Resubmissions

03/05/2025, 12:49

250503-p2re7ssyct 10

General

  • Target

    JaffaCakes118_e48218aff0d087ef1ade550686dbe8fa

  • Size

    269KB

  • Sample

    250503-p5ektabm8v

  • MD5

    e48218aff0d087ef1ade550686dbe8fa

  • SHA1

    0600694b7ebb00f79ae3b6023ad9bb5372a81978

  • SHA256

    00d7201238e4a26a656e08b7788da89af0b22ab07fd1892307a251956d55fedd

  • SHA512

    0b240c6d8a2a5d94a3d360aaf876bd9dd094bd6da71978e4aa5d31169dc660054abf479bda7f618196bb6c54c3d2faec82aff2f74037dbd57ca2ffb3859a9dd3

  • SSDEEP

    6144:pWFLa71LBbPzJAIwSxoa0o/EKelV3XIlAlLLX51VciOooQvL:pOa7xBPTaue7IOlL750i7tv

Malware Config

Extracted

Family

cycbot

C2

http://renamesys5.com

http://givishoolstome.com

http://limfoklubs.com

http://regfeedbackaccess.com

http://umbrella-systems1.com

http://monymouses.com

http://onlinepdahelpforyou.com

http://remarkreddomas.com

http://transfersakkonline.com

http://backupdomaintolevel.com

Attributes
  • payload_url

    http://armoredlegion.com/305986.png

    http://armoredlegion.com/16354.png

    http://armoredlegion.com/716354_m61.png

    http://mektek.net/thelab/wiley.jpg

    http://knowledgesutra.com/img/temp/hi.cgi

    http://knowledgesutra.com/img/temp/head.png

    http://battleon.com/134.gif

    http://battleon.com/132.gif

    http://battleon.com/133.gif

    http://browsermmorpg.com/images/cpc.png

    http://browsermmorpg.com/images/cpc2.png

    http://browsermmorpg.com/img/intel.gif

    http://browsermmorpg.com/img/intel.jpg

    http://012webpages.com/christian12.jpg

    http://012webpages.com/christian13.jpg

    http://012webpages.com/christian14.jpg

    http://tri-countymech.com/g/livechat.png

    http://tri-countymech.com/g/logo.png

    http://tri-countymech.com/g/133.jpg

    http://tri-countymech.com/g/134.jpg

    http://electronicstheory.com/pics/valley.png

    http://electronicstheory.com/pics/sun.png

    http://classicbattletech.com/lhous3.gif

    http://classicbattletech.com/lhous4.gif

    http://classicbattletech.com/lhous5.gif

    http://classicbattletech.com/lhous6.gif

    http://engineeringcrossing.com/images/misc/23525.png

    http://engineeringcrossing.com/images/misc/64646.png

    http://%s/s.php?c=121&id=%s

    http://xprstats.com/images/logo.png

Targets

    • Target

      JaffaCakes118_e48218aff0d087ef1ade550686dbe8fa

    • Size

      269KB

    • MD5

      e48218aff0d087ef1ade550686dbe8fa

    • SHA1

      0600694b7ebb00f79ae3b6023ad9bb5372a81978

    • SHA256

      00d7201238e4a26a656e08b7788da89af0b22ab07fd1892307a251956d55fedd

    • SHA512

      0b240c6d8a2a5d94a3d360aaf876bd9dd094bd6da71978e4aa5d31169dc660054abf479bda7f618196bb6c54c3d2faec82aff2f74037dbd57ca2ffb3859a9dd3

    • SSDEEP

      6144:pWFLa71LBbPzJAIwSxoa0o/EKelV3XIlAlLLX51VciOooQvL:pOa7xBPTaue7IOlL750i7tv

    • Cycbot

      Cycbot is a backdoor and trojan written in C++.

    • Cycbot family

    • Detects Cycbot payload

      Cycbot is a backdoor and trojan written in C++.

    • Pony family

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Disables taskbar notifications via registry modification

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v16

Tasks