cycbot | 77d59c32ed5adbfdc7ced9dd6438bd787af7ad69ac6e6ba53726893d7cdf0a80

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/01/2025, 23:39 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
Size

314KB
MD5

11fa3d2a79204be85855d65b269533bf
SHA1

4b0d0e9f31cab8d907dd9f0f88e6d5235badbef4
SHA256

77d59c32ed5adbfdc7ced9dd6438bd787af7ad69ac6e6ba53726893d7cdf0a80
SHA512

6e1d3cd65857bb31528b2d8961320b86479e6b02eb633c23ac2ef86add295aa780dbd7cbd5d8ec9375d6d797f3a280f7b012d1a4d97f714a1d2915c2ca8cd90f
SSDEEP

6144:z/L3iwgsfDSMj41UKL6dkONAAFPocl1m0wn83OFLOwLOu:z/ngsrSMkJLtSNFgcl1m0w8+x

Score

10^/10

cycbot pony backdoor credential_access defense_evasion discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 8 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1624-4-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1624-5-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/864-18-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1624-19-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2612-181-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1624-183-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1624-292-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1624-294-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot

Modifies security service 2 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
defense_evasion

Executes dropped EXE 1 IoCs

pid	Process
1924	361E.tmp

Loads dropped DLL 2 IoCs

pid	Process
1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\826.exe = "C:\\Program Files (x86)\\LP\\B669\\826.exe"	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1624-3-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1624-4-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1624-5-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/864-18-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1624-19-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2612-181-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1624-183-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1624-292-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1624-294-0x0000000000400000-0x000000000046C000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\LP\B669\826.exe	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
File opened for modification	C:\Program Files (x86)\LP\B669\361E.tmp	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
File created	C:\Program Files (x86)\LP\B669\826.exe	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	361E.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2988	explorer.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeSecurityPrivilege	684	msiexec.exe
Token: SeShutdownPrivilege	2988	explorer.exe
Token: SeShutdownPrivilege	2988	explorer.exe
Token: SeShutdownPrivilege	2988	explorer.exe
Token: SeShutdownPrivilege	2988	explorer.exe
Token: SeShutdownPrivilege	2988	explorer.exe
Token: SeShutdownPrivilege	2988	explorer.exe
Token: SeShutdownPrivilege	2988	explorer.exe
Token: SeShutdownPrivilege	2988	explorer.exe
Token: SeShutdownPrivilege	2988	explorer.exe
Token: SeShutdownPrivilege	2988	explorer.exe
Token: SeShutdownPrivilege	2988	explorer.exe
Token: SeShutdownPrivilege	2988	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 864	1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe	33
PID 1624 wrote to memory of 864	1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe	33
PID 1624 wrote to memory of 864	1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe	33
PID 1624 wrote to memory of 864	1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe	33
PID 1624 wrote to memory of 1924	1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe	36
PID 1624 wrote to memory of 1924	1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe	36
PID 1624 wrote to memory of 1924	1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe	36
PID 1624 wrote to memory of 1924	1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe	36
PID 1624 wrote to memory of 2612	1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe	37
PID 1624 wrote to memory of 2612	1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe	37
PID 1624 wrote to memory of 2612	1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe	37
PID 1624 wrote to memory of 2612	1624	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe	37

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe"
1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1624
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe startC:\Users\Admin\AppData\Roaming\923A1\FBEB6.exe%C:\Users\Admin\AppData\Roaming\923A1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:864
- C:\Program Files (x86)\LP\B669\361E.tmp
  "C:\Program Files (x86)\LP\B669\361E.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1924
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe startC:\Program Files (x86)\A1E2F\lvvm.exe%C:\Program Files (x86)\A1E2F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2612

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2988

Network

DNS

crl.microsoft.com

Remote address:

8.8.8.8:53

Request

crl.microsoft.com

IN A

Response

crl.microsoft.com

IN CNAME

crl.www.ms.akadns.net

crl.www.ms.akadns.net

IN CNAME

a1363.dscg.akamai.net

a1363.dscg.akamai.net

IN A

2.18.121.28

a1363.dscg.akamai.net

IN A

2.18.121.20
GET

http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

Remote address:

2.18.121.28:80

Request

GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 26 Sep 2024 02:21:11 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

Response

HTTP/1.1 200 OK

Content-Length: 1036
Content-Type: application/octet-stream
Content-MD5: +oTkvMkqpdtzWrUHEQQM3g==
Last-Modified: Thu, 12 Dec 2024 00:06:56 GMT
ETag: 0x8DD1A40E476D877
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 69a1d30e-d01e-004b-02fe-56abb9000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Wed, 22 Jan 2025 23:39:30 GMT
Connection: keep-alive
DNS

www.microsoft.com

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Remote address:

8.8.8.8:53

Request

www.microsoft.com

IN A

Response

www.microsoft.com

IN CNAME

www.microsoft.com-c-3.edgekey.net

www.microsoft.com-c-3.edgekey.net

IN CNAME

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

IN CNAME

e13678.dscb.akamaiedge.net

e13678.dscb.akamaiedge.net

IN A

23.200.189.225
DNS

www.microsoft.com

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Remote address:

8.8.8.8:53

Request

www.microsoft.com

IN A
DNS

www.microsoft.com

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Remote address:

8.8.8.8:53

Request

www.microsoft.com

IN A
GET

http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

Remote address:

23.200.189.225:80

Request

GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.microsoft.com

Response

HTTP/1.1 200 OK

Content-Length: 1078
Content-Type: application/octet-stream
Content-MD5: HqJzZuA065RHozzmOcAUiQ==
Last-Modified: Tue, 14 Jan 2025 20:41:31 GMT
ETag: 0x8DD34DBD43549F4
x-ms-request-id: 32c10f85-101e-0044-1fcc-66ddd5000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Wed, 22 Jan 2025 23:39:37 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCV403d0778.0
ms-cv-esi: CASMicrosoftCV403d0778.0
X-RTag: RT
DNS

3-j48.regremotehelper.com

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Remote address:

8.8.8.8:53

Request

3-j48.regremotehelper.com

IN A

Response
DNS

3-j48.regremotehelper.com

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Remote address:

8.8.8.8:53

Request

3-j48.regremotehelper.com

IN A
DNS

cdn.adventofdeception.com

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Remote address:

8.8.8.8:53

Request

cdn.adventofdeception.com

IN A

Response

cdn.adventofdeception.com

IN A

199.59.243.228
DNS

cdn.adventofdeception.com

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Remote address:

8.8.8.8:53

Request

cdn.adventofdeception.com

IN A
GET

http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png?sv=47&tq=gwY92w4ACTZIjMVdNVnhYzPhqG9hHOC%2FrtFUWv3boHJVtbcs6D4W5OC8BHocq2frfpP%2F00Mt62JuReII%2BuVq9%2F0XZFYG5VWJ9kYuKSWjhnCd3cD6BdllONP6ZL1qf0OhuoJn%2FR8EFidoGd0JqYQORA5sqenPCZx7Z9Iz76laNwAYnqD%2Fho%2Bvxhc20IW8KPmfnp%2Fa

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Remote address:

199.59.243.228:80

Request

GET /wp-content/uploads/2011/06/frame6.png?sv=47&tq=gwY92w4ACTZIjMVdNVnhYzPhqG9hHOC%2FrtFUWv3boHJVtbcs6D4W5OC8BHocq2frfpP%2F00Mt62JuReII%2BuVq9%2F0XZFYG5VWJ9kYuKSWjhnCd3cD6BdllONP6ZL1qf0OhuoJn%2FR8EFidoGd0JqYQORA5sqenPCZx7Z9Iz76laNwAYnqD%2Fho%2Bvxhc20IW8KPmfnp%2Fa HTTP/1.0
Connection: close
Host: cdn.adventofdeception.com
Accept: */*
User-Agent: chrome/9.0

Response

HTTP/1.1 200 OK

date: Wed, 22 Jan 2025 23:39:47 GMT
content-type: text/html; charset=utf-8
content-length: 1734
x-request-id: 9e95b77c-e450-427b-a011-25a7a661ecde
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_gRBH9KswfkxIznIKGXMFqtYKmvLjgHiRIcdVdXj+AR57t/K7fHOifQ+Qe9eFbmluBGM1bo6mWoL4eu+s3HUzSA==
set-cookie: parking_session=9e95b77c-e450-427b-a011-25a7a661ecde; expires=Wed, 22 Jan 2025 23:54:47 GMT; path=/
connection: close
DNS

g61n5dh2.faststorageonline.com

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Remote address:

8.8.8.8:53

Request

g61n5dh2.faststorageonline.com

IN A

Response
DNS

3x8g7zpy.regremotehelper.com

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Remote address:

8.8.8.8:53

Request

3x8g7zpy.regremotehelper.com

IN A

Response
DNS

www.microsoft.com

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Remote address:

8.8.8.8:53

Request

www.microsoft.com

IN A

Response

www.microsoft.com

IN CNAME

www.microsoft.com-c-3.edgekey.net

www.microsoft.com-c-3.edgekey.net

IN CNAME

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

IN CNAME

e13678.dscb.akamaiedge.net

e13678.dscb.akamaiedge.net

IN A

23.200.189.225
DNS

www.microsoft.com

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Remote address:

8.8.8.8:53

Request

www.microsoft.com

IN A
DNS

www.microsoft.com

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Remote address:

8.8.8.8:53

Request

www.microsoft.com

IN A
DNS

www.microsoft.com

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Remote address:

8.8.8.8:53

Request

www.microsoft.com

IN A
DNS

TRANSERSDATAFORME.COM

361E.tmp

Remote address:

8.8.8.8:53

Request

TRANSERSDATAFORME.COM

IN A

Response
DNS

tx3a.regremotehelper.com

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Remote address:

8.8.8.8:53

Request

tx3a.regremotehelper.com

IN A

Response
DNS

tx3a.regremotehelper.com

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Remote address:

8.8.8.8:53

Request

tx3a.regremotehelper.com

IN A
DNS

tx3a.regremotehelper.com

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Remote address:

8.8.8.8:53

Request

tx3a.regremotehelper.com

IN A
DNS

csc3-2004-crl.verisign.com

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Remote address:

8.8.8.8:53

Request

csc3-2004-crl.verisign.com

IN A

Response
DNS

www.google.com

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.179.228
DNS

www.google.com

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A
DNS

www.google.com

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A
GET

http://www.google.com/

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Remote address:

142.250.179.228:80

Request

GET / HTTP/1.0
Connection: close
Host: www.google.com
Accept: */*

Response

HTTP/1.0 302 Found

Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGICExrwGIjAU0UXpMdPvS38zW1Hq80iqGg-bgTcrN0PtThS5Z4qBQ161XAshBlwPpFfU1ywBxHwyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
x-hallmonitor-challenge: CgsIgYTGvAYQ2oXrWBIEtdewUw
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-8QWRPt-9kVKMVdA2XBZXKw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Wed, 22 Jan 2025 23:40:49 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-VArZT3M0OjOK6Tet5-UOc9y638uc2EHkMflkH7gZbf0DRPXvU_FQ; expires=Mon, 21-Jul-2025 23:40:49 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
GET

http://www.google.com/

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Remote address:

142.250.179.228:80

Request

GET / HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com

Response

HTTP/1.1 302 Found

Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGIKExrwGIjDtuISHlPdz3sRWXHTEtQWbo2c6BGKvYykwD6xGBkq2hkeLhvdITOp91GdHfQ7nYhsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
x-hallmonitor-challenge: CgsIg4TGvAYQqIjfKBIEtdewUw
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-wICvN96waEZGEdySlIh0oA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Wed, 22 Jan 2025 23:40:51 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-V0xt6OMGRMoHz46DQxdZual6k79WE0GIFCjPqrGtPY2gwEccWRVQ; expires=Mon, 21-Jul-2025 23:40:51 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Connection: close
GET

http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGIKExrwGIjDtuISHlPdz3sRWXHTEtQWbo2c6BGKvYykwD6xGBkq2hkeLhvdITOp91GdHfQ7nYhsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

Remote address:

142.250.179.228:80

Request

GET /sorry/index?continue=http://www.google.com/&q=EgS117BTGIKExrwGIjDtuISHlPdz3sRWXHTEtQWbo2c6BGKvYykwD6xGBkq2hkeLhvdITOp91GdHfQ7nYhsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com

Response

HTTP/1.1 429 Too Many Requests

Date: Wed, 22 Jan 2025 23:40:51 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
Server: HTTP server (unknown)
Content-Length: 3086
X-XSS-Protection: 0
Connection: close

2.18.121.28:80

http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

http

543 B
1.6kB
7
3

HTTP Request

GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

HTTP Response

200
23.200.189.225:80

http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

http

792 B
1.8kB
8
5

HTTP Request

GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

HTTP Response

200
199.59.243.228:80

http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png?sv=47&tq=gwY92w4ACTZIjMVdNVnhYzPhqG9hHOC%2FrtFUWv3boHJVtbcs6D4W5OC8BHocq2frfpP%2F00Mt62JuReII%2BuVq9%2F0XZFYG5VWJ9kYuKSWjhnCd3cD6BdllONP6ZL1qf0OhuoJn%2FR8EFidoGd0JqYQORA5sqenPCZx7Z9Iz76laNwAYnqD%2Fho%2Bvxhc20IW8KPmfnp%2Fa

http

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

1.1kB
2.7kB
8
7

HTTP Request

GET http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png?sv=47&tq=gwY92w4ACTZIjMVdNVnhYzPhqG9hHOC%2FrtFUWv3boHJVtbcs6D4W5OC8BHocq2frfpP%2F00Mt62JuReII%2BuVq9%2F0XZFYG5VWJ9kYuKSWjhnCd3cD6BdllONP6ZL1qf0OhuoJn%2FR8EFidoGd0JqYQORA5sqenPCZx7Z9Iz76laNwAYnqD%2Fho%2Bvxhc20IW8KPmfnp%2Fa

HTTP Response

200
127.0.0.1:63192
127.0.0.1:63192
127.0.0.1:63192
127.0.0.1:63192
127.0.0.1:63192
127.0.0.1:63192
127.0.0.1:63192
127.0.0.1:63192
127.0.0.1:63192
127.0.0.1:63192
127.0.0.1:63192
127.0.0.1:63192
127.0.0.1:63192
127.0.0.1:63192
142.250.179.228:80

http://www.google.com/

http

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

512 B
1.5kB
8
5

HTTP Request

GET http://www.google.com/

HTTP Response

302
142.250.179.228:80

http://www.google.com/

http

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

522 B
1.5kB
8
6

HTTP Request

GET http://www.google.com/

HTTP Response

302
127.0.0.1:63192

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
127.0.0.1:63192

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe
142.250.179.228:80

http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGIKExrwGIjDtuISHlPdz3sRWXHTEtQWbo2c6BGKvYykwD6xGBkq2hkeLhvdITOp91GdHfQ7nYhsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

http

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

868 B
3.7kB
8
8

HTTP Request

GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGIKExrwGIjDtuISHlPdz3sRWXHTEtQWbo2c6BGKvYykwD6xGBkq2hkeLhvdITOp91GdHfQ7nYhsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

HTTP Response

429

8.8.8.8:53

crl.microsoft.com

dns

63 B
162 B
1
1

DNS Request

crl.microsoft.com

DNS Response

2.18.121.28

2.18.121.20
8.8.8.8:53

www.microsoft.com

dns

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

189 B
230 B
3
1

DNS Request

www.microsoft.com

DNS Request

www.microsoft.com

DNS Request

www.microsoft.com

DNS Response

23.200.189.225
8.8.8.8:53

3-j48.regremotehelper.com

dns

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

142 B
144 B
2
1

DNS Request

3-j48.regremotehelper.com

DNS Request

3-j48.regremotehelper.com
8.8.8.8:53

cdn.adventofdeception.com

dns

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

142 B
87 B
2
1

DNS Request

cdn.adventofdeception.com

DNS Request

cdn.adventofdeception.com

DNS Response

199.59.243.228
8.8.8.8:53

g61n5dh2.faststorageonline.com

dns

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

76 B
149 B
1
1

DNS Request

g61n5dh2.faststorageonline.com
8.8.8.8:53

3x8g7zpy.regremotehelper.com

dns

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

74 B
147 B
1
1

DNS Request

3x8g7zpy.regremotehelper.com
8.8.8.8:53

www.microsoft.com

dns

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

252 B
230 B
4
1

DNS Request

www.microsoft.com

DNS Request

www.microsoft.com

DNS Request

www.microsoft.com

DNS Request

www.microsoft.com

DNS Response

23.200.189.225
8.8.8.8:53

TRANSERSDATAFORME.COM

dns

361E.tmp

67 B
140 B
1
1

DNS Request

TRANSERSDATAFORME.COM
8.8.8.8:53

tx3a.regremotehelper.com

dns

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

210 B
143 B
3
1

DNS Request

tx3a.regremotehelper.com

DNS Request

tx3a.regremotehelper.com

DNS Request

tx3a.regremotehelper.com
8.8.8.8:53

csc3-2004-crl.verisign.com

dns

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

72 B
127 B
1
1

DNS Request

csc3-2004-crl.verisign.com
8.8.8.8:53

www.google.com

dns

JaffaCakes118_11fa3d2a79204be85855d65b269533bf.exe

180 B
76 B
3
1

DNS Request

www.google.com

DNS Request

www.google.com

DNS Request

www.google.com

DNS Response

142.250.179.228

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\923A1\1E2F.23A

Filesize
1KB

MD5
0cabe0edff7028ef1ef6ec2769a7fa4f

SHA1
e381f7bda44a3274eeffc363b1a18ef54f8b5f2b

SHA256
f13d1390b04e05b926f6790f47974fe8e360c3e2ff1008f2509e52f49f141554

SHA512
1e350b4c4f4571640c93052ed6ddbecd5cb8024015c4477bcc124b7e9dda3d151b47dec43e0ee749d30fedc6999ac14ef74aead947115c69049f3689522a1869

Download Submit
C:\Users\Admin\AppData\Roaming\923A1\1E2F.23A

Filesize
600B

MD5
49643fc97c84f88bffe0ad040f953fd9

SHA1
ecc019987b13b5b87dc433d34bb91d2babff1a95

SHA256
ee0aa3c9b7baff907c9d3336366e04f0e4b7f63bc4bd0025472005e46d2fdf8c

SHA512
4d12d026d682cbedf81180770e211090d71d40a56491922273b0da307687cae9d18befbfee811da357407fdfc9562a92e1a26ed65d452349303677d92dd6fee0

Download Submit
C:\Users\Admin\AppData\Roaming\923A1\1E2F.23A

Filesize
1KB

MD5
75a67549735b9d85f07e36a74e20eee4

SHA1
0d68f11c98ecdf3b1e058eed28970b84751410e7

SHA256
42c43f43c2ab756449aaced2dceb470f26d80af7ce1c023f7ab37e4bf3a52270

SHA512
d36132f02f95e7955128f91e23f60ed130054b728f31a432a94653cfa7890d39e5a645d99339d49da9de7d07f1a26c4a33cf5f28a7b7c577b4a56d14b10cc95d

Download Submit
C:\Users\Admin\AppData\Roaming\923A1\1E2F.23A

Filesize
897B

MD5
1b93e829ad58df01247545d3bbcba237

SHA1
20199f3afa00e4521de5d7cabde4d5474379e2be

SHA256
417726a2a2ade76749bccbebf5a1f1544a2566c4c61ed19a7af376638204c55b

SHA512
c8a23c9bda734d5714e1d3a8f3c62d1835859bb46e2e5b48b23a46dcffa4f00cb43b03b205e12a63ad5d318554c6f14850c80c82d7598b021cd26b2cdf4096eb

Download Submit
\Program Files (x86)\LP\B669\361E.tmp

Filesize
107KB

MD5
ebec172b21c1a8032a34cbaee1517f52

SHA1
a34b5c4cded0d80e9ced4fb9b33ecb142060de55

SHA256
4972245901de570e2f6db848ac371d3aa85676596698611f2349758cd9765353

SHA512
e8517f20a836d95815e4d4fe7100cc9ae8cc13e8ab23f7b3f44525742b9552aff5a24948c05ff95cf232c854bd05756271211685583a9e01451d12e256951ff9

Download Submit
memory/864-18-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1624-5-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1624-19-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1624-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1624-4-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1624-3-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1624-183-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1624-2-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1624-292-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1624-294-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1924-184-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2612-181-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.