General
Target: JaffaCakes118_e48218aff0d087ef1ade550686dbe8fa
Size: 269KB
Sample: 250503-p5ektabm8v
MD5: e48218aff0d087ef1ade550686dbe8fa
SHA1: 0600694b7ebb00f79ae3b6023ad9bb5372a81978
SHA256: 00d7201238e4a26a656e08b7788da89af0b22ab07fd1892307a251956d55fedd
SHA512: 0b240c6d8a2a5d94a3d360aaf876bd9dd094bd6da71978e4aa5d31169dc660054abf479bda7f618196bb6c54c3d2faec82aff2f74037dbd57ca2ffb3859a9dd3
SSDEEP: 6144:pWFLa71LBbPzJAIwSxoa0o/EKelV3XIlAlLLX51VciOooQvL:pOa7xBPTaue7IOlL750i7tv
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_e48218aff0d087ef1ade550686dbe8fa.exe
Resource: win11-20250502-en
Malware Config
Extracted
Family: cycbot
C2 URLs:
http://renamesys5.com
http://givishoolstome.com
http://limfoklubs.com
http://regfeedbackaccess.com
http://umbrella-systems1.com
http://monymouses.com
http://onlinepdahelpforyou.com
http://remarkreddomas.com
http://transfersakkonline.com
http://backupdomaintolevel.com
Payload URLs (payload_url):
http://armoredlegion.com/305986.png
http://armoredlegion.com/16354.png
http://armoredlegion.com/716354_m61.png
http://mektek.net/thelab/wiley.jpg
http://knowledgesutra.com/img/temp/hi.cgi
http://knowledgesutra.com/img/temp/head.png
http://battleon.com/134.gif
http://battleon.com/132.gif
http://battleon.com/133.gif
http://browsermmorpg.com/images/cpc.png
http://browsermmorpg.com/images/cpc2.png
http://browsermmorpg.com/img/intel.gif
http://browsermmorpg.com/img/intel.jpg
http://012webpages.com/christian12.jpg
http://012webpages.com/christian13.jpg
http://012webpages.com/christian14.jpg
http://tri-countymech.com/g/livechat.png
http://tri-countymech.com/g/logo.png
http://tri-countymech.com/g/133.jpg
http://tri-countymech.com/g/134.jpg
http://electronicstheory.com/pics/valley.png
http://electronicstheory.com/pics/sun.png
http://classicbattletech.com/lhous3.gif
http://classicbattletech.com/lhous4.gif
http://classicbattletech.com/lhous5.gif
http://classicbattletech.com/lhous6.gif
http://engineeringcrossing.com/images/misc/23525.png
http://engineeringcrossing.com/images/misc/64646.png
http://%s/s.php?c=121&id=%s
http://xprstats.com/images/logo.png
Targets
Target: JaffaCakes118_e48218aff0d087ef1ade550686dbe8fa (size and hashes as listed under General)
Cycbot family
Detects Cycbot payload: Cycbot is a backdoor and trojan written in C++.
Pony family
Boot or Logon Autostart Execution: Active Setup: Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Disables taskbar notifications via registry modification
Executes dropped EXE
Unsecured Credentials: Credentials In Files: Steal credentials from unsecured files.
Adds Run key to start application
Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
Sets desktop wallpaper using registry
MITRE ATT&CK Enterprise v16 (number in parentheses is the count of matching signatures)
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)