Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
27-01-2025 17:42
General
-
Target
JaffaCakes118_42295816978b4c1162f604b8cc98e211.exe
-
Size
841KB
-
MD5
42295816978b4c1162f604b8cc98e211
-
SHA1
c63183321b3ef906b62569d901b6fc61530b42c2
-
SHA256
77305518a1b2d8a76f3adaf7959dc850b5ed90ded43792ad26fb23d725505abd
-
SHA512
6c28c638883f72e672c1796d243a77b80ff1be1d392b58fb236f8351ed002101f7066064d00ec6c127781e835eadad133cd4b11a0032df227ce5d7ee9aabb91f
-
SSDEEP
24576:Y1ckXnJDH7oH1haz/5qgxuLh62tLqazx5QwLzyUSSykQ59aIkPTr:Y1v3Jz8H1hU/5qgQ62Bqad5g0yksxkrr
Malware Config
Signatures
-
Cycbot
Cycbot is a backdoor and trojan written in C++..
-
Cycbot family
-
Detects Cycbot payload 3 IoCs
Cycbot is a backdoor and trojan written in C++.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies security service 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Modiloader family
-
Pony family
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
ModiLoader Second Stage 9 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Deletes itself 1 IoCs
-
Executes dropped EXE 13 IoCs
-
Loads dropped DLL 17 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 53 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
UPX packed file 17 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42295816978b4c1162f604b8cc98e211.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42295816978b4c1162f604b8cc98e211.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42295816978b4c1162f604b8cc98e211.exeJaffaCakes118_42295816978b4c1162f604b8cc98e211.exe2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\miGRu6Gcu2.exeC:\Users\Admin\miGRu6Gcu2.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\qucih.exe"C:\Users\Admin\qucih.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del miGRu6Gcu2.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\alhost.exeC:\Users\Admin\alhost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\alhost.exealhost.exe4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\blhost.exeC:\Users\Admin\blhost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\blhost.exeblhost.exe4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\clhost.exeC:\Users\Admin\clhost.exe3⤵
- Modifies security service
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\clhost.exeC:\Users\Admin\clhost.exe startC:\Users\Admin\AppData\Roaming\7C0B3\3CD43.exe%C:\Users\Admin\AppData\Roaming\7C0B34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\clhost.exeC:\Users\Admin\clhost.exe startC:\Program Files (x86)\B3E25\lvvm.exe%C:\Program Files (x86)\B3E254⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\LP\43C7\41F0.tmp"C:\Program Files (x86)\LP\43C7\41F0.tmp"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\dlhost.exeC:\Users\Admin\dlhost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\elhost.exeC:\Users\Admin\elhost.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_42295816978b4c1162f604b8cc98e211.exe3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
5Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
300B
MD538ec974621cc0c4184b08b4b1dda972c
SHA1bc5c15d4162f4c2503ba10e5ad6d94619b9876c2
SHA256827ab447cf20a2da1929c8a59dac2f263ff23df090f6d643f892a05f520c0998
SHA512abe3ddbd5405935b02bcb024dc8918bf1321122aff0b80fe73fddc2f7cb7729159316d946534d3680951843be6a448b0304911b93d842148f76370f965a982f6
-
Filesize
600B
MD5ee899a070f0cb1e797b0b508a338412a
SHA11e0f7dbd5e149fd4013c1daf22a7131c408d0a5a
SHA25602aac911ceac90713bd6cca2e2c0648f5f1d145f30e0ce671e88ea6bd7865035
SHA5127c323f3b5f5dcfa6ae78a38a436fc855affafe925cc81d6f97f4750af3cd2618a8f3808d6558db4714fbfbde92d3db3b0371a97d28071e8ef7115ee45f93e346
-
Filesize
996B
MD57d23a552840f48c2cb15a714d1b8b199
SHA1ba198a4b7a610d83987b7dda43d045966340ecfe
SHA256e06fd5f0dbd9ca13b3f17b88e15a366baa104181ef97f27a7296428fc4596fd8
SHA512f2acedba56e2489f339eff52b43b04de19abdbe405de417c9166accb757f399261a271c4fd160a8726db70cf23beda7f7eb8d97198e516a55c574dd7957c4b93
-
Filesize
1KB
MD52cc1c42d10722dc119bc5ce3a7dd6805
SHA1d09216b3269b1a214ff1a0d0a5d5529ad09008c2
SHA256f0bfcc7124610c34b9f8d0ea1dbb484d71c5542cc810fc03623642f3c602539e
SHA512e687b88981551adb463b7b2a68a5cadf45d3535aff3afd2340d3d3033cfb667362d1a6e46e7acb9cf89954248545d8afe121d111ba8d3846393e2fc04aa2de87
-
Filesize
236KB
MD5ccee7bbbd52e9e3d551451e54f85489a
SHA17f72be25a00d4e667f17fa106bf024fac3eb9886
SHA25624d5bac9c9a2d7e77dc8f79ad7fe3333283028dbec964effd9020dd6473e3290
SHA5123e2fd0abfc61741698570a600aa4f845503410bc9bef9906dced2df27e5f38c7bb06eefb653a0e199eec88044725e2c0f0238253c73979fcceecb992e3b73af4
-
Filesize
32KB
MD500a9df0a178efb6f4f44aa392186c492
SHA1d3c3039ca41481525815bca5301d9d00f5725667
SHA256c505d1c76b1e886de65c6b7b171a9d56870a320532c7561f7f8b162920602b18
SHA512ae0cbce9119ec561a8084610a42f30f60ed29d6bde908dedb7394dbcd8cd24456c85a543b72aa797705130ccce851a348a5171baf1c8a2499ad599b345283a3f
-
Filesize
192KB
MD5869d4fbc9194f74e9815f487d245fcff
SHA166ac3d8d447558f6389e3a8e203c1b60634af873
SHA256b7bc5a05d5190e33bcf35bc06107881990caf3fd99643c50eb855ca8505d7113
SHA51257700b710c9c42ed07f1959c7a17d592a5bfafadb340eaec33d769a788cb5b84de7d84b4ff5b865df9fedd966d7dc8b5a2534811e1de52f488a31a5548d4d6ce
-
Filesize
192KB
MD5c08e40062fa334f7ba0e1003f384a7a5
SHA182b232f3e981d8f83c0ea257461caefeb34222ca
SHA2564ac4a1077ed9c841c7d72b692e36fee3dd4a5294d35d78afcefb557635d4455f
SHA512d4bb3925f30f2c196b4bce2ee63551719123aa65e7a0100b492b3a5a026bbd6fd79e60df2c601e22105e3c3343f34993dd11ee879c85cbb8754905ce4379499f
-
Filesize
53KB
MD563e99b675a1337db6d8430195ea3efd2
SHA11baead2bf8f433dc82f9b2c03fd65ce697a92155
SHA2566616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9
SHA512f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f
-
Filesize
2KB
MD5bb9d77852535842d67195d8d0bbffaa3
SHA13cc1270ae15abcc7578a961662f5d3636cc7df09
SHA25677f487043fec23ec7cf7abeadde4e0136bee7cae550b6d8af48d51bdfa996142
SHA512108bad14e0156712df99e98503287f5278b53cc70626322cb5de927872560daf496ab797057facb51ca324eb80c37eb995d17ba162fb340f624cb0b8aa204191
-
Filesize
99KB
MD50f322aa9f0ab8f4d2ac9dc7c1f67789b
SHA1bd0abad1aa3edd06bd176282c9ec3fa528ccf5f8
SHA256b788fc4b83fc9e83f3dd7a14e25c251434f5a3389750e380ea32a93662525863
SHA512736af7f378d4f05576010d4cd732ea02dd7e31999cd8e4ad7037686623a0a7a7a45e0376024327943e8a5ba9d090a1f4b2a6e7bc4366b05631abf371070cc6c9
-
Filesize
126KB
MD5f9482a349a998f5c9cb842705e67fea7
SHA1196794ddf71cab834c7029dbf1c27009b06754b2
SHA2569e5b1531710c57fad4e07c5888db6823e6634384a5ebe9d7f40b54cb9a163b44
SHA51271ced1fbd460b833d1f422a80d5a27a893e18f7a6286cb61b1283a2c843f8fc77a68b30cba33fe988063f5db3893cb7fd8f677e023960b1999386c18389c9536
-
Filesize
283KB
MD578b038f42b4e2490672f9a35a42674b5
SHA1ca8972f311b9dab6aa917b65cfb9726447fb44f8
SHA25699125e2bff877025e5687aa5928061cc7da65a944afcd81a66f556bf5d48730d
SHA51213826dd7b9b1de6b08189c814487fcf6dd369059be8f70d5ba7ef6e9339a56be6f04a424e11238cc49a932e7d2988630c102109a861cb4adb5382f9e883ae515
-
Filesize
244KB
MD5682907092bb50419e5b28cf99466e124
SHA1622962a69e71cf4192f860be74249be205e9ce13
SHA2569e08b47ad6498e8f7173eb8a9e2ce2c4aaa36d0c69cfb3365ba76938d037f98e
SHA512cced9e3ec516c2e07182ecf012749b9b123bd70d6204d5f82afa4c0a8a8f110da8690c816e7c8d97f9a283e8e4961fbe0afa60badd4b57d21a8decfa1b527799
-
Filesize
4KB
MD5758f90d425814ea5a1d2694e44e7e295
SHA164d61731255ef2c3060868f92f6b81b4c9b5fe29
SHA256896221147d8172197cbbf06c45d461141ce6b4af38027c1a22d57c1165026433
SHA51211858e498309f611ee6241c026a402d6d979bffe28d4cbf7c9d5a89c3f3de25e1d253ab552ef7bc7cc43dd056307bd625e2e4f09beb21f0214c3946113b97ca9
-
Filesize
424KB
-
Filesize
10.7MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
4KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
96KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
96KB
-
Filesize
220KB
-
Filesize
220KB
-
Filesize
220KB
-
Filesize
220KB
-
Filesize
220KB
-
Filesize
220KB
-
Filesize
220KB
-
Filesize
220KB
-
Filesize
244KB
-
Filesize
244KB
-
Filesize
244KB
-
Filesize
244KB
-
Filesize
244KB
-
Filesize
376KB
-
Filesize
100KB