cycbot | adbc69392f2228409823e74c54b07934ecd893b482e7cec9d6ef126ea9e7046f

Resubmissions

14-01-2025 03:30

250114-d2pe3avrds 10

14-01-2025 03:26

250114-dznqraxqcp 10

Analysis

max time kernel
890s
max time network
775s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2025 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
Size

180KB
MD5

3499252c1c101b70e8919d979c85def8
SHA1

be592b22639c963569a6057f99021c13ffd86907
SHA256

adbc69392f2228409823e74c54b07934ecd893b482e7cec9d6ef126ea9e7046f
SHA512

7a70b47b788cf39b8a1549525733b70e486e76d8e7b6e1fce4ffbccaad8f24d5a377c92a006aec51e9da2142c84034ef039e3e937d73e1502d3d7be2831c4d4c
SSDEEP

3072:NjUgWSg0pLFZc2JXbMpCOZNfWcDXm4kn1mt7/r3yyDe3pVRF3siM7NtUGaEBOvQH:NjUqg0pLjcIXmtNfbX9t7/r3GaiYqY4M

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 13 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/468-14-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral2/memory/4708-15-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral2/memory/4708-76-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral2/memory/2400-81-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral2/memory/4708-177-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral2/memory/3092-188-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral2/memory/3480-192-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral2/memory/4708-198-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral2/memory/4708-359-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral2/memory/656-369-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral2/memory/2152-435-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral2/memory/2604-510-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral2/memory/4940-516-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4708-2-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/468-13-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/468-14-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/4708-15-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/4708-76-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/2400-79-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/2400-78-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/2400-81-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/4708-177-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/3092-188-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/3480-192-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/4708-198-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/4708-359-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/656-369-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/2152-435-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/2604-510-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/4940-516-0x0000000000400000-0x000000000044C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 468	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	83
PID 4708 wrote to memory of 468	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	83
PID 4708 wrote to memory of 468	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	83
PID 4708 wrote to memory of 2400	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	93
PID 4708 wrote to memory of 2400	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	93
PID 4708 wrote to memory of 2400	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	93
PID 4708 wrote to memory of 3092	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	102
PID 4708 wrote to memory of 3092	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	102
PID 4708 wrote to memory of 3092	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	102
PID 4708 wrote to memory of 3480	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	103
PID 4708 wrote to memory of 3480	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	103
PID 4708 wrote to memory of 3480	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	103
PID 4708 wrote to memory of 656	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	104
PID 4708 wrote to memory of 656	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	104
PID 4708 wrote to memory of 656	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	104
PID 4708 wrote to memory of 2152	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	105
PID 4708 wrote to memory of 2152	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	105
PID 4708 wrote to memory of 2152	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	105
PID 4708 wrote to memory of 2604	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	106
PID 4708 wrote to memory of 2604	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	106
PID 4708 wrote to memory of 2604	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	106
PID 4708 wrote to memory of 4940	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	107
PID 4708 wrote to memory of 4940	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	107
PID 4708 wrote to memory of 4940	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	107
PID 4708 wrote to memory of 4932	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	108
PID 4708 wrote to memory of 4932	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	108
PID 4708 wrote to memory of 4932	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	108
PID 4708 wrote to memory of 1088	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	109
PID 4708 wrote to memory of 1088	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	109
PID 4708 wrote to memory of 1088	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	109
PID 4708 wrote to memory of 3152	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	110
PID 4708 wrote to memory of 3152	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	110
PID 4708 wrote to memory of 3152	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	110
PID 4708 wrote to memory of 2464	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	111
PID 4708 wrote to memory of 2464	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	111
PID 4708 wrote to memory of 2464	4708	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	111

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:468
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2400
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:3092
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:3480
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:656
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2152
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2604
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:4940
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:4932
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:1088
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:3152
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\50ED.7D2

Filesize
1KB

MD5
858a6eb831e0c83cf794c250b4a95e7a

SHA1
c165e121a534c93b5daae08a1be4bcb113555d96

SHA256
73775a731de386436cf1b04fc28221fdd000b5515a573d633cd67f698857678b

SHA512
fdf189196a3c8f701db615503a3c384922fb8f4fba265a631ab4e148a3b45a11583031872142e4ba983c08cd6bc43af736dabe1ca5ab9171ea7c3715f414f604

Download Submit
C:\Users\Admin\AppData\Roaming\50ED.7D2

Filesize
600B

MD5
dbf11bb7b6b29b0b2453609219c0de27

SHA1
5d59229cfe73f6e7e432e8d50fd4fb7efdde2436

SHA256
94f2d2b693d9343fce6b8c20cbd2b1c79e189ed41ff3e257dcb613a1ca0735a2

SHA512
36dc623152a52b13e1b56c846f095675b067a44060ee25a4392d11a05bfe5eab223234de42b26f9a8ff496ba87655212a5e86d0ce8106c832a699d83978f5807

Download Submit
C:\Users\Admin\AppData\Roaming\50ED.7D2

Filesize
1KB

MD5
a4f5cd017b6da106003a59c5ef13aac1

SHA1
19bd0d45d776ff25ec0739d1607087db8fc36005

SHA256
4b4210152af25bdccc883d75aa6b02a3e8ee1df6ab1566471b112dffaa71497b

SHA512
f5fbca1ae6bc9065eff83f6b8a54106c9a091880a61ca5ad47878d3d00e586b9f14371e42d91d804a50172775e4f772e85cf87b2c4a8a0e01f81a9f55cc5c6a0

Download Submit
C:\Users\Admin\AppData\Roaming\50ED.7D2

Filesize
2KB

MD5
0210c8d37cef94723b2e8e040e244896

SHA1
3935bc5f878509d1cdce015469384f63cbf06ebb

SHA256
42b7c44240044437caf19eafa017b52b21efa7d1e4ae59b44c78494ec121e4cf

SHA512
dbd8a67c1daa8cdf46e5beac142a28bf72375df560db271da41e31da52942b0bdad88a921566f8b33d4ce1c58a2a96e3bf181554251192ab63c583684344b954

Download Submit
C:\Users\Admin\AppData\Roaming\50ED.7D2

Filesize
2KB

MD5
68e40aa597189dbe72c07c7acd637613

SHA1
3ff2768b977f6793141c3790a03fb7dd09555ec7

SHA256
d7ea418c0f3ace588f2999880fdc70d309124c447715bd47967a577d73bf74ce

SHA512
3ac667f786186c016a8d8f886140a291f8bcda0a9d6276acc1a704461f221592530a14d341a52f810f3bfc79bea54c37286d44aadea9d6be7b77a4e7db0df2e2

Download Submit
C:\Users\Admin\AppData\Roaming\50ED.7D2

Filesize
2KB

MD5
6d9fd4a777b5e94524e6a17a2f5a96f6

SHA1
967ab1a04628b71c17db21cbe9c57515725922ed

SHA256
78959190c7d994becf8ceda09530037e5c028cdac7d7d10d954ee62aaee414ba

SHA512
70249f5fb9a768ca097883e698bbd77a1ab7e28b6b6a7afea443cfd11b4142e98c3c6be43e52b396396d544c9779ec65e4fcddd1ba9073dfcb57636d71377934

Download Submit
C:\Users\Admin\AppData\Roaming\50ED.7D2

Filesize
2KB

MD5
78518c5a30ad721b2d9148dfaaf22550

SHA1
fb83d34a703d474039f3c1ba1238569ad4747205

SHA256
04ce86c728987dbb307e515e8195533ab4a07b613f643ff4ce59ee9cedbda3b8

SHA512
9503d3f1049739c04667bc202b08739bbde21244495e775fb23f1deca5182a74e97a77774587546fe246e266a17ab914f32d131ea13e925c899c8201ebcee80e

Download Submit
C:\Users\Admin\AppData\Roaming\50ED.7D2

Filesize
996B

MD5
0db65a62665ce3a11ad28aa911f3b534

SHA1
39b4c56926531ddacd37343f2e2bebc6750d6bec

SHA256
acc403322c90be12b62b4a6cf1d3237665dc9777344d298495d551cc2d9cf824

SHA512
80f0ad60092b68f6a0103eed63c16e6208f18fab981785555ae897e0125b297e61b612bc2360d11cd42084a42e45a9de8b49a57ff674507602871cf7e45b18c2

Download Submit
memory/468-13-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/468-14-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/468-12-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/656-369-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2152-435-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2400-81-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2400-78-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2400-79-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2604-510-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3092-188-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3480-192-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4708-76-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4708-1-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4708-15-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4708-359-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4708-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4708-198-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4708-177-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4940-516-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download