Overview

overview

10

Static

static

3

JaffaCakes...4e.exe

windows10-2004-x64

10

Resubmissions

08/04/2025, 16:02

250408-tgznaswwcx 10

29/03/2025, 17:03

250329-vknkwayvav 10

Analysis

  • max time kernel
    29s
  • max time network
    46s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/04/2025, 16:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_8b98031d68d8ed28f7dd32ac5b648a4e.exe

  • Size

    315KB

  • MD5

    8b98031d68d8ed28f7dd32ac5b648a4e

  • SHA1

    5b95ac17daaba2e0627657a186032c88de05e2e4

  • SHA256

    17c0cd538a1ab2296e626d49cc25076a8647ad3c8550f8a25e3ad69de17558b8

  • SHA512

    04107d23a3c02d420cbbfc280896f199c2ea3cc50ca88f678dbaaf2bf85bce33f668b0956e7adf7b75303dbfe678325b6ec1dde356e8395fe4ff5919b09ef55b

  • SSDEEP

    6144:t/BOPNymMiR6k47ySQON/fiHmK3tGQpD3lipW0KdL:sy7u6kIf/6HmK3tzgpox

Score
10/10
cycbotbackdoordefense_evasiondiscoverypersistenceratupx

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

    backdoorratcycbot
  • Cycbot family
    cycbot
  • Detects Cycbot payload 7 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
    defense_evasion
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables taskbar notifications via registry modification
    defense_evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 27 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 39 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 2 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b98031d68d8ed28f7dd32ac5b648a4e.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b98031d68d8ed28f7dd32ac5b648a4e.exe"
    1⤵
    • Modifies security service
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2404
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b98031d68d8ed28f7dd32ac5b648a4e.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b98031d68d8ed28f7dd32ac5b648a4e.exe startC:\Users\Admin\AppData\Roaming\2C715\F03AF.exe%C:\Users\Admin\AppData\Roaming\2C715
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4440
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b98031d68d8ed28f7dd32ac5b648a4e.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b98031d68d8ed28f7dd32ac5b648a4e.exe startC:\Program Files (x86)\15DA1\lvvm.exe%C:\Program Files (x86)\15DA1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2096
    • C:\Program Files (x86)\LP\AF32\9DE.tmp
      "C:\Program Files (x86)\LP\AF32\9DE.tmp"
      2⤵
        PID:4128
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4432
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\LP\AF32\06B.exe
      1⤵
        PID:4640
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:5884
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:960
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:5648
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
          PID:660
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
            PID:5380
          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
            1⤵
              PID:1924
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
                PID:4348
              • C:\Windows\explorer.exe
                explorer.exe
                1⤵
                  PID:212
                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                  1⤵
                    PID:6104
                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                    1⤵
                      PID:5524
                    • C:\Windows\explorer.exe
                      explorer.exe
                      1⤵
                        PID:3040
                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                        1⤵
                          PID:4468
                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                          1⤵
                            PID:2828
                          • C:\Windows\explorer.exe
                            explorer.exe
                            1⤵
                              PID:6000
                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                              1⤵
                                PID:5360

                              Network

                              MITRE ATT&CK Enterprise v16

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Program Files (x86)\LP\AF32\9DE.tmp
                                Filesize

                                107KB

                                MD5

                                e7cab4aa4304bfbc54b9723fca9bd57a

                                SHA1

                                19d2cc42fd30ab58a8e03569777f4a9ef8fd531d

                                SHA256

                                0624d004147b8549387ff54f23f50b84096b94671caa471bae5fb138ee23daff

                                SHA512

                                518e32b0cbbe185fdc284195c44559fff73ab0b013efcf8f413ef63cc653f7fcba839d29edcb6034c63b6c7204d2bce3329a7146b6a0b013b063852d4b2a10c2

                                Download Submit

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
                                Filesize

                                471B

                                MD5

                                f25dcdc613a8e29d6f29372622ac2ced

                                SHA1

                                68d18e7a4b3013fabd9d8fad383e9bec45dbd3ad

                                SHA256

                                f0a1ff2488b1b4ffbb7aa9fd0108763a6f535d6e485c0c3fceae202b63079d20

                                SHA512

                                ec023970b3020d6f7fe462ad2bdbeca910a3efff5db6987c62dbab95c54f14107f16513cbe627f9bd4a9e1973d81ebdd089d3c2403e70a6606bb9965b905d2a2

                                Download Submit

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
                                Filesize

                                412B

                                MD5

                                0fca34936fc49e1b43a2885d96a52a52

                                SHA1

                                a099813ff86f5b56d0e71ec277d9474ba7423251

                                SHA256

                                76346da6c290f562827e58ac1cf2330833ff96059596749e8908c2bf2fda60fb

                                SHA512

                                3e4c922e2c44f3a3a821aa8bac2eaa14763f644cf96caaa181c29f554c19f831743ae02735b270aceb44bdf4e790b53de203582e14fded8bf6f03b61a52492d0

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\917WYNDL\microsoft.windows[1].xml
                                Filesize

                                97B

                                MD5

                                468d308673768883fbdab8c821174a66

                                SHA1

                                431bb79b0ef41aac8664e813bbab0d655f1af68a

                                SHA256

                                51d44ac3d6a72793fd9898120f53ef05261ed573f0334c94cbfaa6c4bee4578a

                                SHA512

                                1ebb52420b91c4440fee556bdaa23fe5a36656ba925d05a725e45ecbd5934f9984e0c7513a2a00ab854409ec0044ce4aa6aa72cf419992a441d5e9256e948f65

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\2C715\5DA1.C71
                                Filesize

                                996B

                                MD5

                                a7cf31d5e7c4301d30eae2668795dc03

                                SHA1

                                4260a6771b0284606b56201c7da548466148f60b

                                SHA256

                                d4766b1dcc7541bc62c8898f6ca52e3cb7d047eb81629e6792cabdc4e28858bd

                                SHA512

                                097cc4b8c56d196aea2419d450cc633ba47d2edb78f26ad72a855ed85a1fac09c08e7f317f0e48c1c29885c17088a4a4b870a65d34c965b7ebd1cf1de814f3e0

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\2C715\5DA1.C71
                                Filesize

                                600B

                                MD5

                                dd4daed8a5277cbbf6af864abf235b9c

                                SHA1

                                1074c5ddb3d83cfbcec89abce8b2b11d41f2ef3b

                                SHA256

                                949964e86f54cc77157ee7e5efdcd45d3031dba2592748f021e7ae9fdb24d993

                                SHA512

                                08dc53c75d96cc000e2a969663703ecf0b9fa8532ac084dbe2cdb45dc7835c96995762ba5619ea0b936e80b3a408296a3831e6ba70700ba3f8d377ca446f73b5

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\2C715\5DA1.C71
                                Filesize

                                1KB

                                MD5

                                4080908af9868dfe11e4faf6571ad91a

                                SHA1

                                ea9976d6c96729e38949dcacd48d3ee0a093c397

                                SHA256

                                c6b9154260894a251b178d3b69168334c9dee179ee6ae38c0f14b0a8eb14d88a

                                SHA512

                                7f7704aef896d180dfb9770d3678ffc68844d9a5c34c209f2617f88b44a9b69a19af11a589d84aae10b2235f37622e6e72fd5c8ecc4b1687678e52246fb7fb2b

                                Download Submit

                              • memory/212-456-0x0000000003710000-0x0000000003711000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2096-125-0x0000000000400000-0x000000000046D000-memory.dmp

                                Filesize

                                436KB

                                Download

                              • memory/2096-124-0x0000000000400000-0x000000000046D000-memory.dmp

                                Filesize

                                436KB

                                Download

                              • memory/2404-0-0x0000000000400000-0x000000000046D000-memory.dmp

                                Filesize

                                436KB

                                Download

                              • memory/2404-122-0x0000000000400000-0x000000000046D000-memory.dmp

                                Filesize

                                436KB

                                Download

                              • memory/2404-2-0x0000000000400000-0x000000000046A000-memory.dmp

                                Filesize

                                424KB

                                Download

                              • memory/2404-3-0x0000000000400000-0x000000000046D000-memory.dmp

                                Filesize

                                436KB

                                Download

                              • memory/2404-14-0x0000000000400000-0x000000000046A000-memory.dmp

                                Filesize

                                424KB

                                Download

                              • memory/2404-604-0x0000000000400000-0x000000000046D000-memory.dmp

                                Filesize

                                436KB

                                Download

                              • memory/2404-13-0x0000000000400000-0x000000000046D000-memory.dmp

                                Filesize

                                436KB

                                Download

                              • memory/2828-607-0x000001DBB4900000-0x000001DBB4A00000-memory.dmp

                                Filesize

                                1024KB

                                Download

                              • memory/2828-606-0x000001DBB4900000-0x000001DBB4A00000-memory.dmp

                                Filesize

                                1024KB

                                Download

                              • memory/2828-610-0x000001DBB59C0000-0x000001DBB59E0000-memory.dmp

                                Filesize

                                128KB

                                Download

                              • memory/2828-630-0x000001DBB5980000-0x000001DBB59A0000-memory.dmp

                                Filesize

                                128KB

                                Download

                              • memory/2828-642-0x000001DBB5D90000-0x000001DBB5DB0000-memory.dmp

                                Filesize

                                128KB

                                Download

                              • memory/3040-603-0x0000000003FF0000-0x0000000003FF1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4128-600-0x0000000000400000-0x000000000041D000-memory.dmp

                                Filesize

                                116KB

                                Download

                              • memory/4348-312-0x000002027C1F0000-0x000002027C210000-memory.dmp

                                Filesize

                                128KB

                                Download

                              • memory/4348-301-0x000002027B100000-0x000002027B200000-memory.dmp

                                Filesize

                                1024KB

                                Download

                              • memory/4348-300-0x000002027B100000-0x000002027B200000-memory.dmp

                                Filesize

                                1024KB

                                Download

                              • memory/4348-304-0x000002027C230000-0x000002027C250000-memory.dmp

                                Filesize

                                128KB

                                Download

                              • memory/4348-299-0x000002027B100000-0x000002027B200000-memory.dmp

                                Filesize

                                1024KB

                                Download

                              • memory/4348-325-0x000002027C600000-0x000002027C620000-memory.dmp

                                Filesize

                                128KB

                                Download

                              • memory/4440-17-0x0000000000400000-0x000000000046D000-memory.dmp

                                Filesize

                                436KB

                                Download

                              • memory/4440-16-0x0000000000400000-0x000000000046D000-memory.dmp

                                Filesize

                                436KB

                                Download

                              • memory/5380-297-0x0000000002F50000-0x0000000002F51000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/5524-458-0x000001BD04500000-0x000001BD04600000-memory.dmp

                                Filesize

                                1024KB

                                Download

                              • memory/5524-477-0x000001BD052A0000-0x000001BD052C0000-memory.dmp

                                Filesize

                                128KB

                                Download

                              • memory/5524-488-0x000001BD058C0000-0x000001BD058E0000-memory.dmp

                                Filesize

                                128KB

                                Download

                              • memory/5524-457-0x000001BD04500000-0x000001BD04600000-memory.dmp

                                Filesize

                                1024KB

                                Download

                              • memory/5524-462-0x000001BD052E0000-0x000001BD05300000-memory.dmp

                                Filesize

                                128KB

                                Download