Analysis
-
max time kernel
140s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19/01/2025, 18:57
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe
Resource
win7-20240903-en
General
-
Target
JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe
-
Size
173KB
-
MD5
d032b2a990bafb82e3472c97101b14f3
-
SHA1
35f5baa21c642933065fc32f862ff36d43f8c74b
-
SHA256
16efd532684c4624f8a73b14930d2ea72b291caa15b099331ab397a9c73bf752
-
SHA512
7dc3f7080084b3f325a07111f84bf1516b7bfa8ccad0a0cb3af6249ae05a5c04b166454781aadb8c543d82a897e73e1db9d09f0a44a2431a7a160795c649606e
-
SSDEEP
3072:bZh60ADfBVq4vl/PzAqKc135bdpZ+4vX57jNlzLNmyyIz1ifHJKy/crb5gGb/:bZbCz/NntKc135bvZ+4vX13zBmjIwpKv
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 5 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral1/memory/2556-15-0x0000000000400000-0x000000000046D000-memory.dmp family_cycbot behavioral1/memory/2392-16-0x0000000000400000-0x000000000046D000-memory.dmp family_cycbot behavioral1/memory/2392-75-0x0000000000400000-0x000000000046D000-memory.dmp family_cycbot behavioral1/memory/2160-79-0x0000000000400000-0x000000000046D000-memory.dmp family_cycbot behavioral1/memory/2392-186-0x0000000000400000-0x000000000046D000-memory.dmp family_cycbot -
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\2844E\\6DED3.exe" JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/2392-2-0x0000000000400000-0x000000000046D000-memory.dmp upx behavioral1/memory/2556-15-0x0000000000400000-0x000000000046D000-memory.dmp upx behavioral1/memory/2556-13-0x0000000000400000-0x000000000046D000-memory.dmp upx behavioral1/memory/2392-16-0x0000000000400000-0x000000000046D000-memory.dmp upx behavioral1/memory/2392-75-0x0000000000400000-0x000000000046D000-memory.dmp upx behavioral1/memory/2160-78-0x0000000000400000-0x000000000046D000-memory.dmp upx behavioral1/memory/2160-79-0x0000000000400000-0x000000000046D000-memory.dmp upx behavioral1/memory/2392-186-0x0000000000400000-0x000000000046D000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2392 wrote to memory of 2556 2392 JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe 31 PID 2392 wrote to memory of 2556 2392 JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe 31 PID 2392 wrote to memory of 2556 2392 JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe 31 PID 2392 wrote to memory of 2556 2392 JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe 31 PID 2392 wrote to memory of 2160 2392 JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe 33 PID 2392 wrote to memory of 2160 2392 JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe 33 PID 2392 wrote to memory of 2160 2392 JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe 33 PID 2392 wrote to memory of 2160 2392 JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe"1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe startC:\Program Files (x86)\Internet Explorer\D3A2\728.exe%C:\Program Files (x86)\Internet Explorer\D3A22⤵
- System Location Discovery: System Language Discovery
PID:2556
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe startC:\Users\Admin\AppData\Local\Temp\lvvm.exe%C:\Users\Admin\AppData\Local\Temp2⤵
- System Location Discovery: System Language Discovery
PID:2160
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD51ce90c2d3de42198a2aeab494d775d4c
SHA13b616613e5b32e848ac194c3b902ae23f10991d4
SHA256c8193146037fdff50bff268a5de0823692fcfe9beefd0a7e0470b52ef5d6575e
SHA5129616f2c1ca7bff64a7139db1965959d3cf55a3b68fb8d5df5a0ad644efc472c10b6e4da5acb4b444158c355aa8c510f8efd6e8685ca0908bb360fa06a478b68a
-
Filesize
600B
MD51886fbc77df825bb4f6569966dc7e6fa
SHA191432decd69a1520d0ad338ff9a6a673d8dd1fe8
SHA25692aa306dba6eefa165a9acf1e26127b01230ec6d97aace4f6b7b1d893c800907
SHA512051974175fe8abb0cc750bfa7002699ac644aa6e5d239c295ecbd127b68b81ed77908937df9acfcda3257f04feb2abd0eb88b0b1f259084d8facef7502c1bdc2
-
Filesize
996B
MD58eb1d366d74884c16af86a26f28738e4
SHA10402c0179c2b915410975f03dbf81a389d004d18
SHA256d36a4cf1189990ae20d7824d08cbf7f773f8c94993b366185ef6af7b1e386c71
SHA512a9327dc73c969c741a2eaefdd4e9aad7feb7e2d257b17f7dc7d106291e6a5e7ac460df7e89f79723791a4a5d326ab07f181fe46898f8968cef7d40f00cbe208d