cycbot | 8c88cc06cc2f5dd0d2998de7c13795d2c341cba5040312432f009d8a0eb6da14

Analysis

max time kernel
2s
max time network
3s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe
Size

520KB
MD5

5422b11c5c918cb79d2e9b7525097352
SHA1

ed52c3b9238afa61c6f4ec5d66c6ac51e5ec8db5
SHA256

8c88cc06cc2f5dd0d2998de7c13795d2c341cba5040312432f009d8a0eb6da14
SHA512

b8dbbbb493fa2093680db0492dedd2ac7d02f24f161ae778e3533b72c4ba71d7efb873965966790b6e81e01567e778873c6394392066aa8dc14d1d853d6c95bf
SSDEEP

12288:DcUoJs1qoWOFZCjOdvUgyLr/Jh4QWfP8S:q21q4C6z+r/IQsP8S

Score

10^/10

cycbot backdoor bootkit discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 1 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/764-118-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot

Executes dropped EXE 7 IoCs

pid	Process
2088	ic7.exe
2272	3IC.exe
2472	2 Gansta.exe
2860	5tbp.exe
2816	R2R.exe
2608	2 Gansta.exe
764	R2R.exe

Loads dropped DLL 37 IoCs

pid	Process
2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe
2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe
2088	ic7.exe
2088	ic7.exe
2088	ic7.exe
2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe
2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe
2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe
2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe
2472	2 Gansta.exe
2472	2 Gansta.exe
2472	2 Gansta.exe
2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe
2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe
2272	3IC.exe
2272	3IC.exe
2272	3IC.exe
2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe
2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe
2860	5tbp.exe
2860	5tbp.exe
2860	5tbp.exe
2816	R2R.exe
2816	R2R.exe
2816	R2R.exe
1880	rundll32.exe
1880	rundll32.exe
1880	rundll32.exe
1880	rundll32.exe
2472	2 Gansta.exe
2608	2 Gansta.exe
2608	2 Gansta.exe
2608	2 Gansta.exe
2816	R2R.exe
764	R2R.exe
764	R2R.exe
764	R2R.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xgalejamiyu = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\nCECrf.dll\",Startup"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	R2R.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	3IC.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2472 set thread context of 2608	2472	2 Gansta.exe	36

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2608-89-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2608-82-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2608-87-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2608-84-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2608-97-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2608-96-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2608-95-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2608-90-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/764-118-0x0000000000400000-0x000000000044B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R2R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2 Gansta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ic7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2 Gansta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3IC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5tbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R2R.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2272	3IC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2860	5tbp.exe
1880	rundll32.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2088	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	30
PID 2384 wrote to memory of 2088	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	30
PID 2384 wrote to memory of 2088	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	30
PID 2384 wrote to memory of 2088	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	30
PID 2384 wrote to memory of 2088	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	30
PID 2384 wrote to memory of 2088	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	30
PID 2384 wrote to memory of 2088	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	30
PID 2384 wrote to memory of 2272	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	31
PID 2384 wrote to memory of 2272	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	31
PID 2384 wrote to memory of 2272	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	31
PID 2384 wrote to memory of 2272	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	31
PID 2384 wrote to memory of 2272	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	31
PID 2384 wrote to memory of 2272	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	31
PID 2384 wrote to memory of 2272	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	31
PID 2384 wrote to memory of 2472	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	32
PID 2384 wrote to memory of 2472	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	32
PID 2384 wrote to memory of 2472	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	32
PID 2384 wrote to memory of 2472	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	32
PID 2384 wrote to memory of 2472	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	32
PID 2384 wrote to memory of 2472	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	32
PID 2384 wrote to memory of 2472	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	32
PID 2384 wrote to memory of 2860	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	33
PID 2384 wrote to memory of 2860	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	33
PID 2384 wrote to memory of 2860	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	33
PID 2384 wrote to memory of 2860	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	33
PID 2384 wrote to memory of 2860	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	33
PID 2384 wrote to memory of 2860	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	33
PID 2384 wrote to memory of 2860	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	33
PID 2384 wrote to memory of 2816	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	34
PID 2384 wrote to memory of 2816	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	34
PID 2384 wrote to memory of 2816	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	34
PID 2384 wrote to memory of 2816	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	34
PID 2384 wrote to memory of 2816	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	34
PID 2384 wrote to memory of 2816	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	34
PID 2384 wrote to memory of 2816	2384	JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe	34
PID 2860 wrote to memory of 1880	2860	5tbp.exe	35
PID 2860 wrote to memory of 1880	2860	5tbp.exe	35
PID 2860 wrote to memory of 1880	2860	5tbp.exe	35
PID 2860 wrote to memory of 1880	2860	5tbp.exe	35
PID 2860 wrote to memory of 1880	2860	5tbp.exe	35
PID 2860 wrote to memory of 1880	2860	5tbp.exe	35
PID 2860 wrote to memory of 1880	2860	5tbp.exe	35
PID 2472 wrote to memory of 2608	2472	2 Gansta.exe	36
PID 2472 wrote to memory of 2608	2472	2 Gansta.exe	36
PID 2472 wrote to memory of 2608	2472	2 Gansta.exe	36
PID 2472 wrote to memory of 2608	2472	2 Gansta.exe	36
PID 2472 wrote to memory of 2608	2472	2 Gansta.exe	36
PID 2472 wrote to memory of 2608	2472	2 Gansta.exe	36
PID 2472 wrote to memory of 2608	2472	2 Gansta.exe	36
PID 2472 wrote to memory of 2608	2472	2 Gansta.exe	36
PID 2472 wrote to memory of 2608	2472	2 Gansta.exe	36
PID 2472 wrote to memory of 2608	2472	2 Gansta.exe	36
PID 2472 wrote to memory of 2608	2472	2 Gansta.exe	36
PID 2816 wrote to memory of 764	2816	R2R.exe	37
PID 2816 wrote to memory of 764	2816	R2R.exe	37
PID 2816 wrote to memory of 764	2816	R2R.exe	37
PID 2816 wrote to memory of 764	2816	R2R.exe	37
PID 2816 wrote to memory of 764	2816	R2R.exe	37
PID 2816 wrote to memory of 764	2816	R2R.exe	37
PID 2816 wrote to memory of 764	2816	R2R.exe	37

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5422b11c5c918cb79d2e9b7525097352.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\nsyB1C4.tmp\ic7.exe
  "C:\Users\Admin\AppData\Local\Temp\nsyB1C4.tmp\ic7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2088
- C:\Users\Admin\AppData\Local\Temp\nsyB1C4.tmp\3IC.exe
  "C:\Users\Admin\AppData\Local\Temp\nsyB1C4.tmp\3IC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Users\Admin\AppData\Local\Temp\nsyB1C4.tmp\2 Gansta.exe
  "C:\Users\Admin\AppData\Local\Temp\nsyB1C4.tmp\2 Gansta.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Users\Admin\AppData\Local\Temp\nsyB1C4.tmp\2 Gansta.exe
    "C:\Users\Admin\AppData\Local\Temp\nsyB1C4.tmp\2 Gansta.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2608
- C:\Users\Admin\AppData\Local\Temp\nsyB1C4.tmp\5tbp.exe
  "C:\Users\Admin\AppData\Local\Temp\nsyB1C4.tmp\5tbp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\nCECrf.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1880
- C:\Users\Admin\AppData\Local\Temp\nsyB1C4.tmp\R2R.exe
  "C:\Users\Admin\AppData\Local\Temp\nsyB1C4.tmp\R2R.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Users\Admin\AppData\Local\Temp\nsyB1C4.tmp\R2R.exe
    C:\Users\Admin\AppData\Local\Temp\nsyB1C4.tmp\R2R.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsyB1C4.tmp\3IC.exe

Filesize
224KB

MD5
bb2f6d3c0d76c09b6a543090615dcbdf

SHA1
a05dceb2ab6c2fe47f0506b025542f6f8ea1b39c

SHA256
fa0ae5238a1e5193a696af175adf145989ff09723dfff26f20173a788ebd8223

SHA512
49f9149d056dbf2b5a3a5af65ea85c3b7d1767e9a7433cd91ec633c135e5f15a89c65c913962fa0b731ffee9bd68fcac19c4e80d48710938420edd8811e79e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB1C4.tmp\ic7.exe

Filesize
3KB

MD5
46e07fd3a40760fda18cf6b4fc691742

SHA1
53ee1a754bf5e94fa88a6ab8bb6120b4011afcfa

SHA256
bd7ca609d2fb63e14d08acab1091579c23e298b4fa2ac1e8d2daaff94fc107be

SHA512
ce13f6527cbd13002dca00b71ab38ab12e3f3f7138ada0780ad3f40e7c49946c018a00782ec957b1fd123fb439aabc0d9b3660829dabf10ddcebba08d6e2fbbd

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB1C4.tmp\2 Gansta.exe

Filesize
95KB

MD5
40a8954e5d5796aef2e6e00d96c12ee0

SHA1
f703035eec111ffb31ea347f3010c35652bec612

SHA256
f21fdfba45f7f88a0f76a2f58ccf951788b175e6947744d62046fe17152ba160

SHA512
888a6db559dc74ca01f82c93508779592943393607047935bb95fdca86cba27cabc5dafeeec57a391404a4d0dd64b88f09a0dccfe38eaefe5d0f84612eff2445

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB1C4.tmp\5tbp.exe

Filesize
108KB

MD5
03b927c7c418bb244c2080e40bc7c20e

SHA1
f8abf451378cbc13ec4c336456d0ba096ed64459

SHA256
317d95ad3f8b58b6e7d7623e4ead965aea9eff10934280ca3cfa104f3d176f48

SHA512
329102dee848ed482c07e3d7cd528088a7526179382d72cf9c5a8325519fe40a5adbb1f8bb560ccd4a8e876f4ca3f0e893f8983195ad775249844dcdf4e39747

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB1C4.tmp\R2R.exe

Filesize
176KB

MD5
fe4a2c026c4e35fa381bca4729529eb4

SHA1
2a01a96f96fab921d8ee819219d69b034e3461b0

SHA256
228a37f572738e60895ccaf9e2399065341bdb19ecab2e25422981de1098d453

SHA512
dabad527ef72213b47a88128c4def4c5871775df45036647807918a3fba3a0af23d274d62bcf2667b66ec5e3e70a62e711989f2c2ae3ceaf398e0a09efd383db

Download Submit
\Users\Admin\AppData\Local\nCECrf.dll

Filesize
108KB

MD5
7d7679b1493c32da08daae1949e9724c

SHA1
32da402420f912e637f2a54c73d54d31c73d4912

SHA256
5f73756e6fafd121ddff05750d8c21a4d9a29d319b8022591787451af7766aa5

SHA512
6a57805aa0d0df5020b0290d4b0121621a278dc97f31c93dfd64420a597d90212037e7559fe5550d2f68e850714fbfc326a887ec48651e3617725edf5258d15d

Download Submit
memory/764-118-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1880-77-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2608-97-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2608-80-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2608-86-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2608-89-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2608-82-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2608-87-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2608-84-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2608-96-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2608-95-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2608-90-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2860-71-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2860-63-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads