Analysis

  • max time kernel
    140s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-01-2025 02:20

General

  • Target

    JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe

  • Size

    277KB

  • MD5

    015e06819449a0aba6b2aa3a5c05e4fc

  • SHA1

    1a9cfd1445d5e220b15afc1b3cc87c692306bd4d

  • SHA256

    1b3176504812227a816d0905092ecc6d9703b9bd677d159669bcd090df2cac83

  • SHA512

    0e4fda2845e0f120a4ca78545fb33807f4b44b5b9e3916a62c3554275050114de41e2d9871d54a7b9adaddc273ab212c24d7da6b8cb291b80cea47a82ffe0daf

  • SSDEEP

    6144:4t0XPlWWZwrjVNVa4pKpo5YuKMQEWBe1t186ctjqr:4WXJZwfVNwTuYuTkEW4

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 7 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
  • Pony family
  • Pony, Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 24 IoCs
  • Suspicious use of SendNotifyMessage 16 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2368
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe startC:\Users\Admin\AppData\Roaming\D21FA\92554.exe%C:\Users\Admin\AppData\Roaming\D21FA
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2348
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_015e06819449a0aba6b2aa3a5c05e4fc.exe startC:\Program Files (x86)\FAE1A\lvvm.exe%C:\Program Files (x86)\FAE1A
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1976
    • C:\Program Files (x86)\LP\542D\5080.tmp
      "C:\Program Files (x86)\LP\542D\5080.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2192
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2548
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2976

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\D21FA\AE1A.21F

    Filesize

    600B

    MD5

    328b17365c6b1f0362e95d9c4f1bf605

    SHA1

    fd3de4bd9c126c962a3b69decb796827d34ce7f1

    SHA256

    5112d523ceafb8a884bbd2ea225c0ebb739fef16bd99f4141146280b49e4379f

    SHA512

    e69cc3e84935cb8a7e2a9041090f08eedf110438387c2bc62996a9182a73bdca0a7de85576bae929d0637e1a4e663dc3cd6da91a735c5be7763d3af50dbb537d

  • C:\Users\Admin\AppData\Roaming\D21FA\AE1A.21F

    Filesize

    1KB

    MD5

    23ca5b46e6c8dc1b1708262e358474e8

    SHA1

    d4f20b44ae88a776e27d51ebb3e2b63324183588

    SHA256

    a9e89e8d38df07018e9bfa464092dfc645a7eb81039821a8c73b300db4d0c471

    SHA512

    228ec7d3c980c6329584c4fd1c89060af52f3258a063d10c373d06541caf46fe5d5e42a04c8e865e524bbb5a7d1e2ccf46a586793bdd78fffbab7eba476d73fc

  • C:\Users\Admin\AppData\Roaming\D21FA\AE1A.21F

    Filesize

    996B

    MD5

    86be6650c16cb7b8724f33714108d55d

    SHA1

    05d2964a6ce9d1d56de173146231d77d6732420b

    SHA256

    6977976692528f1f7d4e058d700bd77bcdf7a2508459c9db44b4efcf2abfc2dd

    SHA512

    5f368ce28cec89af15d4844a08a9295698ebd734b6ffee9580dc89319452ccbbcdd921704aca0ab1bc76caf01ad4b01d453d12602592f5bdec236a097d5824d0

  • \Program Files (x86)\LP\542D\5080.tmp

    Filesize

    98KB

    MD5

    452ca0be44887092384b55fbb84d79c7

    SHA1

    c51135c52fdff98dacc66b1bbb5dd215b90d3a8b

    SHA256

    fe1aa7fbb7f031ee7e5213dd6656d1502f127f6ddbd5b9aab8f6d880031ea688

    SHA512

    9fb18a250f93fba63cf40e8efe58ef687ad197f764f1f16b23a9cbf6efc64fe60a75b523ff1c8876fa70f597f8149139410396c03db58294fce5019ea627ff07

  • memory/1976-73-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2192-195-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/2348-14-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2348-15-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2368-13-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/2368-11-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2368-71-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2368-2-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2368-1-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/2368-194-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2368-198-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB