Analysis
-
max time kernel
140s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
28-01-2025 20:46
General
-
Target
JaffaCakes118_4f24516e547adfa671129c5cbaddf8c3.exe
-
Size
273KB
-
MD5
4f24516e547adfa671129c5cbaddf8c3
-
SHA1
b0c6a2a5e7b341dd0c7382b877718c4a71e3301e
-
SHA256
e4b280f967fd682ba32c6d8e771e87b63408f451fcf89f72833d6553dd70616f
-
SHA512
841a2c1665643e469631eae5b9609af8a84f49165ceb233cf47c8cb3fdc951dd576d48fd29a86c9c313d7684493ab670222e4b60b975f8dea3f471fbc6107070
-
SSDEEP
6144:LrxdBQou5X55Jnsf/zDHfxb7nPWa8UfzYceHpBwgUQn:LbBQogEHfxtr8JBwgUQ
Malware Config
Signatures
-
Cycbot
Cycbot is a backdoor and trojan written in C++..
-
Cycbot family
-
Detects Cycbot payload 7 IoCs
Cycbot is a backdoor and trojan written in C++.
-
Modifies security service 2 TTPs 1 IoCs
-
Pony family
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 22 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4f24516e547adfa671129c5cbaddf8c3.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4f24516e547adfa671129c5cbaddf8c3.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4f24516e547adfa671129c5cbaddf8c3.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4f24516e547adfa671129c5cbaddf8c3.exe startC:\Users\Admin\AppData\Roaming\43F15\AAF5E.exe%C:\Users\Admin\AppData\Roaming\43F152⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4f24516e547adfa671129c5cbaddf8c3.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4f24516e547adfa671129c5cbaddf8c3.exe startC:\Program Files (x86)\15F30\lvvm.exe%C:\Program Files (x86)\15F302⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\LP\5E14\338E.tmp"C:\Program Files (x86)\LP\5E14\338E.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
996B
MD5fcc4e5e7ecf25e282c1f3ab7faa2a44e
SHA1c21e390ab52660a80f59580783433ac38a03814e
SHA256d893321af078973b08af30d67b850966cf94ac68b9eee588b50e1cbd7c0a21f9
SHA512d1ffffaeae3782ac84cf05a96142cd64ea7c9e4a99ba261775f8aa0d60f5ce97e247ebb049ee6080934efbbf3aa412bc83c11265efd6f7d9d967ae014e066f39
-
Filesize
600B
MD5a1cbc53b490d5b63f43b28bd74754707
SHA1507ecbe10720e5af7d7010ce030072c9de4cc25a
SHA2568c9f4eea324b67af40860c7170a2c708858d76c9879514b31a4cef4dc5249ac4
SHA512fd0e9cd04f8fd52b6fffff1ad2dcef2586da8b62665acf274ef155ca0392dd8cfbac48315a82e380ea4db61a499636a62f0dd81538a7b04fd5eb50fcb073f2e6
-
Filesize
96KB
MD59a4ece2a7c23a5c6104b82f7e62df786
SHA14875e29eeaac4d956f83e7c2dcf42b056c632158
SHA256367e8d51be11c0e5865f8e525b4e223a088ff00ef1f51b64fa14b6651503fab0
SHA5124d64068765738c8a14e090b7a6d57674c0798c0f855b5e1a121c714e381c0a056e0bf6621b18af12c70426f70bb84a79346aee22721757ead4cad7be1d4cd055
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
412KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
412KB
-
Filesize
424KB