cycbot | 92824d639e6d56922ebe05235329dabcb3b96a82dd7950dc01b787511b85c010

Analysis

max time kernel
140s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffed977c76f042fccb3ae104a60e55c3_JaffaCakes118.exe
Size

178KB
MD5

ffed977c76f042fccb3ae104a60e55c3
SHA1

361189ae98d921bc53fe585ecda4c07b9152474e
SHA256

92824d639e6d56922ebe05235329dabcb3b96a82dd7950dc01b787511b85c010
SHA512

062fca573be024b724eaf6d0a1a455234de3417b774e837ddfcc6c42cd10aeed22067a76dcf718ed42dd68f037b174b159a1168aac3ea53c217168cbb7842ac4
SSDEEP

3072:Sd+8HtiltxypIcQV96ERNfXDZxcrazq0V0PBEq0fhjByNiazwqTEkbuZVQwwLfug:o+itiltkpIcC6E3fXlOpwISByNiQzTE+

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/5000-13-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/832-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/3632-129-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/832-305-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5000-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/832-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3632-129-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/832-305-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffed977c76f042fccb3ae104a60e55c3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 5000	832	ffed977c76f042fccb3ae104a60e55c3_JaffaCakes118.exe	84
PID 832 wrote to memory of 5000	832	ffed977c76f042fccb3ae104a60e55c3_JaffaCakes118.exe	84
PID 832 wrote to memory of 5000	832	ffed977c76f042fccb3ae104a60e55c3_JaffaCakes118.exe	84
PID 832 wrote to memory of 3632	832	ffed977c76f042fccb3ae104a60e55c3_JaffaCakes118.exe	89
PID 832 wrote to memory of 3632	832	ffed977c76f042fccb3ae104a60e55c3_JaffaCakes118.exe	89
PID 832 wrote to memory of 3632	832	ffed977c76f042fccb3ae104a60e55c3_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\ffed977c76f042fccb3ae104a60e55c3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ffed977c76f042fccb3ae104a60e55c3_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:832
- C:\Users\Admin\AppData\Local\Temp\ffed977c76f042fccb3ae104a60e55c3_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ffed977c76f042fccb3ae104a60e55c3_JaffaCakes118.exe startC:\Program Files (x86)\LP\42CB\FF2.exe%C:\Program Files (x86)\LP\42CB
  2⤵
  PID:5000
- C:\Users\Admin\AppData\Local\Temp\ffed977c76f042fccb3ae104a60e55c3_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ffed977c76f042fccb3ae104a60e55c3_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\B202A\98442.exe%C:\Users\Admin\AppData\Roaming\B202A
  2⤵
  PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B202A\ABAB.202

Filesize
996B

MD5
76860c4be28dbe5b62e80aad3d9fbd81

SHA1
4e9f9edd2eb9be12d33597ff62fee7f653d8e43f

SHA256
5be2723a03fdbe68d85e70c0b3b4c7488a0d25af50613cab07ed580c4473084e

SHA512
d8646bd32eccbede7027a7a90759444563348722751be4d49fa9dd994a2d86da17b4b198706766f6adc4e2d5974fe1c0d7953a620cc92f5891d4eb546ef672a7

Download Submit
C:\Users\Admin\AppData\Roaming\B202A\ABAB.202

Filesize
600B

MD5
b1f8c70864aa6e94bc0834fb66d7651e

SHA1
35e2a4c507d990e19b7fb751dd71e6d919c13878

SHA256
4a3bae940e905e76b8db84891cbdf0d5bcbaf2fb27699b149ac078b39b6058c8

SHA512
4adbbca8c3409fd2ddf25caf7c69c5943f23121c14a0807b49e94e52489eacf19832aecec464810debd0d73f1033636ab0d217d706f64a48fda5caad902bcf9d

Download Submit
C:\Users\Admin\AppData\Roaming\B202A\ABAB.202

Filesize
1KB

MD5
557dbf05e78a3baa976db1e672899177

SHA1
89b912488bf1a975eb43c602e846a5a9c368a80d

SHA256
5177b18dcd17ad0d5fb9cf0e6603709c3ad6370590c3a4574d7edd8c669de85a

SHA512
092ea5aa2c892d74474a608bb9f07da86c2c5be70d6c0773f2743963d648a75fd2d0372eca83eb47ce400c13e2785f264ad547f75d158bc8a09043711b43e9fd

Download Submit
memory/832-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/832-2-0x00007FFE90390000-0x00007FFE90585000-memory.dmp

Filesize
2.0MB

Download
memory/832-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/832-15-0x00007FFE90390000-0x00007FFE90585000-memory.dmp

Filesize
2.0MB

Download
memory/832-305-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3632-130-0x00007FFE90390000-0x00007FFE90585000-memory.dmp

Filesize
2.0MB

Download
memory/3632-129-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/5000-12-0x00007FFE90390000-0x00007FFE90585000-memory.dmp

Filesize
2.0MB

Download
memory/5000-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download