cycbot | 19e9e59ba2f284bc7df20c817e539b04bd76883ea85c7635b5f0bf3b35a2761b

Resubmissions

12-01-2025 13:03

250112-qawfhswjhp 10

12-01-2025 12:53

250112-p45qlssqft 10

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0f1338e1991adc7f282be7b9bf1ff834.exe
Size

188KB
MD5

0f1338e1991adc7f282be7b9bf1ff834
SHA1

1f10d0ffbe9ae4e312d7e0b435aeb4a04fd70efc
SHA256

19e9e59ba2f284bc7df20c817e539b04bd76883ea85c7635b5f0bf3b35a2761b
SHA512

792962ab530720226285324a09db8712a41a6dfbd47c0ff28a672f9ff70bd8ca764a3737033f32d809127282a44dcbd58f785fa4b58e2d278d293a45138fe5bf
SSDEEP

3072:bjNiyF5DyhIFYdZrmM4n1XvudI1V+6rdj7xE3GSo3ln+xRf2RKoUY6u//Y7KoO:XNikFyCFYdgM3dIBr5i2Sa5KQAt

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4796-13-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1576-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1576-15-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/4084-122-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1576-285-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1576-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4796-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4796-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1576-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1576-15-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/4084-120-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4084-122-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1576-285-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0f1338e1991adc7f282be7b9bf1ff834.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 4796	1576	JaffaCakes118_0f1338e1991adc7f282be7b9bf1ff834.exe	84
PID 1576 wrote to memory of 4796	1576	JaffaCakes118_0f1338e1991adc7f282be7b9bf1ff834.exe	84
PID 1576 wrote to memory of 4796	1576	JaffaCakes118_0f1338e1991adc7f282be7b9bf1ff834.exe	84
PID 1576 wrote to memory of 4084	1576	JaffaCakes118_0f1338e1991adc7f282be7b9bf1ff834.exe	99
PID 1576 wrote to memory of 4084	1576	JaffaCakes118_0f1338e1991adc7f282be7b9bf1ff834.exe	99
PID 1576 wrote to memory of 4084	1576	JaffaCakes118_0f1338e1991adc7f282be7b9bf1ff834.exe	99

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0f1338e1991adc7f282be7b9bf1ff834.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0f1338e1991adc7f282be7b9bf1ff834.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0f1338e1991adc7f282be7b9bf1ff834.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0f1338e1991adc7f282be7b9bf1ff834.exe startC:\Program Files (x86)\LP\0B07\619.exe%C:\Program Files (x86)\LP\0B07
  2⤵
  PID:4796
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0f1338e1991adc7f282be7b9bf1ff834.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0f1338e1991adc7f282be7b9bf1ff834.exe startC:\Users\Admin\AppData\Roaming\7AF6F\97B0B.exe%C:\Users\Admin\AppData\Roaming\7AF6F
  2⤵
  PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7AF6F\FE06.AF6

Filesize
996B

MD5
5810060a3aec98a1f931f0488f6e2703

SHA1
90aa49810c14dc6acbb92d67da34e1c7cef17289

SHA256
291484c691fa54a14cb17713fc17331f9851fd487b5b927a89867650695b4467

SHA512
3053c2fa571d6846b9c9c20acb701484124d412a74ecd0f9d9be2111179bbcf1a1ac87e60132805a90e2561165a7d6e4aee3dbaed8d74c441e85a1b9bd8ea2da

Download Submit
C:\Users\Admin\AppData\Roaming\7AF6F\FE06.AF6

Filesize
600B

MD5
d5c8f26e6882453064049b53c05e598f

SHA1
4ed269846b13f7b784e46509fe987219a0cd7b11

SHA256
e2036116ceaa78ac70198a7dc607382d361a9cac421484d037a377b3219fccf7

SHA512
c123fcc00f4f8485ac835aa8d80f85a54faa2ae0078a1ec189fd6dbbdade8290004a6ab85fe50c0a100f89abcd41402ef17bbf634109ac5d4b0ba92920c20c5a

Download Submit
C:\Users\Admin\AppData\Roaming\7AF6F\FE06.AF6

Filesize
1KB

MD5
eb870133a1d582a422ce314e37421cbb

SHA1
ccfcbb7842b294d0b439b830329a4a2edb4c065b

SHA256
5b0d4c068abe589c438e70b5fb2b01c850163a6076bba5031994c68ad92bca27

SHA512
5508a4697339023ced800eb70630187eec1dd280d3c5e29b416cc3294eea23423eeabfc22ca5a6b4d6aa1121c596c02b18c4d15551d07cd23da448d952f3bcf2

Download Submit
memory/1576-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1576-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1576-285-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1576-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1576-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4084-122-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4084-120-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4796-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4796-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4796-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download