cycbot | 2c178f2a3ad5342c0bde45109d924e651bf38cb2adca4b0662107086009de52d

Analysis

max time kernel
141s
max time network
67s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-01-2025 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe
Size

395KB
MD5

1a2f6dd211fd4fad1fe16ca7a411b84d
SHA1

46e0eb473de7b3e5af7667acfcc02fa6e1f267c1
SHA256

2c178f2a3ad5342c0bde45109d924e651bf38cb2adca4b0662107086009de52d
SHA512

c6e1ec0b66a6002741f45445e01c57c560c261bc77c63bdcf222a86587a840329c59ba1a1e37f98c48eeeeaf3f5d3f4c1a2e696932108528db083b93714e47b2
SSDEEP

6144:ik+KWzcEhDDcoSzq6tsWM7F75rzqd85rjx7ntYrNlEzjJihG6K3bNH:etIoWq6tsW6TrD5Hx2puPJihGBbNH

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2896-60-0x0000000000400000-0x0000000000446000-memory.dmp	family_cycbot
behavioral1/memory/2880-65-0x0000000000400000-0x0000000000446000-memory.dmp	family_cycbot
behavioral1/memory/3036-136-0x0000000000400000-0x0000000000446000-memory.dmp	family_cycbot
behavioral1/memory/2880-138-0x0000000000400000-0x0000000000446000-memory.dmp	family_cycbot
behavioral1/memory/2880-249-0x0000000000400000-0x0000000000446000-memory.dmp	family_cycbot

Executes dropped EXE 5 IoCs

pid	Process
2488	0c36ba10.exe
2944	7bf56dbc.exe
2880	bbf0de70.exe
2896	bbf0de70.exe
3036	bbf0de70.exe

Loads dropped DLL 16 IoCs

pid	Process
2424	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe
2424	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe
2424	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe
2424	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe
2424	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe
2424	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe
2984	rundll32.exe
2984	rundll32.exe
2984	rundll32.exe
2984	rundll32.exe
2880	bbf0de70.exe
2880	bbf0de70.exe
1532	rundll32.exe
1532	rundll32.exe
1532	rundll32.exe
1532	rundll32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Equsuregada = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\KBUSerc.dll\",Startup"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	bbf0de70.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2880-45-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2896-60-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2880-65-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/3036-136-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2880-138-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2880-249-0x0000000000400000-0x0000000000446000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7bf56dbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbf0de70.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2984	rundll32.exe
2984	rundll32.exe
2984	rundll32.exe
2984	rundll32.exe
2984	rundll32.exe
2984	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2944	7bf56dbc.exe
2984	rundll32.exe
1532	rundll32.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2424	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe
2488	0c36ba10.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2488	2424	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe	29
PID 2424 wrote to memory of 2488	2424	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe	29
PID 2424 wrote to memory of 2488	2424	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe	29
PID 2424 wrote to memory of 2488	2424	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe	29
PID 2424 wrote to memory of 2944	2424	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe	30
PID 2424 wrote to memory of 2944	2424	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe	30
PID 2424 wrote to memory of 2944	2424	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe	30
PID 2424 wrote to memory of 2944	2424	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe	30
PID 2424 wrote to memory of 2880	2424	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe	31
PID 2424 wrote to memory of 2880	2424	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe	31
PID 2424 wrote to memory of 2880	2424	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe	31
PID 2424 wrote to memory of 2880	2424	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe	31
PID 2944 wrote to memory of 2984	2944	7bf56dbc.exe	32
PID 2944 wrote to memory of 2984	2944	7bf56dbc.exe	32
PID 2944 wrote to memory of 2984	2944	7bf56dbc.exe	32
PID 2944 wrote to memory of 2984	2944	7bf56dbc.exe	32
PID 2944 wrote to memory of 2984	2944	7bf56dbc.exe	32
PID 2944 wrote to memory of 2984	2944	7bf56dbc.exe	32
PID 2944 wrote to memory of 2984	2944	7bf56dbc.exe	32
PID 2880 wrote to memory of 2896	2880	bbf0de70.exe	33
PID 2880 wrote to memory of 2896	2880	bbf0de70.exe	33
PID 2880 wrote to memory of 2896	2880	bbf0de70.exe	33
PID 2880 wrote to memory of 2896	2880	bbf0de70.exe	33
PID 2880 wrote to memory of 3036	2880	bbf0de70.exe	35
PID 2880 wrote to memory of 3036	2880	bbf0de70.exe	35
PID 2880 wrote to memory of 3036	2880	bbf0de70.exe	35
PID 2880 wrote to memory of 3036	2880	bbf0de70.exe	35
PID 2984 wrote to memory of 1532	2984	rundll32.exe	36
PID 2984 wrote to memory of 1532	2984	rundll32.exe	36
PID 2984 wrote to memory of 1532	2984	rundll32.exe	36
PID 2984 wrote to memory of 1532	2984	rundll32.exe	36
PID 2984 wrote to memory of 1532	2984	rundll32.exe	36
PID 2984 wrote to memory of 1532	2984	rundll32.exe	36
PID 2984 wrote to memory of 1532	2984	rundll32.exe	36

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\0c36ba10.exe
  C:\Users\Admin\AppData\Local\Temp\0c36ba10.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2488
- C:\Users\Admin\AppData\Local\Temp\7bf56dbc.exe
  C:\Users\Admin\AppData\Local\Temp\7bf56dbc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\KBUSerc.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\KBUSerc.dll",iep
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1532
- C:\Users\Admin\AppData\Local\Temp\bbf0de70.exe
  C:\Users\Admin\AppData\Local\Temp\bbf0de70.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Users\Admin\AppData\Local\Temp\bbf0de70.exe
    C:\Users\Admin\AppData\Local\Temp\bbf0de70.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    3⤵
    - Executes dropped EXE
    PID:2896
- - C:\Users\Admin\AppData\Local\Temp\bbf0de70.exe
    C:\Users\Admin\AppData\Local\Temp\bbf0de70.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\159E.AF5

Filesize
996B

MD5
0206c3cf8bddfa9d599642fc43374f96

SHA1
53b1645bbc9be9c5666c54a7833c7c6e52b91cb4

SHA256
9a79271ccb8ab86326d4f9cb019797508a27a3e0ebf6cd2b60bb25310e7b1de9

SHA512
024e7d25412dd98dd9138ab433b66a45a2e1bb0fef5d572a91d52a2522a31c608bfdb0aac369d082b2eb4fd0d79057715bd3bc977f5fdc9862aed5fbd2a461d3

Download Submit
C:\Users\Admin\AppData\Roaming\159E.AF5

Filesize
1KB

MD5
445ea8f812fa51da3ea61f1c8934f3db

SHA1
5e32aff445622a15aae38f84870cc27361604c60

SHA256
cf8c802b552bcfe7712e85760175a0f06ebba9acf3e2ff50144d48bb992aa153

SHA512
0588c800e2ead69a71573c2b8295db3416b47a21c054f5e7a3b63fd1261f41112d2b0833a76bc29f944e962552ec920707f28b570ec795992ef0439bd447e5be

Download Submit
C:\Users\Admin\AppData\Roaming\159E.AF5

Filesize
600B

MD5
42a29d5cf4a8fe6d86fb41dfd4464966

SHA1
204149360f523b99c48482f16df034ba18c44679

SHA256
9f0ab2ae7de7cd0547e066ed3fadd7e5c73c99ac4c37e9a8a30ae3e4683d52df

SHA512
2e5584b0d853fc1f5687a2f17e793aacc0548f43e75c92b4a27c519c2a12243a124078a2290dd13dd2af61cfa72b599803a7537daef4bbd34b4ba784585c85e4

Download Submit
\Users\Admin\AppData\Local\KBUSerc.dll

Filesize
120KB

MD5
3bd6790c828aca94e5a59e55ccf490aa

SHA1
1693860436086f31ba1ac307e445dd8febc550d7

SHA256
628ef24a5390f5bdc267f0faf2b4c42a1c9eee39268db9eddcd934c0d121efb7

SHA512
d99f77dd4759df623840b3752d7047da30887ce5a86f9cb415d5f2fec325f5c200e43e04b01256729728b6ca0729efc1479ea6b072621164adb26cbfbd7ecaeb

Download Submit
\Users\Admin\AppData\Local\Temp\0c36ba10.exe

Filesize
52KB

MD5
3e6c0e0a790914e48584edad6b3665f7

SHA1
c6172ab5d76ef86236cc6aec203ecc87fc85328f

SHA256
007bd364ebe3b10abfeec0ec2615dff53dfd2d9994217e545b5dd1476b198cec

SHA512
909b63e026b76335f5bd32b6caf62ec109e6e68810f56fd7e6abce824705f0a6df69797bbdebcb6360d15d1c8724ee4b09eca0c74a209e4deae9c5011c85b3cb

Download Submit
\Users\Admin\AppData\Local\Temp\7bf56dbc.exe

Filesize
120KB

MD5
50cac2ddd6a0d03ed75d63b996bf0798

SHA1
2429cae06a4362855e45311311e08537154181bf

SHA256
f3cedf3f417bd1590a6615bb315e49003ec76b4400504d5175088d9adb7eacb8

SHA512
b4844b7f9cdbc9496617ff6061357c477b698c1586684d76846112d5d715cf651e719221247f7916f245db60a23de3902783f5b052739773d303b1a7b649e399

Download Submit
\Users\Admin\AppData\Local\Temp\bbf0de70.exe

Filesize
167KB

MD5
a23a4cb686b3fce755ba7abf5e18a639

SHA1
f4898ccb547ab75827624b911ba38f1e5bb67449

SHA256
d667aa058a917018c2b10a58e1d52bbcfd43a9c8362d3ac4ec6ff480d7063c67

SHA512
edb50a7a2e5cc2bbf5690c77a8aa1b4bcc6c6270e5351faf4203b023b5fa8e1d25fc7b0fb5f222eea804388a3675f7fff47e12c6c6baa3e302a4665402841f3c

Download Submit
memory/1532-242-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2424-35-0x0000000000300000-0x0000000000366000-memory.dmp

Filesize
408KB

Download
memory/2424-0-0x0000000000300000-0x0000000000366000-memory.dmp

Filesize
408KB

Download
memory/2424-31-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2424-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2488-11-0x0000000000220000-0x0000000000231000-memory.dmp

Filesize
68KB

Download
memory/2488-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2488-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2880-45-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2880-65-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2880-249-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2880-138-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2896-60-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2944-61-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/2944-62-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/2944-25-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/2944-24-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2944-66-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2944-23-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/2984-214-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2984-42-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2984-68-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2984-63-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2984-41-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2984-64-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2984-244-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2984-43-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/3036-136-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download