Malware Analysis Report

2025-08-05 23:32

Sample ID 250119-xb1j7azrcw
Target JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964
SHA256 16531f09b5377d22c63c4e8b0f57d13656ada9b7f388e09063d9b6d4af1022c0
Tags
cycbot backdoor discovery rat spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

16531f09b5377d22c63c4e8b0f57d13656ada9b7f388e09063d9b6d4af1022c0

Threat Level: Known bad

The file JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964 was found to be: Known bad.

Malicious Activity Summary

cycbot backdoor discovery rat spyware stealer upx

Detects Cycbot payload

Cycbot

Cycbot family

Reads user/profile data of web browsers

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-19 18:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-19 18:41

Reported

2025-01-19 18:44

Platform

win7-20240903-en

Max time kernel

140s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe"

Signatures

Cycbot

backdoor rat cycbot

Cycbot family

cycbot

Detects Cycbot payload

Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows)

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (7 identical rows)
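The static1 "Unsigned PE" verdict and the "UPX packed file" signature are both answered from the PE headers: the security data directory (index 4) is empty when no Authenticode data is attached, and a UPX-packed image carries UPX0/UPX1 section names, an empty UPX0 reserved for the unpacked image, and a dense high-entropy UPX1. The script below is an added example, not this report's or the sandbox's own detection code: a stdlib-only parser that reads exactly those fields, run over two minimal PE32 images it fabricates itself (constructed demo input, not derived from the sample on this page). The 7.0-bit entropy threshold is an assumption, and a populated security directory only shows that signature data is present, not that it verifies.

```python
"""Static checks behind 'Unsigned PE' and 'UPX packed file'.

Added example, not the sandbox's detection code. build_pe() fabricates
minimal PE32 images as demo input; inspect_pe() reads only the headers.
A populated security directory means Authenticode data is present, not
that the signature is valid; the 7.0-bit entropy threshold is an assumption.
"""
import hashlib
import math
import struct
from collections import Counter

ALIGN = 0x200  # file alignment used by the constructed images


def _entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_pe(sections, cert=b""):
    """Constructed PE32 image: sections is [(name, virtual_size, raw_bytes)].

    A non-empty cert is appended and pointed to by data directory 4
    (IMAGE_DIRECTORY_ENTRY_SECURITY), the way a signed file carries it.
    """
    e_lfanew, opt_size = 0x40, 96 + 16 * 8  # PE32 optional header + 16 data dirs
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = -(-hdr_end // ALIGN) * ALIGN
    sec_hdrs, sec_data, va = b"", b"", 0x1000
    for name, vsize, raw in sections:
        padded = raw + b"\0" * (-len(raw) % ALIGN)
        rptr = raw_base + len(sec_data) if padded else 0  # UPX0-style: no raw data
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va,
                                len(padded), rptr, 0, 0, 0, 0, 0x60000020)
        sec_data += padded
        va += -(-max(vsize, len(padded)) // 0x1000) * 0x1000
    cert_off = raw_base + len(sec_data) if cert else 0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)  # magic, NumberOfRvaAndSizes
    dirs = b"".join(struct.pack("<II", cert_off, len(cert)) if i == 4 else bytes(8)
                    for i in range(16))
    img = dos + b"PE\0\0" + coff + opt + dirs + sec_hdrs
    return img + b"\0" * (raw_base - len(img)) + sec_data + cert


def inspect_pe(blob):
    """From headers alone: is Authenticode data present, does it look UPX-packed?"""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    dirs_at = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    n_dirs = struct.unpack_from("<I", blob, dirs_at - 4)[0]
    cert_off, cert_len = struct.unpack_from("<II", blob, dirs_at + 4 * 8) if n_dirs > 4 else (0, 0)
    sections = []
    for i in range(n_sections):
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", blob, opt + opt_size + 40 * i)
        raw = blob[rptr:rptr + rsize] if rsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vsize": vsize, "rsize": rsize, "entropy": round(_entropy(raw), 2)})
    names = {s["name"] for s in sections}
    return {
        "signed": cert_off != 0 and cert_len != 0,
        "upx_section_names": {"UPX0", "UPX1"} <= names,
        # packer layout: an empty section reserved for the unpacked image plus a dense one
        "packed_heuristic": any(s["rsize"] == 0 and s["vsize"] > 0 for s in sections)
                            and any(s["entropy"] > 7.0 for s in sections),
        "sections": sections,
    }


# Constructed demo inputs (not derived from the sample on this page).
_DENSE = b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest() for i in range(256))
PACKED_UNSIGNED = build_pe([("UPX0", 0x40000, b""), ("UPX1", len(_DENSE), _DENSE)])
PLAIN_SIGNED = build_pe([(".text", 0x1000, b"\x90" * 0x7F0 + b"\xC3" * 0x10)],
                        cert=b"\0" * 8 + b"\xAA" * 16)

if __name__ == "__main__":
    for label, img in (("packed, unsigned", PACKED_UNSIGNED), ("plain, signed", PLAIN_SIGNED)):
        r = inspect_pe(img)
        print(f"{label}: signed={r['signed']} upx_names={r['upx_section_names']} "
              f"packed={r['packed_heuristic']} "
              f"sections={[(s['name'], s['entropy']) for s in r['sections']]}")
```

Run it as a script to see both verdicts; point inspect_pe() at the bytes of a real file to reproduce the two signature checks, keeping in mind that a renamed section table defeats the name test while the empty-section-plus-dense-section layout and the missing security directory still hold.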

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe N/A (3 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe (4 identical rows)
PID 2124 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe startC:\Program Files (x86)\LP\24FC\9F7.exe%C:\Program Files (x86)\LP\24FC

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe startC:\Users\Admin\AppData\Roaming\C8F8B\93024.exe%C:\Users\Admin\AppData\Roaming\C8F8B

Network

Country Destination Domain Proto
US 8.8.8.8:53 complaintsboard.com udp
US 104.25.182.41:80 complaintsboard.com tcp
US 8.8.8.8:53 qea6.randomasystems.com udp
US 8.8.8.8:53 yz4.randomasystems.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 9rk.yourfreshstorage.com udp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
N/A 127.0.0.1:61535 tcp
N/A 127.0.0.1:61535 tcp
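The WriteProcessMemory rows (parent 2124 writing into two fresh copies of itself), the `start<payload.exe>%<payload dir>` command lines in the process list, and the Network table are the rows an analyst lifts out of a report like this into a detection or IOC list. The script below is an added example, not tooling from this report or its sandbox: it parses a constructed excerpt of the behavioral1 rows above (the sample's file name shortened to sample.exe) into injection edges, re-launch payload paths, and the queried domains and contacted endpoints. Treating www.google.com as a sandbox connectivity check, and dropping in-addr.arpa reverse lookups and loopback traffic, are assumptions made for the filter.

```python
"""Pull indicators out of a flattened sandbox report like the one above.

Added example, not the sandbox vendor's tooling. REPORT is a constructed
excerpt of the behavioral1 rows shown on this page with the sample file name
shortened to sample.exe. The benign/noise filters are assumptions.
"""
import re

REPORT = r"""
Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Local\Temp\sample.exe
PID 2124 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Local\Temp\sample.exe
PID 2124 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Local\Temp\sample.exe

Processes

"C:\Users\Admin\AppData\Local\Temp\sample.exe"
C:\Users\Admin\AppData\Local\Temp\sample.exe startC:\Program Files (x86)\LP\24FC\9F7.exe%C:\Program Files (x86)\LP\24FC
C:\Users\Admin\AppData\Local\Temp\sample.exe startC:\Users\Admin\AppData\Roaming\C8F8B\93024.exe%C:\Users\Admin\AppData\Roaming\C8F8B

Network

Country Destination Domain Proto
US 8.8.8.8:53 complaintsboard.com udp
US 104.25.182.41:80 complaintsboard.com tcp
US 8.8.8.8:53 qea6.randomasystems.com udp
US 8.8.8.8:53 yz4.randomasystems.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 9rk.yourfreshstorage.com udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
N/A 127.0.0.1:61535 tcp
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\b")
# Cycbot-style relaunch: <self> start<payload.exe>%<payload dir>, no space after 'start'
RELAUNCH_RE = re.compile(r"\sstart([A-Za-z]:\\[^%]+?\.exe)%([A-Za-z]:\\.+?)\s*$")
NET_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (udp|tcp)$")

RESOLVER = "8.8.8.8"
BENIGN_DOMAINS = {"www.google.com"}  # assumption: sandbox connectivity check, not C2


def injection_edges(text):
    """Distinct (writer_pid, target_pid) pairs from WriteProcessMemory rows."""
    edges = []
    for line in text.splitlines():
        m = WPM_RE.match(line)
        if m:
            edge = (int(m.group(1)), int(m.group(2)))
            if edge not in edges:
                edges.append(edge)
    return edges


def relaunch_payloads(text):
    """(payload path, payload directory) from every 'start<exe>%<dir>' command line."""
    found = []
    for line in text.splitlines():
        m = RELAUNCH_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def network_iocs(text):
    """Split the network table into queried domains and contacted endpoints.

    DNS rows to the resolver carry the queried name only; TCP rows carry ip:port.
    Reverse lookups, loopback and the benign allow-list are dropped.
    """
    domains, endpoints = set(), set()
    for line in text.splitlines():
        m = NET_RE.match(line)
        if not m:
            continue
        _country, ip, port, domain, _proto = m.groups()
        if domain and (domain.endswith(".in-addr.arpa") or domain in BENIGN_DOMAINS):
            continue
        if ip == RESOLVER or ip.startswith("127."):
            if domain:
                domains.add(domain)
            continue
        endpoints.add(f"{ip}:{port}")
        if domain:
            domains.add(domain)
    return sorted(domains), sorted(endpoints)


if __name__ == "__main__":
    print("injection edges:", injection_edges(REPORT))
    for exe, d in relaunch_payloads(REPORT):
        print("relaunch payload:", exe, "from", d)
    doms, eps = network_iocs(REPORT)
    print("domains:", doms)
    print("endpoints:", eps)
```

The relaunch regex is the piece worth carrying into a process-creation detection: a command line whose arguments begin with `start` glued directly to a drive-letter path and a `%` separator is a narrow pattern that does not appear in ordinary software, and the directory it names (here `C:\Users\Admin\AppData\Roaming\C8F8B`) is the same directory the Files section shows being written to.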

Files

memory/2124-0-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2124-2-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2124-3-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Roaming\C8F8B\BF08.8F8

MD5 6fd6fe7029d68e3165ba639fbd75c13b
SHA1 0321f5472f49c02eb850fe3fcf8031f889083bde
SHA256 bbf639d6cfe348763611cb8896ec95ff64b6a28c03b4845b0a38464ff87cad4a
SHA512 a773cd133251b82874ae5863594610f5a76cd3d258e56f2a5721fef427869754c2ea5a6ee1b2205684eeb5d55823acf72f1a5efe006df3c214e7087dad49a0c0

memory/2776-18-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2776-20-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2124-21-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2124-22-0x0000000000400000-0x0000000000452000-memory.dmp

C:\Users\Admin\AppData\Roaming\C8F8B\BF08.8F8

MD5 3fe0ce014d5c90e9fa4a791fbdf17815
SHA1 faec1004e5277f60e4d0fc23a73113131c99954d
SHA256 d94ad2e4eaf00575aff0c9f63f132c632aa7ab1e4b0aa0deb1be2f3af80c8e64
SHA512 922c41d9048c32063a1aae9a6de4ecc0a6236e72dc99a6727a21d9efcb96c2a7f365176e3bdeeda5a892ccbc4ac674078d2b7e84ac27558afb29366226e2b1af

memory/1964-124-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Roaming\C8F8B\BF08.8F8

MD5 531dbae5ebf8ff0df18232bc4457db1e
SHA1 059496a1ffc167900d76bafcdcd40d1e4e7735d0
SHA256 6a3bbfa26ca1b6cffe0cf4a671bb6f674c866b3829dcf82c65e7f392d4d31935
SHA512 8c1fcfb37cad132b05e1cc6b53e2088bf580f4d74c89c00d292fa942752fff442dd83297c16c3fe6c3a1d0a28cc8412817c144f86a7e8e310be94fc8a6b6d5c7

C:\Users\Admin\AppData\Roaming\C8F8B\BF08.8F8

MD5 e9d6249805bb84b4e9c067bbfd844daf
SHA1 7497afc8489ef902dcdd6a7d014dcb65e9b1570c
SHA256 6eecd8792d33800c4e32cf4c799db6d881426d2d51acdfe3bf00dc5a7d1c67f6
SHA512 fef7b9fe03a026f8001d3aabbfd825bfe641f6c95734a90537453b27c5dc8d31a4fd496c60dc05f214dadf8703cb59bec5bfdaccc5df493c7d123b2b90493107

memory/2124-287-0x0000000000400000-0x0000000000454000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-19 18:41

Reported

2025-01-19 18:53

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe"

Signatures

Cycbot

backdoor rat cycbot

Cycbot family

cycbot

Detects Cycbot payload

Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (8 identical rows)

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe N/A (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe startC:\Program Files (x86)\LP\00B3\B2F.exe%C:\Program Files (x86)\LP\00B3

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe startC:\Users\Admin\AppData\Roaming\37B60\3CE00.exe%C:\Users\Admin\AppData\Roaming\37B60

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 245.131.30.184.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 highspeedinternetlosangeles.webnode.com udp
DE 18.185.25.67:80 highspeedinternetlosangeles.webnode.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 67.25.185.18.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 laf3.yourfreshstorage.com udp
US 8.8.8.8:53 xsfd.randomasystems.com udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
N/A 127.0.0.1:53677 tcp
US 8.8.8.8:53 t0cke.datastoreplus.com udp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
N/A 127.0.0.1:53677 tcp
GB 142.250.187.196:80 www.google.com tcp
N/A 127.0.0.1:53677 tcp
N/A 127.0.0.1:53677 tcp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
N/A 127.0.0.1:53677 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/5020-0-0x0000000000400000-0x0000000000454000-memory.dmp

memory/5020-2-0x0000000000400000-0x0000000000452000-memory.dmp

memory/5020-3-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Roaming\37B60\0AFD.7B6

MD5 4f35c593a40c164af68f67a73edd9a84
SHA1 4e3b7567a0c047660eb40b4d92082217c2efcbbe
SHA256 2db557598ade1e24d3f6153f4f8fb3e17f23c366d563af3dd0d7c796a0f06136
SHA512 0a9e46e33c9c45237bb92313609846bda390f0dddcf3a80fa6e4735e438efdf294f3500520c70a352ea4f228bb1809f737ae7f0f2f163f7c573feb95df7ee95b

memory/224-19-0x0000000000400000-0x0000000000454000-memory.dmp

memory/224-18-0x0000000000400000-0x0000000000454000-memory.dmp

memory/224-20-0x0000000000400000-0x0000000000454000-memory.dmp

memory/5020-21-0x0000000000400000-0x0000000000454000-memory.dmp

memory/5020-22-0x0000000000400000-0x0000000000452000-memory.dmp

C:\Users\Admin\AppData\Roaming\37B60\0AFD.7B6

MD5 6cf640c0c71d498200f64fa5d99a328a
SHA1 8265f2c456a2d2f3ff8ddfcf0941e8fcebca08f5
SHA256 79ed62d1c7e0f5a7195910b1b2a929bced5614045d07ca63d5328e44f2ff107d
SHA512 7f37a85b1e1de1924a1bca288834c18c477b4b4a1ce5644bb93a1f3be34729fee11fc0de044393a40450495e7fa9bddcb6dfe66077531f9be1c504e2342059a5

memory/4868-156-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Roaming\37B60\0AFD.7B6

MD5 c00a7bb79e4c69c1ebc857cbc6d3fe04
SHA1 856a6b50054c5bcab6143f3dbc9c95d994bbdded
SHA256 deb65c65b9570bf468ee3d11df740ca015e8fff9ce205e131451c9a71c00ed3b
SHA512 84b95fd97142dfe3a57bdd82c28a20edeaaf952fb6d918fbf424afb43baa5ed8edba3287a28214ba616d419ced2eaa79184aee8530e75ea9b78db2194dbd8447

C:\Users\Admin\AppData\Roaming\37B60\0AFD.7B6

MD5 e015883c702f3a624e4cf17489de559a
SHA1 b1a5a743d676ea691a9efcd1777c9746d491c54d
SHA256 b25c7ed160916b8a651f96ccf7b2641b04ca71c92cc7266f0465d79c77ee874a
SHA512 872132e12de8a5090f953f6cdcb477aadf4ee6007005df792421a14a89d1837db3a5d6c1bfba503b2eb35886d910487d95ad824a09fed51b49b2774db499853c

memory/5020-295-0x0000000000400000-0x0000000000454000-memory.dmp