cycbot | 4d742321425e275185847a05e052e7a163615d2b2d25eaf5e418133a6c4fe715

Resubmissions

19-12-2024 03:36

241219-d5y4nsxjal 10

19-12-2024 03:18

241219-dtp2mavpax 10

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe
Size

184KB
MD5

fe394925e5b4175238a536bc3a4ba7c1
SHA1

e3fb230fc1e5ba65ac4b2fc7b238b2dd7af17929
SHA256

4d742321425e275185847a05e052e7a163615d2b2d25eaf5e418133a6c4fe715
SHA512

8cd5f4fcadd85a1ee7e0d56a57cc321f6290302a508319f20afd1351b445eceb52db2a5118827640c9a9f7ca3fb7718d26e966140ec608688b201de919684bd9
SSDEEP

3072:RgNUlyQrT2GI2o0tUvJKj4QajGarN6ggjZ5LAqRWBxz0W3IYsxFs:2sCGNzmvk4nHrNngjZ5Re3IvxFs

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2100-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1264-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1264-16-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/1884-83-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1264-182-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1264-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2100-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2100-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1264-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1264-16-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/1884-83-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1264-182-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 2100	1264	fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe	84
PID 1264 wrote to memory of 2100	1264	fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe	84
PID 1264 wrote to memory of 2100	1264	fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe	84
PID 1264 wrote to memory of 1884	1264	fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe	93
PID 1264 wrote to memory of 1884	1264	fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe	93
PID 1264 wrote to memory of 1884	1264	fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe	93

C:\Users\Admin\AppData\Local\Temp\fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe startC:\Program Files (x86)\LP\DF66\5CE.exe%C:\Program Files (x86)\LP\DF66
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2100
- C:\Users\Admin\AppData\Local\Temp\fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\60B74\932DF.exe%C:\Users\Admin\AppData\Roaming\60B74
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\60B74\4CEF.0B7

Filesize
1KB

MD5
7154cbc5a58c7697ec4884d290bc3363

SHA1
7bb617f66168bb871c97fc3a71f3bfe318aaa884

SHA256
f891b627414fe29dcbc02d5530d5ae9e524642d8387f8e8c40a4cfc86b2a0c01

SHA512
0005ed429f907c3e1bc5e739b96d33c5d69ee152fa17157498efb3d256f56331ba9a0099673d14bcec485cea1bba124315fc26f0f7bdbfca67d2b6b8373a1f15

Download Submit
C:\Users\Admin\AppData\Roaming\60B74\4CEF.0B7

Filesize
600B

MD5
faa5daba3140549367d2d01f7cbd73aa

SHA1
8b71ec921c2e37bfca4bc3301f6305777ada979e

SHA256
96340473e8e04e9518329045592056f54ee3846c5c095c68918e201b76c6a907

SHA512
8007362df9521bb1c6e762be4ae18e5d8dde16133dea34143e449add18e17ed801fde187b4a47d06ec0d53087df65f12ef1b31ec0fe2c85bb3f657cfa3b9da50

Download Submit
C:\Users\Admin\AppData\Roaming\60B74\4CEF.0B7

Filesize
996B

MD5
c6dfc475c9112b1446e0368de3a67c33

SHA1
9a801302ac3239440482be0d1733513d2c5925d9

SHA256
5af70ec9cc0c0d6ef145d74ad1ebbf1020a3f345012902db4d4dfb21ab5885ef

SHA512
71ec5d7283ee001fadea855e17aa21165608963625faa8d3178ae4b61b6f21b5d9b5e8948db5aa59296df42aadbb0ef094777842842326e529f1c24545285dfe

Download Submit
memory/1264-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1264-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1264-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1264-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1264-182-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1884-83-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2100-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2100-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2100-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download