Analysis Overview
SHA256
16531f09b5377d22c63c4e8b0f57d13656ada9b7f388e09063d9b6d4af1022c0
Threat Level: Known bad
The file JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964 was found to be: Known bad.
Malicious Activity Summary
Detects Cycbot payload
Cycbot
Cycbot family
Reads user/profile data of web browsers
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-19 18:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
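The two static verdicts on this sample, "Unsigned PE" here and "UPX packed file" in the summary, are normally derived straight from the PE headers: an Authenticode signature lives in the IMAGE_DIRECTORY_ENTRY_SECURITY data directory (index 4), and a stock UPX build leaves sections named UPX0/UPX1 plus a "UPX!" marker in the file. The following is an added example, not code from this report or from the sandbox that produced it, that performs both checks in pure Python with struct. It runs on a constructed minimal PE32 header (labelled as such in the code) rather than on the sample; the section-name and "UPX!" heuristics and the security-directory test are the example's own assumptions.

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode certificate table

def build_fake_pe(section_names, signed):
    """Constructed minimal PE32 header for demonstration (not the sample):
    DOS header + PE signature + COFF header + optional header + section table."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                   # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic = PE32
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    if signed:
        # Security directory holds a file offset and size of the WIN_CERTIFICATE blob
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x400, 0x200)
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0, 0, 0, 0, 0, 0, 0, 0, 0x60000020)
        for name in section_names
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections

def analyze_pe(data):
    """Return section names, a UPX-packing verdict and whether a certificate
    table is present. Presence of the table is not validation of the signature."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_opt,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                     # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                                   # PE32+
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (num_dirs,) = struct.unpack_from("<I", data, count_off)
    signed = False
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_off, sec_size = struct.unpack_from(
            "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
        signed = sec_off != 0 and sec_size != 0
    table = opt + size_opt
    names = []
    for i in range(num_sections):
        (raw,) = struct.unpack_from("<8s", data, table + 40 * i)
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    # Section names are trivially renamed; the "UPX!" marker is a second signal.
    upx = any(n.startswith("UPX") for n in names) or b"UPX!" in data
    return {"sections": names, "upx_packed": upx, "signed": signed}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(analyze_pe(fh.read()))
    else:
        print(analyze_pe(build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], signed=False)))
```

A non-empty security directory only says a certificate table exists; whether the signature verifies and chains to a trusted root needs a real verifier (signtool or osslsigncode). Conversely, renamed sections defeat the name check, which is why the marker string is kept as a fallback, and a modified UPX build can remove that too.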
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-19 18:41
Reported
2025-01-19 18:44
Platform
win7-20240903-en
Max time kernel
140s
Max time network
120s
Command Line
Signatures
Cycbot
Cycbot family
Detects Cycbot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe startC:\Program Files (x86)\LP\24FC\9F7.exe%C:\Program Files (x86)\LP\24FC
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe startC:\Users\Admin\AppData\Roaming\C8F8B\93024.exe%C:\Users\Admin\AppData\Roaming\C8F8B
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | complaintsboard.com | udp |
| US | 104.25.182.41:80 | complaintsboard.com | tcp |
| US | 8.8.8.8:53 | qea6.randomasystems.com | udp |
| US | 8.8.8.8:53 | yz4.randomasystems.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | 9rk.yourfreshstorage.com | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| N/A | 127.0.0.1:61535 | N/A | tcp |
| N/A | 127.0.0.1:61535 | N/A | tcp |
Files
memory/2124-0-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2124-2-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2124-3-0x0000000000400000-0x0000000000454000-memory.dmp
C:\Users\Admin\AppData\Roaming\C8F8B\BF08.8F8
| MD5 | 6fd6fe7029d68e3165ba639fbd75c13b |
| SHA1 | 0321f5472f49c02eb850fe3fcf8031f889083bde |
| SHA256 | bbf639d6cfe348763611cb8896ec95ff64b6a28c03b4845b0a38464ff87cad4a |
| SHA512 | a773cd133251b82874ae5863594610f5a76cd3d258e56f2a5721fef427869754c2ea5a6ee1b2205684eeb5d55823acf72f1a5efe006df3c214e7087dad49a0c0 |
memory/2776-18-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2776-20-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2124-21-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2124-22-0x0000000000400000-0x0000000000452000-memory.dmp
C:\Users\Admin\AppData\Roaming\C8F8B\BF08.8F8
| MD5 | 3fe0ce014d5c90e9fa4a791fbdf17815 |
| SHA1 | faec1004e5277f60e4d0fc23a73113131c99954d |
| SHA256 | d94ad2e4eaf00575aff0c9f63f132c632aa7ab1e4b0aa0deb1be2f3af80c8e64 |
| SHA512 | 922c41d9048c32063a1aae9a6de4ecc0a6236e72dc99a6727a21d9efcb96c2a7f365176e3bdeeda5a892ccbc4ac674078d2b7e84ac27558afb29366226e2b1af |
memory/1964-124-0x0000000000400000-0x0000000000454000-memory.dmp
C:\Users\Admin\AppData\Roaming\C8F8B\BF08.8F8
| MD5 | 531dbae5ebf8ff0df18232bc4457db1e |
| SHA1 | 059496a1ffc167900d76bafcdcd40d1e4e7735d0 |
| SHA256 | 6a3bbfa26ca1b6cffe0cf4a671bb6f674c866b3829dcf82c65e7f392d4d31935 |
| SHA512 | 8c1fcfb37cad132b05e1cc6b53e2088bf580f4d74c89c00d292fa942752fff442dd83297c16c3fe6c3a1d0a28cc8412817c144f86a7e8e310be94fc8a6b6d5c7 |
C:\Users\Admin\AppData\Roaming\C8F8B\BF08.8F8
| MD5 | e9d6249805bb84b4e9c067bbfd844daf |
| SHA1 | 7497afc8489ef902dcdd6a7d014dcb65e9b1570c |
| SHA256 | 6eecd8792d33800c4e32cf4c799db6d881426d2d51acdfe3bf00dc5a7d1c67f6 |
| SHA512 | fef7b9fe03a026f8001d3aabbfd825bfe641f6c95734a90537453b27c5dc8d31a4fd496c60dc05f214dadf8703cb59bec5bfdaccc5df493c7d123b2b90493107 |
memory/2124-287-0x0000000000400000-0x0000000000454000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-19 18:41
Reported
2025-01-19 18:53
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
137s
Command Line
Signatures
Cycbot
Cycbot family
Detects Cycbot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe startC:\Program Files (x86)\LP\00B3\B2F.exe%C:\Program Files (x86)\LP\00B3
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe startC:\Users\Admin\AppData\Roaming\37B60\3CE00.exe%C:\Users\Admin\AppData\Roaming\37B60
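In both behavioral runs the sample re-launches itself with an argument of the form start<payload path>%<staging directory>, once under Program Files (x86)\LP and once under the user's AppData\Roaming, and the directory and file names (24FC\9F7, C8F8B\93024, 00B3\B2F, 37B60\3CE00) are short hex strings that differ between runs. Below is an added example, not part of this report, of detection logic run over those five command lines: it pulls out the payload path and staging directory, checks that the payload sits inside the staging directory, and tags the scope. The regular expression, the hex-name heuristic and the user/machine tag are assumptions drawn from these lines only, not a documented rule for the family.

```python
import ntpath
import re

# Process launches as listed in this report's behavioral1 and behavioral2 runs
SAMPLE_LAUNCHES = [
    r'"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe"',
    r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe startC:\Program Files (x86)\LP\24FC\9F7.exe%C:\Program Files (x86)\LP\24FC",
    r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe startC:\Users\Admin\AppData\Roaming\C8F8B\93024.exe%C:\Users\Admin\AppData\Roaming\C8F8B",
    r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe startC:\Program Files (x86)\LP\00B3\B2F.exe%C:\Program Files (x86)\LP\00B3",
    r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfd2b8d0aee4f09a5da6df079689f964.exe startC:\Users\Admin\AppData\Roaming\37B60\3CE00.exe%C:\Users\Admin\AppData\Roaming\37B60",
]

# image, whitespace, "start" glued to a drive-letter path, "%", a staging directory
RELAUNCH_RE = re.compile(
    r'^(?P<image>"[^"]+"|\S+)\s+start(?P<payload>[A-Za-z]:\\[^%]+)%(?P<stage>[A-Za-z]:\\.*)$'
)
# Assumption from these runs only: 3-5 upper-case hex characters (24FC, 9F7, 37B60 ...)
HEX_NAME_RE = re.compile(r"[0-9A-F]{3,5}")

def find_self_relaunch(launches):
    """Return one record per command line that matches the start<path>%<dir> form."""
    hits = []
    for cmdline in launches:
        m = RELAUNCH_RE.match(cmdline)
        if not m:
            continue
        payload, stage = m.group("payload"), m.group("stage")
        stem = ntpath.splitext(ntpath.basename(payload))[0]
        hits.append({
            "image": m.group("image").strip('"'),
            "payload": payload,
            "stage_dir": stage,
            # the payload's parent directory should be the staging directory
            "payload_in_stage": ntpath.normcase(ntpath.dirname(payload))
                                == ntpath.normcase(stage),
            # per-user staging (AppData\Roaming) versus machine-wide (Program Files)
            "scope": "user" if "\\appdata\\roaming\\" in stage.lower() else "machine",
            "hex_named": bool(HEX_NAME_RE.fullmatch(stem)
                              and HEX_NAME_RE.fullmatch(ntpath.basename(stage))),
        })
    return hits

if __name__ == "__main__":
    for hit in find_self_relaunch(SAMPLE_LAUNCHES):
        print("%-7s %-5s %s" % (hit["scope"], hit["hex_named"], hit["payload"]))
```

One caveat a responder should keep in mind: the Files sections of both runs record only the dropped BF08.8F8 / 0AFD.7B6 files and memory dumps, not the .exe paths named in these arguments, so treat those paths as locations to check on a host rather than as confirmed drops.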
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.131.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | highspeedinternetlosangeles.webnode.com | udp |
| DE | 18.185.25.67:80 | highspeedinternetlosangeles.webnode.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 67.25.185.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | laf3.yourfreshstorage.com | udp |
| US | 8.8.8.8:53 | xsfd.randomasystems.com | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:53677 | N/A | tcp |
| US | 8.8.8.8:53 | t0cke.datastoreplus.com | udp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| N/A | 127.0.0.1:53677 | N/A | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| N/A | 127.0.0.1:53677 | N/A | tcp |
| N/A | 127.0.0.1:53677 | N/A | tcp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| N/A | 127.0.0.1:53677 | N/A | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
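To turn the network tables of both runs into an indicator list, here is an added example, not part of the report or of the sandbox tooling, that parses the rows above. It treats reverse-DNS lookups (in-addr.arpa), loopback, multicast and the 8.8.8.8 resolver as noise, puts www.google.com on an allow-list as an assumed connectivity check, and collapses hostnames to a base domain with a naive last-two-labels rule. The rows are copied from the two tables; the allow-list and the classification are this example's own assumptions.

```python
import ipaddress
from collections import defaultdict

# Rows from this report's behavioral1 and behavioral2 network tables:
# (country, destination, domain, proto); "" where the table shows N/A.
SAMPLE_ROWS = [
    ("US", "8.8.8.8:53", "complaintsboard.com", "udp"),
    ("US", "104.25.182.41:80", "complaintsboard.com", "tcp"),
    ("US", "8.8.8.8:53", "qea6.randomasystems.com", "udp"),
    ("US", "8.8.8.8:53", "yz4.randomasystems.com", "udp"),
    ("US", "8.8.8.8:53", "www.google.com", "udp"),
    ("GB", "142.250.187.196:80", "www.google.com", "tcp"),
    ("US", "8.8.8.8:53", "9rk.yourfreshstorage.com", "udp"),
    ("", "127.0.0.1:61535", "", "tcp"),
    ("US", "8.8.8.8:53", "241.150.49.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "highspeedinternetlosangeles.webnode.com", "udp"),
    ("DE", "18.185.25.67:80", "highspeedinternetlosangeles.webnode.com", "tcp"),
    ("", "224.0.0.251:5353", "", "udp"),
    ("US", "8.8.8.8:53", "laf3.yourfreshstorage.com", "udp"),
    ("US", "8.8.8.8:53", "xsfd.randomasystems.com", "udp"),
    ("", "127.0.0.1:53677", "", "tcp"),
    ("US", "8.8.8.8:53", "t0cke.datastoreplus.com", "udp"),
]

# Assumption for this example: sandbox connectivity checks are not indicators.
ALLOWLIST = {"www.google.com"}

def base_domain(name):
    """Naive registrable domain: last two labels. A production tool should use
    the public suffix list so that e.g. host.co.uk is not collapsed to co.uk."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name.lower()

def extract_network_iocs(rows):
    candidates = defaultdict(set)   # base domain -> full hostnames seen
    contacted = set()               # remote IPs with a non-resolver connection
    loopback_ports = set()          # local listeners, not network IOCs
    for _country, dest, domain, proto in rows:
        host, _, port = dest.rpartition(":")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue                # destination was not an IP literal
        port = int(port)
        if ip.is_loopback:
            loopback_ports.add(port)
            continue
        if ip.is_multicast or ip.is_private:
            continue
        if domain:
            if domain.endswith(".in-addr.arpa") or domain in ALLOWLIST:
                continue
            candidates[base_domain(domain)].add(domain)
        if not (proto == "udp" and port == 53):
            contacted.add(str(ip))  # the resolver itself is not an IOC
    return {"candidates": dict(candidates), "contacted_ips": contacted,
            "loopback_ports": loopback_ports}

def rotating_hosts(result, min_names=2):
    """Base domains queried under more than one leading label."""
    return {base for base, names in result["candidates"].items()
            if len(names) >= min_names}

if __name__ == "__main__":
    result = extract_network_iocs(SAMPLE_ROWS)
    for base, names in sorted(result["candidates"].items()):
        print(base, sorted(names))
    print("contacted:", sorted(result["contacted_ips"]))
    print("rotating:", sorted(rotating_hosts(result)))
```

The leading labels change between lookups (qea6/yz4/xsfd on randomasystems.com, 9rk/laf3 on yourfreshstorage.com), so a block on a full hostname is brittle; block or sinkhole the base domain instead. The opposite holds for highspeedinternetlosangeles.webnode.com: webnode.com is a hosted site-builder domain, so keep that one at full-hostname granularity rather than blocking its base domain. The loopback connections to a high TCP port in both runs point at a local listener in the sample and belong in host-based checks, not in the network indicator list.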
Files
memory/5020-0-0x0000000000400000-0x0000000000454000-memory.dmp
memory/5020-2-0x0000000000400000-0x0000000000452000-memory.dmp
memory/5020-3-0x0000000000400000-0x0000000000454000-memory.dmp
C:\Users\Admin\AppData\Roaming\37B60\0AFD.7B6
| MD5 | 4f35c593a40c164af68f67a73edd9a84 |
| SHA1 | 4e3b7567a0c047660eb40b4d92082217c2efcbbe |
| SHA256 | 2db557598ade1e24d3f6153f4f8fb3e17f23c366d563af3dd0d7c796a0f06136 |
| SHA512 | 0a9e46e33c9c45237bb92313609846bda390f0dddcf3a80fa6e4735e438efdf294f3500520c70a352ea4f228bb1809f737ae7f0f2f163f7c573feb95df7ee95b |
memory/224-19-0x0000000000400000-0x0000000000454000-memory.dmp
memory/224-18-0x0000000000400000-0x0000000000454000-memory.dmp
memory/224-20-0x0000000000400000-0x0000000000454000-memory.dmp
memory/5020-21-0x0000000000400000-0x0000000000454000-memory.dmp
memory/5020-22-0x0000000000400000-0x0000000000452000-memory.dmp
C:\Users\Admin\AppData\Roaming\37B60\0AFD.7B6
| MD5 | 6cf640c0c71d498200f64fa5d99a328a |
| SHA1 | 8265f2c456a2d2f3ff8ddfcf0941e8fcebca08f5 |
| SHA256 | 79ed62d1c7e0f5a7195910b1b2a929bced5614045d07ca63d5328e44f2ff107d |
| SHA512 | 7f37a85b1e1de1924a1bca288834c18c477b4b4a1ce5644bb93a1f3be34729fee11fc0de044393a40450495e7fa9bddcb6dfe66077531f9be1c504e2342059a5 |
memory/4868-156-0x0000000000400000-0x0000000000454000-memory.dmp
C:\Users\Admin\AppData\Roaming\37B60\0AFD.7B6
| MD5 | c00a7bb79e4c69c1ebc857cbc6d3fe04 |
| SHA1 | 856a6b50054c5bcab6143f3dbc9c95d994bbdded |
| SHA256 | deb65c65b9570bf468ee3d11df740ca015e8fff9ce205e131451c9a71c00ed3b |
| SHA512 | 84b95fd97142dfe3a57bdd82c28a20edeaaf952fb6d918fbf424afb43baa5ed8edba3287a28214ba616d419ced2eaa79184aee8530e75ea9b78db2194dbd8447 |
C:\Users\Admin\AppData\Roaming\37B60\0AFD.7B6
| MD5 | e015883c702f3a624e4cf17489de559a |
| SHA1 | b1a5a743d676ea691a9efcd1777c9746d491c54d |
| SHA256 | b25c7ed160916b8a651f96ccf7b2641b04ca71c92cc7266f0465d79c77ee874a |
| SHA512 | 872132e12de8a5090f953f6cdcb477aadf4ee6007005df792421a14a89d1837db3a5d6c1bfba503b2eb35886d910487d95ad824a09fed51b49b2774db499853c |
memory/5020-295-0x0000000000400000-0x0000000000454000-memory.dmp