1
804b4d0028bc6a26e76200e2c4afcc4d450dd916
-
SHA256
16531f09b5377d22c63c4e8b0f57d13656ada9b7f388e09063d9b6d4af1022c0
-
SHA512
92264e37b659c763bdd120a3e335f132d1901d75482f9a3bd2dc7995cd23fc3668c8c15ca8f3fd2b50aa56e93c782199e65a0ea4578b3446b3df46ee55d3c2b7
-
SSDEEP
3072:PHGy2UeUeYyIkOFvxdbkXdJbVMALYdsRkCU/lbMlcqJ66Gk+flaXB:PGy4UeaGXd/LKfCcMlRJqvfgXB
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 5 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral2/memory/224-20-0x0000000000400000-0x0000000000454000-memory.dmp family_cycbot behavioral2/memory/5020-21-0x0000000000400000-0x0000000000454000-memory.dmp family_cycbot behavioral2/memory/5020-22-0x0000000000400000-0x0000000000452000-memory.dmp family_cycbot behavioral2/memory/4868-156-0x0000000000400000-0x0000000000454000-memory.dmp family_cycbot behavioral2/memory/5020-295-0x0000000000400000-0x0000000000454000-memory.dmp family_cycbot -
resource yara_rule behavioral2/memory/5020-3-0x0000000000400000-0x0000000000454000-memory.dmp upx behavioral2/memory/224-19-0x0000000000400000-0x0000000000454000-memory.dmp upx behavioral2/memory/224-18-0x0000000000400000-0x0000000000454000-memory.dmp upx behavioral2/memory/224-20-0x0000000000400000-0x0000000000454000-memory.dmp upx behavioral2/memory/5020-21-0x0000000000400000-0x0000000000454000-memory.dmp upx behavioral2/memory/5020-22-0x0000000000400000-0x0000000000452000-memory.dmp upx behavioral2/memory/4868-156-0x0000000000400000-0x0000000000454000-memory.dmp upx behavioral2/memory/5020-295-0x0000000000400000-0x0000000000454000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 5020 wrote to memory of 224 5020 JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe 84 PID 5020 wrote to memory of 224 5020 JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe 84 PID 5020 wrote to memory of 224 5020 JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe 84 PID 5020 wrote to memory of 4868 5020 JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe 100 PID 5020 wrote to memory of 4868 5020 JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe 100 PID 5020 wrote to memory of 4868 5020 JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe startC:\Program Files (x86)\LP\00B3\B2F.exe%C:\Program Files (x86)\LP\00B32⤵
- System Location Discovery: System Language Discovery
PID:224
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe startC:\Users\Admin\AppData\Roaming\37B60\3CE00.exe%C:\Users\Admin\AppData\Roaming\37B602⤵
- System Location Discovery: System Language Discovery
PID:4868
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
597B
MD54f35c593a40c164af68f67a73edd9a84
SHA14e3b7567a0c047660eb40b4d92082217c2efcbbe
SHA2562db557598ade1e24d3f6153f4f8fb3e17f23c366d563af3dd0d7c796a0f06136
SHA5120a9e46e33c9c45237bb92313609846bda390f0dddcf3a80fa6e4735e438efdf294f3500520c70a352ea4f228bb1809f737ae7f0f2f163f7c573feb95df7ee95b
-
Filesize
1KB
MD5c00a7bb79e4c69c1ebc857cbc6d3fe04
SHA1856a6b50054c5bcab6143f3dbc9c95d994bbdded
SHA256deb65c65b9570bf468ee3d11df740ca015e8fff9ce205e131451c9a71c00ed3b
SHA51284b95fd97142dfe3a57bdd82c28a20edeaaf952fb6d918fbf424afb43baa5ed8edba3287a28214ba616d419ced2eaa79184aee8530e75ea9b78db2194dbd8447
-
Filesize
897B
MD56cf640c0c71d498200f64fa5d99a328a
SHA18265f2c456a2d2f3ff8ddfcf0941e8fcebca08f5
SHA25679ed62d1c7e0f5a7195910b1b2a929bced5614045d07ca63d5328e44f2ff107d
SHA5127f37a85b1e1de1924a1bca288834c18c477b4b4a1ce5644bb93a1f3be34729fee11fc0de044393a40450495e7fa9bddcb6dfe66077531f9be1c504e2342059a5
-
Filesize
1KB
MD5e015883c702f3a624e4cf17489de559a
SHA1b1a5a743d676ea691a9efcd1777c9746d491c54d
SHA256b25c7ed160916b8a651f96ccf7b2641b04ca71c92cc7266f0465d79c77ee874a
SHA512872132e12de8a5090f953f6cdcb477aadf4ee6007005df792421a14a89d1837db3a5d6c1bfba503b2eb35886d910487d95ad824a09fed51b49b2774db499853c