Analysis
-
max time kernel
140s -
max time network
88s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
24/01/2025, 11:29
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe
-
Size
269KB
-
MD5
20f578e52bd61272430b0c5dc4539c43
-
SHA1
2db68c429efdddb98eec834c86602c324d98e304
-
SHA256
94d46e8b54da27abcf3a5e486a477bb2c153c548ec3bb1aa15c10e8a31ac4037
-
SHA512
03b1cc5fb86dbc931a8d0a9d208bb07ca8f85a5f792ff0462e2330346e6779c6b06282843e806b2d8739830ebb91a874d2f8771f6f5a44ceeaa34fc2fee9f8a4
-
SSDEEP
6144:RBzt6s0m48hTQKZ5yoYTQrAPQrlOuHBne7BzhT4X+GLWpZu:RBD48pQKZ5FYTQUQbHAVFT4X6j
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 7 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral1/memory/1956-13-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot behavioral1/memory/1956-16-0x0000000000400000-0x0000000000467000-memory.dmp family_cycbot behavioral1/memory/348-18-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot behavioral1/memory/1956-139-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot behavioral1/memory/1608-141-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot behavioral1/memory/1956-320-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot behavioral1/memory/1956-324-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot -
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe -
Pony family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
pid Process 1572 BC0F.tmp -
Loads dropped DLL 2 IoCs
pid Process 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\121.exe = "C:\\Program Files (x86)\\LP\\3356\\121.exe" JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
resource yara_rule behavioral1/memory/1956-3-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/1956-13-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/1956-16-0x0000000000400000-0x0000000000467000-memory.dmp upx behavioral1/memory/348-17-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/348-18-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/1956-139-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/1608-141-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/1956-320-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/1956-324-0x0000000000400000-0x000000000046A000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\LP\3356\121.exe JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe File opened for modification C:\Program Files (x86)\LP\3356\121.exe JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe File opened for modification C:\Program Files (x86)\LP\3356\BC0F.tmp JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BC0F.tmp -
Modifies registry class 5 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1992 explorer.exe -
Suspicious use of AdjustPrivilegeToken 19 IoCs
description pid Process Token: SeRestorePrivilege 2248 msiexec.exe Token: SeTakeOwnershipPrivilege 2248 msiexec.exe Token: SeSecurityPrivilege 2248 msiexec.exe Token: SeShutdownPrivilege 1992 explorer.exe Token: SeShutdownPrivilege 1992 explorer.exe Token: SeShutdownPrivilege 1992 explorer.exe Token: SeShutdownPrivilege 1992 explorer.exe Token: SeShutdownPrivilege 1992 explorer.exe Token: SeShutdownPrivilege 1992 explorer.exe Token: SeShutdownPrivilege 1992 explorer.exe Token: SeShutdownPrivilege 1992 explorer.exe Token: SeShutdownPrivilege 1992 explorer.exe Token: SeShutdownPrivilege 1992 explorer.exe Token: 33 3056 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 3056 AUDIODG.EXE Token: 33 3056 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 3056 AUDIODG.EXE Token: SeShutdownPrivilege 1992 explorer.exe Token: SeShutdownPrivilege 1992 explorer.exe -
Suspicious use of FindShellTrayWindow 24 IoCs
pid Process 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe -
Suspicious use of SendNotifyMessage 15 IoCs
pid Process 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1956 wrote to memory of 348 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe 30 PID 1956 wrote to memory of 348 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe 30 PID 1956 wrote to memory of 348 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe 30 PID 1956 wrote to memory of 348 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe 30 PID 1956 wrote to memory of 1608 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe 32 PID 1956 wrote to memory of 1608 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe 32 PID 1956 wrote to memory of 1608 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe 32 PID 1956 wrote to memory of 1608 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe 32 PID 1956 wrote to memory of 1572 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe 36 PID 1956 wrote to memory of 1572 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe 36 PID 1956 wrote to memory of 1572 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe 36 PID 1956 wrote to memory of 1572 1956 JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe 36 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1956 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe startC:\Users\Admin\AppData\Roaming\607C6\1CE33.exe%C:\Users\Admin\AppData\Roaming\607C62⤵
- System Location Discovery: System Language Discovery
PID:348
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe startC:\Program Files (x86)\C6F3E\lvvm.exe%C:\Program Files (x86)\C6F3E2⤵
- System Location Discovery: System Language Discovery
PID:1608
-
-
C:\Program Files (x86)\LP\3356\BC0F.tmp"C:\Program Files (x86)\LP\3356\BC0F.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1572
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2248
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1992
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x53c1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3056
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
996B
MD58cbbfd0a3ca22d6b83017b2a1486f3ff
SHA1ee3cf823b78719b3cdcd67cf9b077d57373ae5bd
SHA25668133355f029a720a8dafa031707cd771276335947527d0b265303a2f9738093
SHA5122e8a2958ba1209430aa1c19a4fb4181e3ba81ac1be601baaf257d9b7b9cb91e4daf4cec45896f93003c838c0f9ae40ee13bab793af422a4c6c4cf2ab144b5b64
-
Filesize
600B
MD5349e8f6d71ed6325f86b3d505d0d11ba
SHA1dfecf290f618874a6e99da0976d970778e19bf18
SHA2562df3220da40b1cca60bc9d02295abecf380e1b5c5f97d662aef0a5ac22139d34
SHA512017a14fae6a204efe25cedecffdb88e453bfef35b931b1e786cc344005e5c3952371408cc67a2884f6817b3bb741d58621b5c309dd42d739cc0b53620bb4edce
-
Filesize
1KB
MD5ebcbe510b634a2dc5dad13d783239275
SHA13172d2a5fc298ac42012848a710b86df0eec249c
SHA2562c76f6ed35d31884756c9471a85288eb95237e70f1f7d98ed97099f030b77e0f
SHA5121758b6e90678829ce4f0ee1ed4f0f9fff69adc1bf673f62b9ffee45b453c82b33f630e066779d12bfb48e5e1d3b30e304f0eeee5a49284910bf22af184cb8535
-
Filesize
97KB
MD5fcfe93b1b3b15dc8dafeb7148f34970e
SHA1de8d032d32ff24d1b4288ec068e55327f0fcf744
SHA2560dcfb60d186d6ec07c04824394a9959d430ec31939b303a5e557eb55e71ce04f
SHA512f0472a0f516beb0ee929c94b8fdc4d0dc85fffb104350a976e69ccbce8724177b86a814a8b169cab49f68930c385f172cf9b80841801ba3b444932712356e2f0