Overview

overview

10

Static

static

3

JaffaCakes...16.exe

windows7-x64

10

JaffaCakes...16.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_f4a299dee043b761ebda36a5d846b116

  • Size

    174KB

  • Sample

    250120-w9dmmssqgw

  • MD5

    f4a299dee043b761ebda36a5d846b116

  • SHA1

    093201cf450cd84edbc1795ae2e10fdeadc4be8d

  • SHA256

    1bd0f6b56b2962c533b700d93d47fd9d6d320068a422be7880b24b0c09eb2e10

  • SHA512

    50e5fa0a1d3fdc1f44a1261b08c88cf61b40aa2f1a91461839f91f6bc87559957bb7c94e11f5f2cdf910b5f9f50774bb899359f0cf213e7591648266a9b06b03

  • SSDEEP

    3072:N86UNmwtv6jXf0N8CeVKaQhcoh/HpDtVqECw6xjgVLLXbUPj4WZ4P2PdQLD/DbQo:ys0CzbRVX0c0/Hpb6wdVLHOf4P2PdKlj

Score
10/10
cycbotbackdoordefense_evasiondiscoverypersistenceratspywarestealerupx

Malware Config

Targets

    • Target

      JaffaCakes118_f4a299dee043b761ebda36a5d846b116

    • Size

      174KB

    • MD5

      f4a299dee043b761ebda36a5d846b116

    • SHA1

      093201cf450cd84edbc1795ae2e10fdeadc4be8d

    • SHA256

      1bd0f6b56b2962c533b700d93d47fd9d6d320068a422be7880b24b0c09eb2e10

    • SHA512

      50e5fa0a1d3fdc1f44a1261b08c88cf61b40aa2f1a91461839f91f6bc87559957bb7c94e11f5f2cdf910b5f9f50774bb899359f0cf213e7591648266a9b06b03

    • SSDEEP

      3072:N86UNmwtv6jXf0N8CeVKaQhcoh/HpDtVqECw6xjgVLLXbUPj4WZ4P2PdQLD/DbQo:ys0CzbRVX0c0/Hpb6wdVLHOf4P2PdKlj

    Score
    10/10
    cycbotbackdoordefense_evasiondiscoverypersistenceratspywarestealerupx

    • Cycbot

      Cycbot is a backdoor and trojan written in C++..

      backdoorratcycbot

    • Cycbot family

      cycbot

    • Detects Cycbot payload

      Cycbot is a backdoor and trojan written in C++.

    • Modifies security service

      defense_evasion

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Disables taskbar notifications via registry modification

      defense_evasion

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Modify Registry

5
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

3
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks