cycbot | adbc69392f2228409823e74c54b07934ecd893b482e7cec9d6ef126ea9e7046f

Resubmissions

14-01-2025 03:30

250114-d2pe3avrds 10

14-01-2025 03:26

250114-dznqraxqcp 10

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2025 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
Size

180KB
MD5

3499252c1c101b70e8919d979c85def8
SHA1

be592b22639c963569a6057f99021c13ffd86907
SHA256

adbc69392f2228409823e74c54b07934ecd893b482e7cec9d6ef126ea9e7046f
SHA512

7a70b47b788cf39b8a1549525733b70e486e76d8e7b6e1fce4ffbccaad8f24d5a377c92a006aec51e9da2142c84034ef039e3e937d73e1502d3d7be2831c4d4c
SSDEEP

3072:NjUgWSg0pLFZc2JXbMpCOZNfWcDXm4kn1mt7/r3yyDe3pVRF3siM7NtUGaEBOvQH:NjUqg0pLjcIXmtNfbX9t7/r3GaiYqY4M

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1440-13-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral2/memory/3648-14-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral2/memory/3016-80-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral2/memory/3648-81-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral2/memory/3648-187-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral2/memory/3648-189-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3648-2-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/1440-12-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/1440-13-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/3648-14-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/3016-80-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/3648-81-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/3648-187-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/3648-189-0x0000000000400000-0x000000000044C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3648 wrote to memory of 1440	3648	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	84
PID 3648 wrote to memory of 1440	3648	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	84
PID 3648 wrote to memory of 1440	3648	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	84
PID 3648 wrote to memory of 3016	3648	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	86
PID 3648 wrote to memory of 3016	3648	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	86
PID 3648 wrote to memory of 3016	3648	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	86

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:1440
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C95B.420

Filesize
1KB

MD5
bb604e072127e56d3433b9f6fe4ecc18

SHA1
33e4bda0a79843f584f59e77f8e04c74f0175a9f

SHA256
20ec285dda12d4bbe6ffcae4ddb8642699a95c6528830a47434bc6f547b7e2c9

SHA512
b720ac89f14a0d2147e88fbdbf530055220f1a6b00f2e856c84876b53151b3e9879d8620a806fb13fffb77f7f428ccda0afa25e40e680a5b592b5a355e1a7faa

Download Submit
C:\Users\Admin\AppData\Roaming\C95B.420

Filesize
600B

MD5
d8972cbe274faff3ba9ba7d0728dcfee

SHA1
e64e917c0825f5488d6ddbb913b3239331ec3126

SHA256
437a7d1f313768ccff26652c7054429260276af60e5f014ad524a4ff4dd6c713

SHA512
dce7cbf61bd5710671991a4177c0300900966ed8c02115b7a7edd462e41a22ff74f675bd802049d4176ea3c8232834df07cc26b96941d86fc4a2d85547ad60da

Download Submit
C:\Users\Admin\AppData\Roaming\C95B.420

Filesize
996B

MD5
9294896cbeb4339b795ad8cd2bad0a64

SHA1
e606cafbd4e5b3f379cb749ff7e3216280a805b6

SHA256
88f8dd564e70b4e3d640a957ac305229607ce9ea370f002eedd04a6b232dccac

SHA512
29cb7cd5fdfdc7d9ec648d0f5887c03e88c718d566fcbb4de9dab0b2e82cb60d7c7d4ee155306140de4c585b6db60c7a39c4461fd1b1097e852b049e0249c8c9

Download Submit
memory/1440-12-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1440-13-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3016-80-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3648-1-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3648-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3648-14-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3648-81-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3648-187-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3648-189-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads