cycbot | 3c518733118588fc8537354050ca65ba692aa8e71d5a0e47501e18f458a2d2c0

Analysis

max time kernel
3s
max time network
4s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10/12/2024, 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe
Size

373KB
MD5

dc2add2fbbd7e5f591d1382bde4b2fc5
SHA1

18cced85eb0764d8ec0aee5ca7e4bacc179ddfca
SHA256

3c518733118588fc8537354050ca65ba692aa8e71d5a0e47501e18f458a2d2c0
SHA512

b73f399e1d9b0d046351c6b6434885cded0c74e28daef9d6fde345aaf4c61a0f3a586ae79326e8fc8e955799b14ca322a49616e0576de0f3907445795b30d31f
SSDEEP

6144:2bNnomzX2lumVTz/EkFgr9prdZ1jjLjOBvqAAXFpNXzWRl9tH27MC78MJfzDd:oom43/OrrrFjLKElXFphCRlDHoYMH

Score

10^/10

cycbot backdoor bootkit discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 1 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2868-81-0x0000000000400000-0x0000000000449000-memory.dmp	family_cycbot

Executes dropped EXE 5 IoCs

pid	Process
1132	ctfmon.exe
2724	2 Gansta.exe
2696	3IC.exe
2460	R2R.exe
2868	R2R.exe

Loads dropped DLL 24 IoCs

pid	Process
2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe
2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe
1132	ctfmon.exe
1132	ctfmon.exe
1132	ctfmon.exe
2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe
2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe
2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe
2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe
2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe
2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe
2696	3IC.exe
2696	3IC.exe
2696	3IC.exe
2724	2 Gansta.exe
2724	2 Gansta.exe
2724	2 Gansta.exe
2460	R2R.exe
2460	R2R.exe
2460	R2R.exe
2460	R2R.exe
2868	R2R.exe
2868	R2R.exe
2868	R2R.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Program Files (x86)\\Internet Explorer\\lvvm.exe"	R2R.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	3IC.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000016d66-17.dat	upx
behavioral1/memory/2828-18-0x0000000000820000-0x000000000082A000-memory.dmp	upx
behavioral1/memory/2868-81-0x0000000000400000-0x0000000000449000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\lvvm.exe	R2R.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R2R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R2R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3IC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2 Gansta.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2696	3IC.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 1132	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	30
PID 2828 wrote to memory of 1132	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	30
PID 2828 wrote to memory of 1132	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	30
PID 2828 wrote to memory of 1132	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	30
PID 2828 wrote to memory of 1132	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	30
PID 2828 wrote to memory of 1132	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	30
PID 2828 wrote to memory of 1132	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	30
PID 2828 wrote to memory of 2724	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	31
PID 2828 wrote to memory of 2724	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	31
PID 2828 wrote to memory of 2724	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	31
PID 2828 wrote to memory of 2724	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	31
PID 2828 wrote to memory of 2724	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	31
PID 2828 wrote to memory of 2724	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	31
PID 2828 wrote to memory of 2724	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	31
PID 2828 wrote to memory of 2696	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	32
PID 2828 wrote to memory of 2696	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	32
PID 2828 wrote to memory of 2696	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	32
PID 2828 wrote to memory of 2696	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	32
PID 2828 wrote to memory of 2696	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	32
PID 2828 wrote to memory of 2696	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	32
PID 2828 wrote to memory of 2696	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	32
PID 2828 wrote to memory of 2460	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	33
PID 2828 wrote to memory of 2460	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	33
PID 2828 wrote to memory of 2460	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	33
PID 2828 wrote to memory of 2460	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	33
PID 2828 wrote to memory of 2460	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	33
PID 2828 wrote to memory of 2460	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	33
PID 2828 wrote to memory of 2460	2828	dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe	33
PID 2460 wrote to memory of 2868	2460	R2R.exe	34
PID 2460 wrote to memory of 2868	2460	R2R.exe	34
PID 2460 wrote to memory of 2868	2460	R2R.exe	34
PID 2460 wrote to memory of 2868	2460	R2R.exe	34
PID 2460 wrote to memory of 2868	2460	R2R.exe	34
PID 2460 wrote to memory of 2868	2460	R2R.exe	34
PID 2460 wrote to memory of 2868	2460	R2R.exe	34

C:\Users\Admin\AppData\Local\Temp\dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc2add2fbbd7e5f591d1382bde4b2fc5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Local\Temp\nsy6376.tmp\ctfmon.exe
  "C:\Users\Admin\AppData\Local\Temp\nsy6376.tmp\ctfmon.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1132
- C:\Users\Admin\AppData\Local\Temp\nsy6376.tmp\2 Gansta.exe
  "C:\Users\Admin\AppData\Local\Temp\nsy6376.tmp\2 Gansta.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2724
- C:\Users\Admin\AppData\Local\Temp\nsy6376.tmp\3IC.exe
  "C:\Users\Admin\AppData\Local\Temp\nsy6376.tmp\3IC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Users\Admin\AppData\Local\Temp\nsy6376.tmp\R2R.exe
  "C:\Users\Admin\AppData\Local\Temp\nsy6376.tmp\R2R.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Users\Admin\AppData\Local\Temp\nsy6376.tmp\R2R.exe
    C:\Users\Admin\AppData\Local\Temp\nsy6376.tmp\R2R.exe startC:\Users\Admin\AppData\Roaming\conhost.exe%C:\Users\Admin\AppData\Roaming
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsy6376.tmp\2 Gansta.exe

Filesize
6KB

MD5
bee76c79e2e63e198038e01f0d571038

SHA1
fcffdd6bb030f516a46e9d303ebae2ab33af222e

SHA256
50a3c7134460bfe5f2840bd8dc957edfaa76da5beaaff70f8da5e0fef80ae876

SHA512
dd2e9488ad365c02722e1a2466acffb8beaf4dbb68d7093e01c50cd915418ca0642cb6bdd43f2f2b014455803f3c69dec24ca9dfee11bdf7790379181cd2f6f9

Download Submit
\Users\Admin\AppData\Local\Temp\nsy6376.tmp\3IC.exe

Filesize
219KB

MD5
db592037b5526080b12b57dde54ccbc8

SHA1
8d5472e088c07641e26ade451d251745c7030fd8

SHA256
d6b46a9ea3a5843e53e7a90d389f9e6061ebecfb197b7da6248f2876d15d6007

SHA512
dd12ee9eb37d59004111ba28c47ff0470e6dbacf047f1af1af99b932ed7172be8cfa3df3f1550eda3d3448cd976395a4a8f46059a094d93be07dfebf8da00b32

Download Submit
\Users\Admin\AppData\Local\Temp\nsy6376.tmp\R2R.exe

Filesize
170KB

MD5
db5499ebbfe3df8ef3f407422fab6f68

SHA1
9fc65b5092099782b80280e6cdaf109a89a16cfe

SHA256
f7644bab8ce7f0927f045c6c0ff84cbe45eb471d071c0eada673e9af06e8d7a0

SHA512
e132462dd5ac0eb36feb2bd92c004056dc164cd96546455d5202da7621436e06a811d94d8c440e71d429acce7dd8d18bcdf6c92aedc251745bda9342af7aa260

Download Submit
\Users\Admin\AppData\Local\Temp\nsy6376.tmp\ctfmon.exe

Filesize
3KB

MD5
46e07fd3a40760fda18cf6b4fc691742

SHA1
53ee1a754bf5e94fa88a6ab8bb6120b4011afcfa

SHA256
bd7ca609d2fb63e14d08acab1091579c23e298b4fa2ac1e8d2daaff94fc107be

SHA512
ce13f6527cbd13002dca00b71ab38ab12e3f3f7138ada0780ad3f40e7c49946c018a00782ec957b1fd123fb439aabc0d9b3660829dabf10ddcebba08d6e2fbbd

Download Submit
memory/2696-63-0x0000000000230000-0x0000000000295000-memory.dmp

Filesize
404KB

Download
memory/2696-53-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2724-65-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/2724-64-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/2828-18-0x0000000000820000-0x000000000082A000-memory.dmp

Filesize
40KB

Download
memory/2828-34-0x0000000002E60000-0x0000000002EC5000-memory.dmp

Filesize
404KB

Download
memory/2828-32-0x0000000002E60000-0x0000000002EC5000-memory.dmp

Filesize
404KB

Download
memory/2868-81-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads