cycbot | 4e13b1d5ab5234f228658e47f7d02be93a172e01483bcc27c041516fd128b354

Analysis

max time kernel
140s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2025 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5790b8365cafa2868f4fe4af4b90ed21.exe
Size

187KB
MD5

5790b8365cafa2868f4fe4af4b90ed21
SHA1

52c2f9a4aef7bf8b7d700c631b148b14cbef59a6
SHA256

4e13b1d5ab5234f228658e47f7d02be93a172e01483bcc27c041516fd128b354
SHA512

1a58acc5f58fb233eefcc670a808b4284cb2d479312ed6557f32b6421b8d8e9cc3c8ed031c1252af3adf651667073e7d5d152dac532f884701136895752c67d9
SSDEEP

3072:7O/Rpeq71qplZ2+0wk3ilnB68X0YRNfBRdlQH03+7DFNEbS6LjamDlL6WS:7O/R9clZ2kiqNBRNfB5SPFSS63a8u

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1500-13-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/872-14-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/3636-77-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/872-184-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/872-1-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/1500-11-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/1500-13-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/872-14-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/3636-77-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/872-184-0x0000000000400000-0x0000000000452000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5790b8365cafa2868f4fe4af4b90ed21.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 1500	872	JaffaCakes118_5790b8365cafa2868f4fe4af4b90ed21.exe	83
PID 872 wrote to memory of 1500	872	JaffaCakes118_5790b8365cafa2868f4fe4af4b90ed21.exe	83
PID 872 wrote to memory of 1500	872	JaffaCakes118_5790b8365cafa2868f4fe4af4b90ed21.exe	83
PID 872 wrote to memory of 3636	872	JaffaCakes118_5790b8365cafa2868f4fe4af4b90ed21.exe	92
PID 872 wrote to memory of 3636	872	JaffaCakes118_5790b8365cafa2868f4fe4af4b90ed21.exe	92
PID 872 wrote to memory of 3636	872	JaffaCakes118_5790b8365cafa2868f4fe4af4b90ed21.exe	92

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5790b8365cafa2868f4fe4af4b90ed21.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5790b8365cafa2868f4fe4af4b90ed21.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:872
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5790b8365cafa2868f4fe4af4b90ed21.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5790b8365cafa2868f4fe4af4b90ed21.exe startC:\Program Files (x86)\Internet Explorer\D3AB\8D9.exe%C:\Program Files (x86)\Internet Explorer\D3AB
  2⤵
  PID:1500
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5790b8365cafa2868f4fe4af4b90ed21.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5790b8365cafa2868f4fe4af4b90ed21.exe startC:\Users\Admin\AppData\Roaming\B9B52\FCED3.exe%C:\Users\Admin\AppData\Roaming\B9B52
  2⤵
  PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B9B52\243C.9B5

Filesize
1KB

MD5
6b75ea9198b49c4b3d403e9013b61349

SHA1
2d5728632550ce6ca6be19d0daea636a5aa33bc6

SHA256
dd4895fbe07931b5cb18dca294ecc6e5eaac2ddcca6ece6e308b363237b61074

SHA512
6ca20305b652f05cb73ecd805f6637a91853baa925631e98d028d2f1ba42dd868b7e7d23e44f85ca70e7a5b392488d09ba0bbbeffcd33dff213186d7948271cb

Download Submit
C:\Users\Admin\AppData\Roaming\B9B52\243C.9B5

Filesize
600B

MD5
1be2c4060bb337a67c8aa94ecea4d479

SHA1
ce8b3da7e69abe06e68c6da707c504e5de565754

SHA256
adc903018a95e2dbcd085c9f2f593201b1a3181ceeb6afd24f69aa3ac440c10a

SHA512
8fe459d59a7d3926596b1245b8218d4cb2fb6312d1f4728fb6760ebf04054e2bdb43ccfb5183845380b3a3477c9b1660c1ee907550ddc40d18404f2b0f5b658d

Download Submit
C:\Users\Admin\AppData\Roaming\B9B52\243C.9B5

Filesize
996B

MD5
0ff8027d6dd0aa72e8ed5d3c84793056

SHA1
c40dd1ad4b7c900482da75bba9a6b12f7ab8d1b7

SHA256
42fe795b1b693f042fe291b440d5d5e73f683c3596770f5befdf9b7f5c2f1863

SHA512
55ee374339b4466303c18c68db29452124e04b5fe71eaf14fddb69ce3b9b1bc91dc642121d16309262bd7eb417ab74ae5f529741531db2e23410c5d863ad76b5

Download Submit
memory/872-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/872-14-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/872-184-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1500-10-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1500-11-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1500-13-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3636-77-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download