Analysis

  • max time kernel
    141s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-01-2025 15:44

General

  • Target
    JaffaCakes118_eea45da83d4f099c953c9746fc517ec8.exe
  • Size
    273KB
  • MD5
    eea45da83d4f099c953c9746fc517ec8
  • SHA1
    4646cdb9bbfaa87c1fa8d779a496defd289f64d0
  • SHA256
    2e440997e79b15a6ccbe9c314377880bb89294a2ca038a850ae45ec103930dcc
  • SHA512
    67ffe5d445c3487b955c1f8a7a372f9a1f88de2275c0d335e81f86c4e4670a140ca1b6939719c8b57b629fa911d234283dc4eb16bbcb95320b653904f344bbe3
  • SSDEEP
    6144:1OnQo+qIyKf8yP/4xORFzzQGiRpFif4UX6OT03+:aQo+quEqI8x4Qf4UKS7

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 7 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
  • Pony family
  • Pony, Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eea45da83d4f099c953c9746fc517ec8.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eea45da83d4f099c953c9746fc517ec8.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1048
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eea45da83d4f099c953c9746fc517ec8.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eea45da83d4f099c953c9746fc517ec8.exe startC:\Users\Admin\AppData\Roaming\FEDD0\6AC2C.exe%C:\Users\Admin\AppData\Roaming\FEDD0
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2248
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eea45da83d4f099c953c9746fc517ec8.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eea45da83d4f099c953c9746fc517ec8.exe startC:\Program Files (x86)\D0240\lvvm.exe%C:\Program Files (x86)\D0240
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2168
    • C:\Program Files (x86)\LP\2C0F\FD62.tmp
      "C:\Program Files (x86)\LP\2C0F\FD62.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2176
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2212
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1724

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\FEDD0\0240.EDD
    Filesize
    996B
    MD5
    7c2909c6f5860b749a2ef9d0c4c57211
    SHA1
    7194328864196a967ded4b90817221d8e92471af
    SHA256
    268ad230cb9fb47d3aa9b59d72f9f54da344e6c36c0bc3c7187c2fa2eed7feac
    SHA512
    9f44bad09fdbd97f993c8b2522281597f2cf8a13ce4a9ec90b0c84771abb1f99fa191f7727ecfb30ee9d9fc029d58ea6f070f84afda85e06e3ded9c95155a3e2
  • C:\Users\Admin\AppData\Roaming\FEDD0\0240.EDD
    Filesize
    600B
    MD5
    16ccdf327a27a3c0fa3fe28b006b0454
    SHA1
    bbd1db07d96bc501db5d1da3bfa5f2b8aea6cbdd
    SHA256
    8e868dcb31b1022f4499cf763e8ff4a2d06a80cd7e7f5f53e66a3126a9b3a3d8
    SHA512
    0961e799a1f705b03d065683dea7ef06639a820c0281caf066d66d0ce9673be19077470efe06a6401ce6f37f51012ec9e520c1753bd1455abd9e7f5520526649
  • C:\Users\Admin\AppData\Roaming\FEDD0\0240.EDD
    Filesize
    1KB
    MD5
    7d106f158d9b02f3c13946be1611fd92
    SHA1
    ee1ddb042796e92a46528790a3ed4e5987e96d7f
    SHA256
    2ad3f6de354ce17ce4f7969ed9b6bd3bcad06592e3ed4a1ddd48b7afee361160
    SHA512
    5ced4d069ecb4a66b43e306155dabc1478691b48ac3fc3667a8cef24f9c3dd92839f59fe9df12847fa32526e662cc960586bedac0c69a31b35e25c97d98354b1
  • \Program Files (x86)\LP\2C0F\FD62.tmp
    Filesize
    96KB
    MD5
    a26219a94cdad7b6977c8d8e8464c262
    SHA1
    41b54268d8f67973e640395f1940238e915e4521
    SHA256
    7acab258a6879bf9bb647ead7beb4d32e36334d16c49fc0642ac61cf25413866
    SHA512
    4cf35e7c7211a4fe7b210b70394a31a812f9663a516c9eb54c9c1b73acee18bd37fffe2abe54149e6b450b9adbbe89cff53a3ef1b1ff1a90d39d09b16de1d75d
  • memory/1048-16-0x0000000000400000-0x0000000000467000-memory.dmp
    Filesize
    412KB
  • memory/1048-0-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize
    424KB
  • memory/1048-122-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize
    424KB
  • memory/1048-13-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize
    424KB
  • memory/1048-3-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize
    424KB
  • memory/1048-2-0x0000000000400000-0x0000000000467000-memory.dmp
    Filesize
    412KB
  • memory/1048-309-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize
    424KB
  • memory/1048-313-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize
    424KB
  • memory/2168-124-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize
    424KB
  • memory/2168-126-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize
    424KB
  • memory/2176-310-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize
    108KB
  • memory/2248-15-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize
    424KB
  • memory/2248-17-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize
    424KB