Overview

overview

10

Static

static

3

d7436960f4...18.exe

windows7-x64

10

d7436960f4...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-12-2024 13:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d7436960f4fb8d235fd3e27ea00e2d24_JaffaCakes118.exe

  • Size

    484KB

  • MD5

    d7436960f4fb8d235fd3e27ea00e2d24

  • SHA1

    f040879a93ef59371f2977db3de6f5cbd790c961

  • SHA256

    b942240b63244224d0d3ac6f2ce8aae06105effd59f03c0be59eae1d5e681564

  • SHA512

    01131c0ebeeafb3d9c903cf2f441c53b7bef33ff5e9da229d70bc5d61c93349ac32e0662fce1753c38f6fa5896ece28ba42e0cf6e83cc070531ea61517afaaff

  • SSDEEP

    12288:tP9GBWQch+L/ZgHP+v7xK0DmFwUfIp7JVyvWt1aBnSFAPHzeO:tPoBHch+uudKNffiv1aVSaPTeO

Score
10/10
cycbotbackdoordiscoveryevasionpersistenceratupx

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

    backdoorratcycbot
  • Cycbot family
    cycbot
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Adds Run key to start application 2 TTPs 53 IoCs
    persistence
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of SetThreadContext 4 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d7436960f4fb8d235fd3e27ea00e2d24_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d7436960f4fb8d235fd3e27ea00e2d24_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:372
    • C:\Users\Admin\AppData\Local\Temp\d7436960f4fb8d235fd3e27ea00e2d24_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d7436960f4fb8d235fd3e27ea00e2d24_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2152
      • C:\Users\Admin\V6oUpCF0mC.exe
        C:\Users\Admin\V6oUpCF0mC.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4736
        • C:\Users\Admin\guaep.exe
          "C:\Users\Admin\guaep.exe"
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:2268
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del V6oUpCF0mC.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2104
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1572
      • C:\Users\Admin\ayhost.exe
        C:\Users\Admin\ayhost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1564
        • C:\Users\Admin\ayhost.exe
          "C:\Users\Admin\ayhost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:3164
      • C:\Users\Admin\byhost.exe
        C:\Users\Admin\byhost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4436
        • C:\Users\Admin\byhost.exe
          "C:\Users\Admin\byhost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1940
          • C:\Windows\explorer.exe
            000000D4*
            5⤵
              PID:3668
        • C:\Users\Admin\cyhost.exe
          C:\Users\Admin\cyhost.exe
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4192
          • C:\Users\Admin\cyhost.exe
            C:\Users\Admin\cyhost.exe startC:\Users\Admin\AppData\Roaming\conhost.exe%C:\Users\Admin\AppData\Roaming
            4⤵
            • Executes dropped EXE
            PID:3304
          • C:\Users\Admin\cyhost.exe
            C:\Users\Admin\cyhost.exe startC:\Users\Admin\AppData\Local\Temp\dwm.exe%C:\Users\Admin\AppData\Local\Temp
            4⤵
            • Executes dropped EXE
            PID:2064
        • C:\Users\Admin\dyhost.exe
          C:\Users\Admin\dyhost.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2848
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del d7436960f4fb8d235fd3e27ea00e2d24_JaffaCakes118.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1316
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1624

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\19B1.B48
      Filesize

      996B

      MD5

      9958ee40b7d9728c20aff199e0ffcaa8

      SHA1

      267af5327c77d101894d87fb9babb9d5068b0ff7

      SHA256

      29d86b1f98b4421b745288d52ddab84919c5bc6ed811349b6ab4ff035213d7ad

      SHA512

      6e632ffdd8d7d71a9e7fca0a197dddc3f62b7bad4e5a879a73c5b9261c90f1cc927ce8e418e3b2f51c220f87040b7a39b88e56f28670f9355d605a03a4a92538

      Download Submit

    • C:\Users\Admin\AppData\Roaming\19B1.B48
      Filesize

      1KB

      MD5

      9e2cc72bacf3678f934e518374a2cff3

      SHA1

      444f0999406d3f715bef034097b8e611d3c51382

      SHA256

      22dcaf878964c75d27d1a575efa84ac491613c6a24a8a53e5aa35acc04d71707

      SHA512

      3a1d46dab6cf58663105eac6bd5df2e1509fa843ce22dd0546a274c6c651e39fbf46d99ec1d3b52ec3bb1316847c4b42c34d2f4645ac5cf57530a17a348c0c08

      Download Submit

    • C:\Users\Admin\AppData\Roaming\19B1.B48
      Filesize

      600B

      MD5

      405d96a4c776514ea80c959b7fba3ee4

      SHA1

      87643c92fff4ffd094e200fbe67913625a1a8565

      SHA256

      14ec9d099c4d498ecacb5ac5e7e475ef982da83f590162201236dc2c57ef2792

      SHA512

      ccf1bf78cc1f571a5e763e53dd006198973926b8b1e4407b5c917837923d15e82a875e4c400655f6e9be1803b2e81ec866814a4696ddc5ccfd75f1115d1a72dc

      Download Submit

    • C:\Users\Admin\V6oUpCF0mC.exe
      Filesize

      332KB

      MD5

      b96dc0230580570446ab648e20a7e3b3

      SHA1

      27483df87ef7093d51062fb2d2fc9944f94c23fb

      SHA256

      2c65220c1c3ec6cb3282759e1d583b598ad43bf09484239325ae06b961bf0af0

      SHA512

      b8dd8743eb45f9dcc0d74b5cf450ef2950482e5c33dcdb5ab9494ad2e396d7ea5ebd80d477fca52a25a46cede6e2c31eb2647612090fda72d7e61e49913c042f

      Download Submit

    • C:\Users\Admin\ayhost.exe
      Filesize

      68KB

      MD5

      2c7c2d4e9c03a1818621def0e1281a81

      SHA1

      c92b29a7f6e9998c7a86b9b57cff15f28647a127

      SHA256

      9fb6cf502b6a872ed2e58666672db9fdc0eb57e6ff5a5677b6dbc8de42193f3e

      SHA512

      431cadf9b1d4de1dd0c5efebd5bae2af2ac0f6c98a2d71a5f7bc72e2421ecf77d67616d805bb643680192de6c8921e894a48a538276492567524c4267a4e4a66

      Download Submit

    • C:\Users\Admin\byhost.exe
      Filesize

      136KB

      MD5

      1d0f81b6e185ec95e716d2a0b2ba69a1

      SHA1

      09399ffa69ae8bfd9794104bc4b7b4f481980e3a

      SHA256

      abe89315434ce50001a90c9bdd662a0c42fa90d95acdf5baed5823d760e4f878

      SHA512

      6c4ecc1346bfc9952d7a1a2cb30ed5076bec24db099bb3fe20a248b19f56c075ff592d03100a1a3660ad5f47dfaff6a64b6b2bebe1bcbc7ce747f968a4c7e6b1

      Download Submit

    • C:\Users\Admin\cyhost.exe
      Filesize

      168KB

      MD5

      234bf3937f8fe09351acc53c059b40d2

      SHA1

      256f162b65eacc7a1fee35722fbfdbd55bba93c7

      SHA256

      86c568452305c3943eb7d1530cef65c75f6fac39d178082783db8b12fc8eef2b

      SHA512

      6c768729abebd0b9bde9712ee827262c433ac928bb638b9176ef7f4085c2d2b4fdfa3cacffdb7da477d23a1e0ce32e63cba2ab9ace1f45dfcc8109b2c68812b7

      Download Submit

    • C:\Users\Admin\dyhost.exe
      Filesize

      24KB

      MD5

      9814ec05c8857737f599ba75b1610fb1

      SHA1

      aa9d9b016c2feda03cf6ad1bbca332070eb9b295

      SHA256

      a68f44fa166ade605dfd2e5827a8ca3fa21141eda423c096d1f41d9bf172e597

      SHA512

      c9daf5d8015ab4d5e0c333b986e04a917a596aef6d61baf43f53e5da346e3e665cd16eb5da35726713689dca991a03fbfa137b7f3f879c77779a477a89a0268d

      Download Submit

    • C:\Users\Admin\guaep.exe
      Filesize

      332KB

      MD5

      09223b3ce191d5d0b4dd651e689fc0b4

      SHA1

      d4d091640a04803dc65b9ecc107fc3209bfcf1b8

      SHA256

      5c034a7f4d1fddb5e94fcfab59dc425561d37767d6b792ca8290790ba7af06c1

      SHA512

      8ca2f820801230596390427624c395e040489e7d144aae4576dfddde4906b9f1c398e34275bb0811f5a5b9153540e7c74b84cd582180d9c63c92aca6293abec6

      Download Submit

    • memory/1940-67-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1940-65-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2064-163-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

      Download

    • memory/2152-5-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

      Download

    • memory/2152-4-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

      Download

    • memory/2152-280-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

      Download

    • memory/2152-88-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

      Download

    • memory/2152-279-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

      Download

    • memory/2152-7-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

      Download

    • memory/3164-55-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/3164-58-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/3164-57-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/3304-86-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

      Download

    • memory/4192-156-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

      Download

    • memory/4192-169-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

      Download

    • memory/4192-283-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

      Download

    • memory/4436-69-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download