cycbot | 26ac6522c2d76489f05bd905f4758e945a01e51e60e4dcbc5477f61e59925144

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-01-2025 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe
Size

387KB
MD5

4ff3ef6b696bc4d00a134f153182f8cb
SHA1

a73170476d633cb97cda0851401f2e88bd34a77b
SHA256

26ac6522c2d76489f05bd905f4758e945a01e51e60e4dcbc5477f61e59925144
SHA512

9ab6529f8f61efba11512b6a5975fc2946f03860d5bc73b008a1ccf1281e5e0d10893595835837942d3db810bb4654ab2dcf0515da03167b35da10d66e4e3845
SSDEEP

6144:H+r46Fh3HEHcHtUNUuD3/coMpHjMtZLlAlkZehyO5WCEq2EKp:LqccHtUNU43/p2DMnLlACehxEqo

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1672-56-0x0000000000400000-0x0000000000446000-memory.dmp	family_cycbot
behavioral1/memory/2880-64-0x0000000000400000-0x0000000000446000-memory.dmp	family_cycbot
behavioral1/memory/2880-128-0x0000000000400000-0x0000000000446000-memory.dmp	family_cycbot
behavioral1/memory/2396-131-0x0000000000400000-0x0000000000446000-memory.dmp	family_cycbot
behavioral1/memory/2880-256-0x0000000000400000-0x0000000000446000-memory.dmp	family_cycbot

Executes dropped EXE 5 IoCs

pid	Process
2372	d04b0559.exe
2712	910391bd.exe
2880	44bdc883.exe
1672	44bdc883.exe
2396	44bdc883.exe

Loads dropped DLL 16 IoCs

pid	Process
2892	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe
2892	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe
2892	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe
2892	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe
2892	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe
2892	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2880	44bdc883.exe
2880	44bdc883.exe
1744	rundll32.exe
1744	rundll32.exe
1744	rundll32.exe
1744	rundll32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	44bdc883.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kvijowij = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\mstinsL.dll\",Startup"	rundll32.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2880-37-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1672-56-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1672-54-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2880-64-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2880-128-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2396-131-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2880-256-0x0000000000400000-0x0000000000446000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	910391bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44bdc883.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2712	910391bd.exe
2744	rundll32.exe
1744	rundll32.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2892	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe
2372	d04b0559.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2372	2892	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe	30
PID 2892 wrote to memory of 2372	2892	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe	30
PID 2892 wrote to memory of 2372	2892	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe	30
PID 2892 wrote to memory of 2372	2892	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe	30
PID 2892 wrote to memory of 2712	2892	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe	31
PID 2892 wrote to memory of 2712	2892	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe	31
PID 2892 wrote to memory of 2712	2892	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe	31
PID 2892 wrote to memory of 2712	2892	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe	31
PID 2892 wrote to memory of 2880	2892	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe	32
PID 2892 wrote to memory of 2880	2892	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe	32
PID 2892 wrote to memory of 2880	2892	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe	32
PID 2892 wrote to memory of 2880	2892	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe	32
PID 2712 wrote to memory of 2744	2712	910391bd.exe	33
PID 2712 wrote to memory of 2744	2712	910391bd.exe	33
PID 2712 wrote to memory of 2744	2712	910391bd.exe	33
PID 2712 wrote to memory of 2744	2712	910391bd.exe	33
PID 2712 wrote to memory of 2744	2712	910391bd.exe	33
PID 2712 wrote to memory of 2744	2712	910391bd.exe	33
PID 2712 wrote to memory of 2744	2712	910391bd.exe	33
PID 2880 wrote to memory of 1672	2880	44bdc883.exe	34
PID 2880 wrote to memory of 1672	2880	44bdc883.exe	34
PID 2880 wrote to memory of 1672	2880	44bdc883.exe	34
PID 2880 wrote to memory of 1672	2880	44bdc883.exe	34
PID 2880 wrote to memory of 2396	2880	44bdc883.exe	36
PID 2880 wrote to memory of 2396	2880	44bdc883.exe	36
PID 2880 wrote to memory of 2396	2880	44bdc883.exe	36
PID 2880 wrote to memory of 2396	2880	44bdc883.exe	36
PID 2744 wrote to memory of 1744	2744	rundll32.exe	37
PID 2744 wrote to memory of 1744	2744	rundll32.exe	37
PID 2744 wrote to memory of 1744	2744	rundll32.exe	37
PID 2744 wrote to memory of 1744	2744	rundll32.exe	37
PID 2744 wrote to memory of 1744	2744	rundll32.exe	37
PID 2744 wrote to memory of 1744	2744	rundll32.exe	37
PID 2744 wrote to memory of 1744	2744	rundll32.exe	37

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Temp\d04b0559.exe
  C:\Users\Admin\AppData\Local\Temp\d04b0559.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2372
- C:\Users\Admin\AppData\Local\Temp\910391bd.exe
  C:\Users\Admin\AppData\Local\Temp\910391bd.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\mstinsL.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\mstinsL.dll",iep
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1744
- C:\Users\Admin\AppData\Local\Temp\44bdc883.exe
  C:\Users\Admin\AppData\Local\Temp\44bdc883.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Users\Admin\AppData\Local\Temp\44bdc883.exe
    C:\Users\Admin\AppData\Local\Temp\44bdc883.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    3⤵
    - Executes dropped EXE
    PID:1672
- - C:\Users\Admin\AppData\Local\Temp\44bdc883.exe
    C:\Users\Admin\AppData\Local\Temp\44bdc883.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\44bdc883.exe

Filesize
167KB

MD5
d7b4181b27e3c49fe004e269729b64ab

SHA1
46009d16834c399a1ba6d401150d25f1b630fafd

SHA256
c121ef0915388809056150fa9542e3c61c4dbba4177b53e2704f922535f47013

SHA512
5a1f3149a3b3cc5f8bc8d9ce3111ac4e4fcbcd14ce8cc8a7cff34aec5c5fd489e1878ef2a39a093964566330373362eaec7326d6a82d4dc427740275dd101e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\910391bd.exe

Filesize
112KB

MD5
3ca26258ccf37f6144e78d2fe06dff8e

SHA1
1d34534ccdc271d07b36c1d810517dd6c20568d6

SHA256
ae177b7b6ed91a117eb452dc705dcc0fefc65b361cfa08ece0bfc0d185f89a96

SHA512
965039266b6aa45f953ea4515b4d8344b9a8277ea9717aa167ce0bf0cd19ae0dab25b6a25c6abb065f45c2c25bcff6278f3708d96414a7c7a3de4a20dbc6459a

Download Submit
C:\Users\Admin\AppData\Local\mstinsL.dll

Filesize
112KB

MD5
ac2d37da5ee9c3c94e026538ebbc64ca

SHA1
27a2153e9a645cf2ea7cbaa9d90e4daea2f76ffc

SHA256
ef1a951c9840e57ca1fd4823accaa66fc124df61d2897413d6f83970f3f56678

SHA512
def7437d93346eaba75f0d8b84d46d4e912021448bea94425ad1f684bfefa32337bc139f8d378b3347440762d346f9fee3a0d252432d5983006d21bf545edcb5

Download Submit
C:\Users\Admin\AppData\Roaming\F64E.3DB

Filesize
1KB

MD5
cf3060e7963b6fb6a4467c3a864e5987

SHA1
7afdc5dd012e2ad52edfee49ade93035673819f1

SHA256
9279549c683cefa7c1530aaed29d3a8e0db4e04cb678e37cb6aabda7e2eab8e9

SHA512
935dd64e3b9c9b6ac21d884e6422977affd2ae9e077666503c223eb881c1643240a04c39f73ddeed5e78375269b753f12990b96c67b58e4610944e09853483c9

Download Submit
C:\Users\Admin\AppData\Roaming\F64E.3DB

Filesize
600B

MD5
d5ffe1cf2273b0c346af9c2b2ca80fe3

SHA1
0f432c3fb67e938d7d0d1a10340ca566f220bfef

SHA256
9d01845ffac23f36e2358d6d0e396a3f84719443fa1e78e8bb2a3081e9dd1892

SHA512
85ae22a90a25c144bef3a35327dadc4bf7fa3bfe77b1dc5c6debece0a60a450d5c4b82233157e2b7b1dfb638e9491548abc18371b68597eabe18dff4a1ec3cb2

Download Submit
\Users\Admin\AppData\Local\Temp\d04b0559.exe

Filesize
52KB

MD5
03a0c199e8d5b1b2c143a4e2f4d4926d

SHA1
3b2bac2ea10faf6e67d477a797c58879d3e2b229

SHA256
85252f50292b5f6974099b02674c7bafa3cd7403e70f94cf457bd7167b99c172

SHA512
54f91ef41fffa2dd33697206f085a411035f8c4421f4574af8e53a65311427fac9d28c0c015f820dec0b7c9ca842d970632ff0537faa7914fb1f40c26e798c6f

Download Submit
memory/1672-56-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1672-54-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1744-249-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2372-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2372-18-0x0000000000220000-0x0000000000231000-memory.dmp

Filesize
68KB

Download
memory/2372-61-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2396-131-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2712-30-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2712-127-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2712-36-0x0000000001F00000-0x0000000001F40000-memory.dmp

Filesize
256KB

Download
memory/2712-63-0x0000000001F00000-0x0000000001F40000-memory.dmp

Filesize
256KB

Download
memory/2712-62-0x0000000001F00000-0x0000000001F40000-memory.dmp

Filesize
256KB

Download
memory/2712-34-0x0000000001F00000-0x0000000001F40000-memory.dmp

Filesize
256KB

Download
memory/2744-216-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2744-46-0x00000000008F0000-0x0000000000930000-memory.dmp

Filesize
256KB

Download
memory/2744-47-0x00000000008F0000-0x0000000000930000-memory.dmp

Filesize
256KB

Download
memory/2744-65-0x00000000008F0000-0x0000000000930000-memory.dmp

Filesize
256KB

Download
memory/2744-45-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2744-129-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2744-248-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2880-128-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2880-37-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2880-64-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2880-256-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2892-1-0x00000000004E0000-0x0000000000544000-memory.dmp

Filesize
400KB

Download
memory/2892-28-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2892-2-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download