Analysis
max time kernel: 140s
max time network: 125s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 21-01-2025 02:20
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe
Size: 277KB
MD5: 015e06819449a0aba6b2aa3a5c05e4fc
SHA1: 1a9cfd1445d5e220b15afc1b3cc87c692306bd4d
SHA256: 1b3176504812227a816d0905092ecc6d9703b9bd677d159669bcd090df2cac83
SHA512: 0e4fda2845e0f120a4ca78545fb33807f4b44b5b9e3916a62c3554275050114de41e2d9871d54a7b9adaddc273ab212c24d7da6b8cb291b80cea47a82ffe0daf
SSDEEP: 6144:4t0XPlWWZwrjVNVa4pKpo5YuKMQEWBe1t186ctjqr:4WXJZwfVNwTuYuTkEW4
Malware Config
Signatures
Cycbot family
Detects Cycbot payload 7 IoCs
Cycbot is a backdoor and trojan written in C++.
All memory-dump YARA hits below are from behavioral1 (the Windows 7 run); the report shows no behavioral2 results.
resource / yara_rule:
- behavioral1/memory/2368-11-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot
- behavioral1/memory/2368-13-0x0000000000400000-0x0000000000467000-memory.dmp family_cycbot
- behavioral1/memory/2348-15-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot
- behavioral1/memory/2368-71-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot
- behavioral1/memory/1976-73-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot
- behavioral1/memory/2368-194-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot
- behavioral1/memory/2368-198-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot
The family rule fires on the 0x400000-0x46A000 image region of the original process (2368) and of the two re-launched copies (2348, 1976). The UPX rule below fires on the same regions, which is consistent with a UPX-packed sample whose unpacked code is visible in the memory dumps.
Modifies security service 2 TTPs 1 IoCs
description / ioc / Process:
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe
wscsvc is the Windows Security Center service. Start = 3 is SERVICE_DEMAND_START (manual), so the service no longer starts automatically at boot; the Windows 7 default is 2 (automatic).
Pony family
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description / ioc / Process:
- Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe
Note that the acting process is explorer.exe, not the sample, and the key is the per-user Installed Components key that the shell maintains under HKCU. Active Setup persistence requires a component subkey with a StubPath value under the machine-wide HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components key, which is not recorded here, so on its own this hit is weak evidence.
Disables taskbar notifications via registry modification
Executes dropped EXE 1 IoCs
pid / Process:
- 2192 5080.tmp
Loads dropped DLL 2 IoCs
pid / Process:
- 2368 JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe
- 2368 JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials.
Unsecured Credentials: Credentials In Files 1 TTPs
Steals credentials from unsecured files.
Adds Run key to start application 2 TTPs 1 IoCs
description / ioc / Process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\19E.exe = "C:\\Program Files (x86)\\LP\\542D\\19E.exe" JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe
The Run value points at the file the sample drops under C:\Program Files (x86)\LP\542D\ (see "Drops file in Program Files directory" below). Wow6432Node is the 32-bit view of HKLM\SOFTWARE on this x64 guest, which is where a 32-bit process writing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is redirected.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
resource / yara_rule (upx, 9 hits):
- behavioral1/memory/2368-2-0x0000000000400000-0x000000000046A000-memory.dmp upx
- behavioral1/memory/2368-11-0x0000000000400000-0x000000000046A000-memory.dmp upx
- behavioral1/memory/2348-14-0x0000000000400000-0x000000000046A000-memory.dmp upx
- behavioral1/memory/2368-13-0x0000000000400000-0x0000000000467000-memory.dmp upx
- behavioral1/memory/2348-15-0x0000000000400000-0x000000000046A000-memory.dmp upx
- behavioral1/memory/2368-71-0x0000000000400000-0x000000000046A000-memory.dmp upx
- behavioral1/memory/1976-73-0x0000000000400000-0x000000000046A000-memory.dmp upx
- behavioral1/memory/2368-194-0x0000000000400000-0x000000000046A000-memory.dmp upx
- behavioral1/memory/2368-198-0x0000000000400000-0x000000000046A000-memory.dmp upx
Drops file in Program Files directory 3 IoCs
description / ioc / Process:
- File created C:\Program Files (x86)\LP\542D\19E.exe JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe
- File opened for modification C:\Program Files (x86)\LP\542D\19E.exe JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe
- File opened for modification C:\Program Files (x86)\LP\542D\5080.tmp JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5080.tmp
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe
Modifies registry class 5 IoCs
description / ioc / Process:
- Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings explorer.exe
- Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe
- Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe
- Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe
- Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe
All five entries are explorer.exe writing its own ShellBag (BagMRU) folder-view state, which is ordinary shell activity rather than something the sample did.
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid / Process:
- 2368 JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe (14 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid / Process:
- 2976 explorer.exe
Suspicious use of AdjustPrivilegeToken 15 IoCs
description / pid / Process:
- Token: SeRestorePrivilege 2548 msiexec.exe
- Token: SeTakeOwnershipPrivilege 2548 msiexec.exe
- Token: SeSecurityPrivilege 2548 msiexec.exe
- Token: SeShutdownPrivilege 2976 explorer.exe (12 entries)
Suspicious use of FindShellTrayWindow 24 IoCs
pid / Process:
- 2976 explorer.exe (24 entries)
Suspicious use of SendNotifyMessage 16 IoCs
pid / Process:
- 2976 explorer.exe (16 entries)
Suspicious use of WriteProcessMemory 12 IoCs
description / pid / Process / procid_target:
- PID 2368 wrote to memory of 2348 2368 JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe 32 (4 entries)
- PID 2368 wrote to memory of 1976 2368 JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe 34 (4 entries)
- PID 2368 wrote to memory of 2192 2368 JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe 37 (4 entries)
The sample (PID 2368) writes into every child it starts: the two re-launched copies of itself (2348, 1976) and the dropped 5080.tmp (2192).
System policy modification 1 TTPs 2 IoCs
description / ioc / Process:
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe
HideSCAHealth = 1 hides the Security Center health notifications from the taskbar notification area, so the user is not warned after the Security Center service is switched to manual start (see "Modifies security service" above). This is the registry write behind the "Disables taskbar notifications" signature.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. The report lists no IoC for this signature, so no task name or command is known.
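The registry IoCs in the Signatures panel are flattened "description / ioc / Process" rows. The Python below is a worked example added by the editor, not part of the sandbox output: it parses those exact rows, normalises the \REGISTRY\MACHINE and \REGISTRY\USER prefixes to HKLM/HKU, decodes the service Start value and the HideSCAHealth policy, and maps each event to an ATT&CK technique. The technique IDs, the Start-value decoding and the actor_is_sample flag are the editor's additions; the IoC strings are copied from this report.

```python
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = "JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe"

# Registry IoC lines copied from the Signatures panel of this report; gathering
# them into one list is the only constructed part of the input.
REGISTRY_IOCS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" ' + SAMPLE,
    r'Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\19E.exe = "C:\\Program Files (x86)\\LP\\542D\\19E.exe" ' + SAMPLE,
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer ' + SAMPLE,
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" ' + SAMPLE,
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5080.tmp',
]

# Native object-manager hive prefixes as the sandbox logs them -> short names.
HIVES = [("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")]
# Meaning of the Start value of a service key.
SERVICE_START = {"0": "boot", "1": "system", "2": "automatic", "3": "manual", "4": "disabled"}
LINE_RE = re.compile(r"^(Key created|Key opened|Set value \(\w+\))\s+(.+)$")


@dataclass
class RegistryEvent:
    op: str               # "created", "opened" or "set"
    path: str             # normalised to HKLM\... or HKU\...
    value: Optional[str]  # only for "set"
    process: str          # acting process (last token of the IoC line)


def normalize_path(path: str) -> str:
    for native, short in HIVES:
        if path.upper().startswith(native):
            return short + path[len(native):]
    return path


def parse_registry_ioc(line: str) -> RegistryEvent:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a registry IoC line: {line!r}")
    op = "set" if m.group(1).startswith("Set") else m.group(1).split()[1]
    rest, _, process = m.group(2).rpartition(" ")  # process names carry no spaces here
    value = None
    if ' = "' in rest:
        path, _, raw = rest.partition(' = "')
        value = raw.rstrip('"').replace("\\\\", "\\")  # the report escapes backslashes in string values
    else:
        path = rest
    return RegistryEvent(op, normalize_path(path), value, process)


def classify(ev: RegistryEvent) -> Optional[tuple]:
    """Map one event to (ATT&CK technique, description), or None if uninteresting."""
    p = ev.path.lower()
    if ev.op == "set" and p.endswith("\\services\\wscsvc\\start"):
        mode = SERVICE_START.get(ev.value, "unknown")
        return ("T1562.001", f"Security Center service (wscsvc) start type set to {ev.value} ({mode})")
    if ev.op == "set" and "\\currentversion\\run\\" in p:
        name = ev.path.rsplit("\\", 1)[1]
        view = " via Wow6432Node (32-bit view on x64)" if "wow6432node" in p else ""
        return ("T1547.001", f"Run key {name} -> {ev.value}{view}")
    if "\\active setup\\installed components" in p:
        return ("T1547.014", "Active Setup Installed Components key touched")
    if ev.op == "set" and p.endswith("\\policies\\explorer\\hidescahealth"):
        state = "hidden" if ev.value == "1" else "shown"
        return ("T1112", f"HideSCAHealth = {ev.value}: Security Center health alerts {state} in the notification area")
    if ev.op == "created" and p.endswith("\\policies\\explorer"):
        return ("T1112", "Explorer policy key created")
    if p.endswith("\\control\\nls\\language"):
        return ("T1614.001", "system language key read (locale fingerprinting)")
    return None


def triage(lines, sample: str = SAMPLE):
    findings = []
    for line in lines:
        ev = parse_registry_ioc(line)
        hit = classify(ev)
        if hit is None:
            continue
        technique, description = hit
        findings.append({
            "technique": technique, "description": description, "path": ev.path,
            "value": ev.value, "process": ev.process,
            "actor_is_sample": ev.process == sample,  # False: attributed to another process, e.g. explorer.exe
        })
    return findings


if __name__ == "__main__":
    for f in triage(REGISTRY_IOCS):
        flag = "" if f["actor_is_sample"] else f"  [actor: {f['process']}]"
        print(f"{f['technique']:<10} {f['description']}{flag}")
```

The actor_is_sample flag is the check that matters most when reading a report like this one: it separates the writes made by the sample (wscsvc Start, the Run key, HideSCAHealth) from the Active Setup hit that explorer.exe produced on its own.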
Processes
(tree depth as recorded by the sandbox; each entry gives image path, PID, command line and the signatures attributed to that PID)
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe (PID 2368)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe"
  - Modifies security service
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - child: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe (PID 2348)
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe startC:\Users\Admin\AppData\Roaming\D21FA\92554.exe%C:\Users\Admin\AppData\Roaming\D21FA
    - System Location Discovery: System Language Discovery
  - child: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe (PID 1976)
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe startC:\Program Files (x86)\FAE1A\lvvm.exe%C:\Program Files (x86)\FAE1A
    - System Location Discovery: System Language Discovery
  - child: C:\Program Files (x86)\LP\542D\5080.tmp (PID 2192)
    command line: "C:\Program Files (x86)\LP\542D\5080.tmp"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
- C:\Windows\system32\msiexec.exe (PID 2548)
  command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe (PID 2976)
  command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Reading the tree: the sample (2368) re-launches its own image twice with a start<path>%<directory> argument and writes into both copies (see "Suspicious use of WriteProcessMemory"); the memory dumps of 2348 and 1976 carry the family_cycbot hits. The paths named in those arguments (C:\Users\Admin\AppData\Roaming\D21FA\92554.exe and C:\Program Files (x86)\FAE1A\lvvm.exe) do not appear in the "Drops file" signature, so the report does not confirm they were written. 5080.tmp (2192) is the dropped file that was executed; 19E.exe, dropped into the same LP\542D directory and registered in the Run key, is not recorded as executed in this run. msiexec.exe /V and explorer.exe are separate roots with no recorded parent link to the sample, and the signatures attributed to them are also produced by ordinary Windows Installer and shell activity, so they should not be counted as sample behaviour without further evidence.
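The process tree, the WriteProcessMemory rows and the memory-dump YARA rows can be joined by PID. The Python below is an example added by the editor, not sandbox output: it deduplicates the WriteProcessMemory rows, splits the start<path>%<dir> argument the two re-launched copies receive, and reports which of the processes the sample wrote into also have family_cycbot and upx hits on their memory dumps. The argument split follows the visible command lines only; how the payload itself interprets that argument is not shown on the page and is not assumed. The PID-keyed dict and the trimmed hit lists are constructed from the rows above.

```python
import re
from collections import defaultdict

SAMPLE = "JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe"

# Command lines from the Processes tree above, keyed by PID (dict constructed here).
PROCESSES = {
    2368: r'"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe"',
    2348: r'C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe startC:\Users\Admin\AppData\Roaming\D21FA\92554.exe%C:\Users\Admin\AppData\Roaming\D21FA',
    1976: r'C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe startC:\Program Files (x86)\FAE1A\lvvm.exe%C:\Program Files (x86)\FAE1A',
    2192: r'"C:\Program Files (x86)\LP\542D\5080.tmp"',
    2548: r'C:\Windows\system32\msiexec.exe /V',
    2976: r'explorer.exe',
}

# "Suspicious use of WriteProcessMemory" entries as logged; the report repeats each one
# four times, one duplicate is kept here to show the deduplication.
WPM_LINES = [
    "PID 2368 wrote to memory of 2348 2368 " + SAMPLE + " 32",
    "PID 2368 wrote to memory of 2348 2368 " + SAMPLE + " 32",
    "PID 2368 wrote to memory of 1976 2368 " + SAMPLE + " 34",
    "PID 2368 wrote to memory of 2192 2368 " + SAMPLE + " 37",
]

# Memory-dump YARA hits from the Signatures panel (one upx and one family_cycbot hit per PID kept).
MEMORY_HITS = [
    "behavioral1/memory/2368-2-0x0000000000400000-0x000000000046A000-memory.dmp upx",
    "behavioral1/memory/2368-11-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot",
    "behavioral1/memory/2348-14-0x0000000000400000-0x000000000046A000-memory.dmp upx",
    "behavioral1/memory/2348-15-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot",
    "behavioral1/memory/1976-73-0x0000000000400000-0x000000000046A000-memory.dmp upx",
    "behavioral1/memory/1976-73-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot",
]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\w+)")
START_RE = re.compile(r" start(.+?)%(.+)$")  # "start<exe path>%<directory>" as seen in the tree


def wpm_edges(lines):
    """Deduplicated (writer_pid, target_pid) pairs."""
    edges = set()
    for line in lines:
        m = WPM_RE.search(line)
        if m:
            edges.add((int(m.group(1)), int(m.group(2))))
    return edges


def split_start_arg(cmdline):
    """(exe path, directory) from a 'start<path>%<dir>' argument, or None when absent."""
    m = START_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def image_name(cmdline):
    exe = cmdline.split('"')[1] if cmdline.startswith('"') else cmdline.split(" ")[0]
    return exe.rsplit("\\", 1)[-1]


def memory_rules(hits):
    """pid -> {rule name -> set of (start, end) regions}."""
    rules = defaultdict(lambda: defaultdict(set))
    for line in hits:
        m = DUMP_RE.search(line)
        if m:
            pid, start, end, rule = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16), m.group(4)
            rules[pid][rule].add((start, end))
    return rules


def triage(processes, wpm_lines, hits, sample=SAMPLE):
    """One row per process the sample wrote into: what ran there and what YARA saw in its memory."""
    rules = memory_rules(hits)
    rows = []
    for writer, target in sorted(wpm_edges(wpm_lines)):
        cmd = processes.get(target, "")
        rows.append({
            "writer": writer,
            "target": target,
            "image": image_name(cmd),
            "self_copy": image_name(cmd) == sample,  # re-launched copy of the sample itself
            "start_arg": split_start_arg(cmd),
            "family_hit": "family_cycbot" in rules.get(target, {}),
            "packed_hit": "upx" in rules.get(target, {}),
        })
    return rows


if __name__ == "__main__":
    for r in triage(PROCESSES, WPM_LINES, MEMORY_HITS):
        print(r)
```

Run as-is it prints three rows: the two self-copies (1976, 2348) with their start arguments and both YARA hits, and 5080.tmp (2192), which the sample also wrote into but for which the report records no memory-dump hit.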
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (3)
  - Credentials In Files (3)
Downloads
- Filesize: 600B
  MD5: 328b17365c6b1f0362e95d9c4f1bf605
  SHA1: fd3de4bd9c126c962a3b69decb796827d34ce7f1
  SHA256: 5112d523ceafb8a884bbd2ea225c0ebb739fef16bd99f4141146280b49e4379f
  SHA512: e69cc3e84935cb8a7e2a9041090f08eedf110438387c2bc62996a9182a73bdca0a7de85576bae929d0637e1a4e663dc3cd6da91a735c5be7763d3af50dbb537d
- Filesize: 1KB
  MD5: 23ca5b46e6c8dc1b1708262e358474e8
  SHA1: d4f20b44ae88a776e27d51ebb3e2b63324183588
  SHA256: a9e89e8d38df07018e9bfa464092dfc645a7eb81039821a8c73b300db4d0c471
  SHA512: 228ec7d3c980c6329584c4fd1c89060af52f3258a063d10c373d06541caf46fe5d5e42a04c8e865e524bbb5a7d1e2ccf46a586793bdd78fffbab7eba476d73fc
- Filesize: 996B
  MD5: 86be6650c16cb7b8724f33714108d55d
  SHA1: 05d2964a6ce9d1d56de173146231d77d6732420b
  SHA256: 6977976692528f1f7d4e058d700bd77bcdf7a2508459c9db44b4efcf2abfc2dd
  SHA512: 5f368ce28cec89af15d4844a08a9295698ebd734b6ffee9580dc89319452ccbbcdd921704aca0ab1bc76caf01ad4b01d453d12602592f5bdec236a097d5824d0
- Filesize: 98KB
  MD5: 452ca0be44887092384b55fbb84d79c7
  SHA1: c51135c52fdff98dacc66b1bbb5dd215b90d3a8b
  SHA256: fe1aa7fbb7f031ee7e5213dd6656d1502f127f6ddbd5b9aab8f6d880031ea688
  SHA512: 9fb18a250f93fba63cf40e8efe58ef687ad197f764f1f16b23a9cbf6efc64fe60a75b523ff1c8876fa70f597f8149139410396c03db58294fce5019ea627ff07