Malware Analysis Report

2025-08-05 23:32

Sample ID 250119-xl8zba1qgr
Target JaffaCakes118_d032b2a990bafb82e3472c97101b14f3
SHA256 16efd532684c4624f8a73b14930d2ea72b291caa15b099331ab397a9c73bf752
Tags
cycbot backdoor discovery persistence rat spyware stealer upx
score
10/10


Analysis Overview

score
10/10

SHA256

16efd532684c4624f8a73b14930d2ea72b291caa15b099331ab397a9c73bf752

Threat Level: Known bad

The file JaffaCakes118_d032b2a990bafb82e3472c97101b14f3 was found to be: Known bad.

Malicious Activity Summary

cycbot backdoor discovery persistence rat spyware stealer upx

Cycbot

Cycbot family

Detects Cycbot payload

Modifies WinLogon for persistence

Reads user/profile data of web browsers

UPX packed file

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-19 18:57

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-19 18:57

Reported

2025-01-19 19:00

Platform

win7-20240903-en

Max time kernel

140s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe"

Signatures

Cycbot

backdoor rat cycbot

Cycbot family

cycbot

Detects Cycbot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\2844E\\6DED3.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2392 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe
PID 2392 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe
PID 2392 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe
PID 2392 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe
PID 2392 wrote to memory of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe
PID 2392 wrote to memory of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe
PID 2392 wrote to memory of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe
PID 2392 wrote to memory of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe startC:\Program Files (x86)\Internet Explorer\D3A2\728.exe%C:\Program Files (x86)\Internet Explorer\D3A2

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe startC:\Users\Admin\AppData\Local\Temp\lvvm.exe%C:\Users\Admin\AppData\Local\Temp

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | armoredlegion.com | udp
US | 104.21.94.246:80 | armoredlegion.com | tcp
US | 8.8.8.8:53 | onlinehelptoall.com | udp
US | 8.8.8.8:53 | onlinefilepanel.com | udp
US | 8.8.8.8:53 | www.google.com | udp
GB | 142.250.187.196:80 | www.google.com | tcp
GB | 142.250.187.196:80 | www.google.com | tcp
N/A | 127.0.0.1:50606 | | tcp
N/A | 127.0.0.1:50606 | | tcp
GB | 142.250.187.196:80 | www.google.com | tcp

Files

memory/2392-1-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2392-2-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2556-12-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2556-15-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2556-13-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2392-16-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\AppData\Roaming\2844E\EBED.844

MD5 1886fbc77df825bb4f6569966dc7e6fa
SHA1 91432decd69a1520d0ad338ff9a6a673d8dd1fe8
SHA256 92aa306dba6eefa165a9acf1e26127b01230ec6d97aace4f6b7b1d893c800907
SHA512 051974175fe8abb0cc750bfa7002699ac644aa6e5d239c295ecbd127b68b81ed77908937df9acfcda3257f04feb2abd0eb88b0b1f259084d8facef7502c1bdc2

memory/2392-75-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2160-78-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2160-77-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2160-79-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\AppData\Roaming\2844E\EBED.844

MD5 8eb1d366d74884c16af86a26f28738e4
SHA1 0402c0179c2b915410975f03dbf81a389d004d18
SHA256 d36a4cf1189990ae20d7824d08cbf7f773f8c94993b366185ef6af7b1e386c71
SHA512 a9327dc73c969c741a2eaefdd4e9aad7feb7e2d257b17f7dc7d106291e6a5e7ac460df7e89f79723791a4a5d326ab07f181fe46898f8968cef7d40f00cbe208d

C:\Users\Admin\AppData\Roaming\2844E\EBED.844

MD5 1ce90c2d3de42198a2aeab494d775d4c
SHA1 3b616613e5b32e848ac194c3b902ae23f10991d4
SHA256 c8193146037fdff50bff268a5de0823692fcfe9beefd0a7e0470b52ef5d6575e
SHA512 9616f2c1ca7bff64a7139db1965959d3cf55a3b68fb8d5df5a0ad644efc472c10b6e4da5acb4b444158c355aa8c510f8efd6e8685ca0908bb360fa06a478b68a

memory/2392-186-0x0000000000400000-0x000000000046D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-19 18:57

Reported

2025-01-19 19:00

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe"

Signatures

Cycbot

backdoor rat cycbot

Cycbot family

cycbot

Detects Cycbot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\45D25\\00ED3.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe startC:\Program Files (x86)\Internet Explorer\D3A4\BBE.exe%C:\Program Files (x86)\Internet Explorer\D3A4

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe startC:\Users\Admin\AppData\Local\Temp\lvvm.exe%C:\Users\Admin\AppData\Local\Temp

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | classicbattletech.com | udp
US | 72.52.178.23:80 | classicbattletech.com | tcp
N/A | 224.0.0.251:5353 | | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.178.52.72.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | skymediaportal.com | udp
US | 8.8.8.8:53 | skymediaportal.com | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
N/A | 127.0.0.1:64727 | | tcp
US | 8.8.8.8:53 | yourmediaspace.com | udp
US | 66.96.162.149:80 | yourmediaspace.com | tcp
US | 8.8.8.8:53 | 149.162.96.66.in-addr.arpa | udp
US | 8.8.8.8:53 | www.google.com | udp
GB | 142.250.187.196:80 | www.google.com | tcp
N/A | 127.0.0.1:64727 | | tcp
GB | 142.250.187.196:80 | www.google.com | tcp
N/A | 127.0.0.1:64727 | | tcp
GB | 142.250.187.196:80 | www.google.com | tcp
US | 8.8.8.8:53 | 204.27.101.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp
N/A | 127.0.0.1:64727 | | tcp
N/A | 127.0.0.1:64727 | | tcp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp

Files

memory/4556-1-0x0000000000400000-0x000000000046D000-memory.dmp

memory/4556-2-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2388-12-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2388-13-0x0000000000400000-0x000000000046D000-memory.dmp

memory/4556-14-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\AppData\Roaming\45D25\5796.5D2

MD5 38ec6431981f58cd5d01e506606c5b1c
SHA1 fc616d2c88cc424518b376edd81375a0224810a4
SHA256 1d9a16f4dde8561ec7f2828e0d9da011e561d275f3b704b691a6007a2cb7207b
SHA512 22c682ddb0e4e7878324eb5ba2d52b14080cad6bac519e75f056f1346df146c5a7ff5f6fd1a13c1b9f409f57f31e2c67084f7ee6233788255729826c1e4c4542

memory/4556-77-0x0000000000400000-0x000000000046D000-memory.dmp

memory/776-79-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\AppData\Roaming\45D25\5796.5D2

MD5 e89800e70cb94d7736d10604f211897c
SHA1 b17bf1f9f0b4ad60f47a6913dee848c0307cf3c8
SHA256 5b09a4929c3b2c31ce3bfce9add25df2167d3e0f4a7f302aebbec839e3b6572a
SHA512 b0ab40b39c2f351ba541a6840a82db6eaf85b8c61501e8a8b2e182cbf8567ec0a98d8fe05d12e93efcf45feb7660ef14e7c03165c0ab19a77918026e40556c1a

C:\Users\Admin\AppData\Roaming\45D25\5796.5D2

MD5 977fae99c83d680dabb0ebc44d85dc3c
SHA1 ab55d09efdefb494d92a66361ca0bbbdb530a4ed
SHA256 e99ed20aeb5bc173288199a3274604192cc54fbd0f73b496ca4cca0b34df492e
SHA512 cd53d005d2bbde9f5e415945c66beba915addf1ef783b1551f12a19fdb227bfb7dc1c44043e70b23be1ab89e39425d518b15ad413739641bde78af50a2232d70

memory/4556-186-0x0000000000400000-0x000000000046D000-memory.dmp