Analysis

  • max time kernel
    140s
  • max time network
    88s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/01/2025, 11:29

General

  • Target

    JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe

  • Size

    269KB

  • MD5

    20f578e52bd61272430b0c5dc4539c43

  • SHA1

    2db68c429efdddb98eec834c86602c324d98e304

  • SHA256

    94d46e8b54da27abcf3a5e486a477bb2c153c548ec3bb1aa15c10e8a31ac4037

  • SHA512

    03b1cc5fb86dbc931a8d0a9d208bb07ca8f85a5f792ff0462e2330346e6779c6b06282843e806b2d8739830ebb91a874d2f8771f6f5a44ceeaa34fc2fee9f8a4

  • SSDEEP

    6144:RBzt6s0m48hTQKZ5yoYTQrAPQrlOuHBne7BzhT4X+GLWpZu:RBD48pQKZ5FYTQUQbHAVFT4X6j

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 7 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
  • Pony family
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 24 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1956
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe startC:\Users\Admin\AppData\Roaming\607C6\1CE33.exe%C:\Users\Admin\AppData\Roaming\607C6
      2⤵
      • System Location Discovery: System Language Discovery
      PID:348
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20f578e52bd61272430b0c5dc4539c43.exe startC:\Program Files (x86)\C6F3E\lvvm.exe%C:\Program Files (x86)\C6F3E
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1608
    • C:\Program Files (x86)\LP\3356\BC0F.tmp
      "C:\Program Files (x86)\LP\3356\BC0F.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1572
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2248
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1992
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x53c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3056

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\607C6\6F3E.07C

    Filesize

    996B

    MD5

    8cbbfd0a3ca22d6b83017b2a1486f3ff

    SHA1

    ee3cf823b78719b3cdcd67cf9b077d57373ae5bd

    SHA256

    68133355f029a720a8dafa031707cd771276335947527d0b265303a2f9738093

    SHA512

    2e8a2958ba1209430aa1c19a4fb4181e3ba81ac1be601baaf257d9b7b9cb91e4daf4cec45896f93003c838c0f9ae40ee13bab793af422a4c6c4cf2ab144b5b64

  • C:\Users\Admin\AppData\Roaming\607C6\6F3E.07C

    Filesize

    600B

    MD5

    349e8f6d71ed6325f86b3d505d0d11ba

    SHA1

    dfecf290f618874a6e99da0976d970778e19bf18

    SHA256

    2df3220da40b1cca60bc9d02295abecf380e1b5c5f97d662aef0a5ac22139d34

    SHA512

    017a14fae6a204efe25cedecffdb88e453bfef35b931b1e786cc344005e5c3952371408cc67a2884f6817b3bb741d58621b5c309dd42d739cc0b53620bb4edce

  • C:\Users\Admin\AppData\Roaming\607C6\6F3E.07C

    Filesize

    1KB

    MD5

    ebcbe510b634a2dc5dad13d783239275

    SHA1

    3172d2a5fc298ac42012848a710b86df0eec249c

    SHA256

    2c76f6ed35d31884756c9471a85288eb95237e70f1f7d98ed97099f030b77e0f

    SHA512

    1758b6e90678829ce4f0ee1ed4f0f9fff69adc1bf673f62b9ffee45b453c82b33f630e066779d12bfb48e5e1d3b30e304f0eeee5a49284910bf22af184cb8535

  • \Program Files (x86)\LP\3356\BC0F.tmp

    Filesize

    97KB

    MD5

    fcfe93b1b3b15dc8dafeb7148f34970e

    SHA1

    de8d032d32ff24d1b4288ec068e55327f0fcf744

    SHA256

    0dcfb60d186d6ec07c04824394a9959d430ec31939b303a5e557eb55e71ce04f

    SHA512

    f0472a0f516beb0ee929c94b8fdc4d0dc85fffb104350a976e69ccbce8724177b86a814a8b169cab49f68930c385f172cf9b80841801ba3b444932712356e2f0

  • memory/348-15-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/348-17-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/348-18-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/1572-321-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/1608-141-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/1956-139-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/1956-13-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/1956-2-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/1956-0-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/1956-3-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/1956-320-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/1956-16-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/1956-324-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB