Analysis Overview
SHA256
16efd532684c4624f8a73b14930d2ea72b291caa15b099331ab397a9c73bf752
Threat Level: Known bad
The file JaffaCakes118_d032b2a990bafb82e3472c97101b14f3 was found to be: Known bad.
Malicious Activity Summary
Cycbot
Cycbot family
Detects Cycbot payload
Modifies WinLogon for persistence
Reads user/profile data of web browsers
UPX packed file
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-19 18:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-19 18:57
Reported
2025-01-19 19:00
Platform
win7-20240903-en
Max time kernel
140s
Max time network
119s
Command Line
Signatures
Cycbot
Cycbot family
Detects Cycbot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\2844E\\6DED3.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe startC:\Program Files (x86)\Internet Explorer\D3A2\728.exe%C:\Program Files (x86)\Internet Explorer\D3A2
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe startC:\Users\Admin\AppData\Local\Temp\lvvm.exe%C:\Users\Admin\AppData\Local\Temp
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | armoredlegion.com | udp |
| US | 104.21.94.246:80 | armoredlegion.com | tcp |
| US | 8.8.8.8:53 | onlinehelptoall.com | udp |
| US | 8.8.8.8:53 | onlinefilepanel.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| N/A | 127.0.0.1:50606 | | tcp |
| N/A | 127.0.0.1:50606 | | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
Files
memory/2392-1-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2392-2-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2556-12-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2556-15-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2556-13-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2392-16-0x0000000000400000-0x000000000046D000-memory.dmp
C:\Users\Admin\AppData\Roaming\2844E\EBED.844
| MD5 | 1886fbc77df825bb4f6569966dc7e6fa |
| SHA1 | 91432decd69a1520d0ad338ff9a6a673d8dd1fe8 |
| SHA256 | 92aa306dba6eefa165a9acf1e26127b01230ec6d97aace4f6b7b1d893c800907 |
| SHA512 | 051974175fe8abb0cc750bfa7002699ac644aa6e5d239c295ecbd127b68b81ed77908937df9acfcda3257f04feb2abd0eb88b0b1f259084d8facef7502c1bdc2 |
memory/2392-75-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2160-78-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2160-77-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2160-79-0x0000000000400000-0x000000000046D000-memory.dmp
C:\Users\Admin\AppData\Roaming\2844E\EBED.844
| MD5 | 8eb1d366d74884c16af86a26f28738e4 |
| SHA1 | 0402c0179c2b915410975f03dbf81a389d004d18 |
| SHA256 | d36a4cf1189990ae20d7824d08cbf7f773f8c94993b366185ef6af7b1e386c71 |
| SHA512 | a9327dc73c969c741a2eaefdd4e9aad7feb7e2d257b17f7dc7d106291e6a5e7ac460df7e89f79723791a4a5d326ab07f181fe46898f8968cef7d40f00cbe208d |
C:\Users\Admin\AppData\Roaming\2844E\EBED.844
| MD5 | 1ce90c2d3de42198a2aeab494d775d4c |
| SHA1 | 3b616613e5b32e848ac194c3b902ae23f10991d4 |
| SHA256 | c8193146037fdff50bff268a5de0823692fcfe9beefd0a7e0470b52ef5d6575e |
| SHA512 | 9616f2c1ca7bff64a7139db1965959d3cf55a3b68fb8d5df5a0ad644efc472c10b6e4da5acb4b444158c355aa8c510f8efd6e8685ca0908bb360fa06a478b68a |
memory/2392-186-0x0000000000400000-0x000000000046D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-19 18:57
Reported
2025-01-19 19:00
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Cycbot
Cycbot family
Detects Cycbot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\45D25\\00ED3.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe startC:\Program Files (x86)\Internet Explorer\D3A4\BBE.exe%C:\Program Files (x86)\Internet Explorer\D3A4
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d032b2a990bafb82e3472c97101b14f3.exe startC:\Users\Admin\AppData\Local\Temp\lvvm.exe%C:\Users\Admin\AppData\Local\Temp
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | classicbattletech.com | udp |
| US | 72.52.178.23:80 | classicbattletech.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.178.52.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | skymediaportal.com | udp |
| US | 8.8.8.8:53 | skymediaportal.com | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:64727 | | tcp |
| US | 8.8.8.8:53 | yourmediaspace.com | udp |
| US | 66.96.162.149:80 | yourmediaspace.com | tcp |
| US | 8.8.8.8:53 | 149.162.96.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| N/A | 127.0.0.1:64727 | | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| N/A | 127.0.0.1:64727 | | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | 204.27.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| N/A | 127.0.0.1:64727 | | tcp |
| N/A | 127.0.0.1:64727 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
Files
memory/4556-1-0x0000000000400000-0x000000000046D000-memory.dmp
memory/4556-2-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2388-12-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2388-13-0x0000000000400000-0x000000000046D000-memory.dmp
memory/4556-14-0x0000000000400000-0x000000000046D000-memory.dmp
C:\Users\Admin\AppData\Roaming\45D25\5796.5D2
| MD5 | 38ec6431981f58cd5d01e506606c5b1c |
| SHA1 | fc616d2c88cc424518b376edd81375a0224810a4 |
| SHA256 | 1d9a16f4dde8561ec7f2828e0d9da011e561d275f3b704b691a6007a2cb7207b |
| SHA512 | 22c682ddb0e4e7878324eb5ba2d52b14080cad6bac519e75f056f1346df146c5a7ff5f6fd1a13c1b9f409f57f31e2c67084f7ee6233788255729826c1e4c4542 |
memory/4556-77-0x0000000000400000-0x000000000046D000-memory.dmp
memory/776-79-0x0000000000400000-0x000000000046D000-memory.dmp
C:\Users\Admin\AppData\Roaming\45D25\5796.5D2
| MD5 | e89800e70cb94d7736d10604f211897c |
| SHA1 | b17bf1f9f0b4ad60f47a6913dee848c0307cf3c8 |
| SHA256 | 5b09a4929c3b2c31ce3bfce9add25df2167d3e0f4a7f302aebbec839e3b6572a |
| SHA512 | b0ab40b39c2f351ba541a6840a82db6eaf85b8c61501e8a8b2e182cbf8567ec0a98d8fe05d12e93efcf45feb7660ef14e7c03165c0ab19a77918026e40556c1a |
C:\Users\Admin\AppData\Roaming\45D25\5796.5D2
| MD5 | 977fae99c83d680dabb0ebc44d85dc3c |
| SHA1 | ab55d09efdefb494d92a66361ca0bbbdb530a4ed |
| SHA256 | e99ed20aeb5bc173288199a3274604192cc54fbd0f73b496ca4cca0b34df492e |
| SHA512 | cd53d005d2bbde9f5e415945c66beba915addf1ef783b1551f12a19fdb227bfb7dc1c44043e70b23be1ab89e39425d518b15ad413739641bde78af50a2232d70 |
memory/4556-186-0x0000000000400000-0x000000000046D000-memory.dmp