Overview

overview

10

Static

static

3

JaffaCakes...e2.exe

windows7-x64

10

JaffaCakes...e2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    112s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    29/03/2025, 02:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_8b125d0a76255af76c50f50aa2e038e2.exe

  • Size

    281KB

  • MD5

    8b125d0a76255af76c50f50aa2e038e2

  • SHA1

    470f3059b16664f3d1afe98f68fb3c74bc69a2a3

  • SHA256

    33c2feff987d0c0ed7539c9b13157df28c5cc7e19393852c4cfa5e3c3a81738a

  • SHA512

    0f9bb6acd6ca7562b49dc8ca3564f8823e5482f326af89fb958abbc885af184e48639dee15a94b9e9ba9b3d72f720464afe3cd3cc010f9ed7bba1d342cd61817

  • SSDEEP

    6144:+u6Uz378LjeuIEPg7DRGqMl0T6ok6p/tJBmHe7Zc:aI2cnRGqMyTzTJBm+

Score
10/10
cycbotponybackdoorcredential_accessdefense_evasiondiscoverypersistenceratspywarestealerupx

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

    backdoorratcycbot
  • Cycbot family
    cycbot
  • Detects Cycbot payload 9 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
    defense_evasion
  • Pony family
    pony
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables taskbar notifications via registry modification
    defense_evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 39 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 56 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b125d0a76255af76c50f50aa2e038e2.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b125d0a76255af76c50f50aa2e038e2.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2804
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b125d0a76255af76c50f50aa2e038e2.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b125d0a76255af76c50f50aa2e038e2.exe startC:\Users\Admin\AppData\Roaming\D9F57\B080A.exe%C:\Users\Admin\AppData\Roaming\D9F57
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2956
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b125d0a76255af76c50f50aa2e038e2.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b125d0a76255af76c50f50aa2e038e2.exe startC:\Program Files (x86)\572BB\lvvm.exe%C:\Program Files (x86)\572BB
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1204
    • C:\Program Files (x86)\LP\0AFD\D308.tmp
      "C:\Program Files (x86)\LP\0AFD\D308.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2612
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2496
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2392
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2572
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Modify Registry

4
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Query Registry

2
T1012

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\LP\0AFD\D308.tmp
    Filesize

    100KB

    MD5

    bc4366d0a577f23038c4078b9daa6529

    SHA1

    057b8992c93e8eb027190cddf22b4953b2038418

    SHA256

    a5b375d932be3fa254012d6a15047dbdde68744fb323cada056bf1056a36a627

    SHA512

    e29f546c1d978e3663872c8a532ec8f4c05c06b14554f06f6403cd049d202a9c6cdc73f8955ba0e8215e5ef1dbdbf40f61d6ed6ccdfaa70f8033c18c346ca274

    Download Submit

  • C:\Users\Admin\AppData\Roaming\D9F57\72BB.9F5
    Filesize

    1KB

    MD5

    85bba4ad5e949c99deb4230c43b64f96

    SHA1

    c46784ca5b12a293f3c735131da9b1f91f0a4760

    SHA256

    afda7e53c7fb343fd89174c050b0a7f1b0b17fbfde1fc749b78084ae2e47d79f

    SHA512

    6b69ef4b6d2e57655ef66c414410e2c9f5989c87b77bc8e5f2a3285eae78d92fc93a216690abd59a5e55a74a94ee4e6ad7ac1ea1112a85725ca97a7273be65ca

    Download Submit

  • C:\Users\Admin\AppData\Roaming\D9F57\72BB.9F5
    Filesize

    600B

    MD5

    cf936afbdbd87a41bcaab24ce75bf673

    SHA1

    9a4dc7db82d9c375e6dbd7f5a8be6f5e27eebf94

    SHA256

    26e40b9b0816eb69922edfb5170454db2ef93797ea1abf09b27bc0d628a37252

    SHA512

    72b235437cf95f438f65b5e6acc5fe9db45ca2210ff069022196fb669f8fd4e4c69cbeaa2a94599f7e91306f9506d82eadbc62b3dd73a35df0ee20bd70b75785

    Download Submit

  • C:\Users\Admin\AppData\Roaming\D9F57\72BB.9F5
    Filesize

    1KB

    MD5

    8960a6913ab219f516828a7c4ff36403

    SHA1

    88f28a0a6ef54396343f9cc73f1cf4712d33d430

    SHA256

    b9d24d8a0af00b6f6483fda4c75d30517446307103c4f9569396b6f6424426a7

    SHA512

    45497532bd779fb9f265638986fab6312a0bcc51e9498c6630150175d121b0e8be6ddf3e215c544187eb49557715517478b97f27ba108a8a124d11d267eab750

    Download Submit

  • memory/1204-73-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2572-174-0x0000000004750000-0x0000000004751000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2612-171-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2804-74-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2804-5-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2804-16-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2804-6-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2804-3-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2804-1-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2804-2-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2804-172-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2804-176-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2956-14-0x0000000001D70000-0x0000000001E70000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2956-15-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download