cycbot | 4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1

Analysis

max time kernel
140s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/01/2025, 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe
Size

186KB
MD5

7911b3c2b5597bade8af33b64cbead69
SHA1

ba3b3b48152c7387481d637d76535b1490f97185
SHA256

4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1
SHA512

391e0216a05ab95fad3adf936accc8770a2238bfa5363f7f178ec0a55063aa93e5eb2460f5cab2399d8c11e98cd07d3397c79d5912846f2341052ec37468501a
SSDEEP

3072:Jz+yYdb/Rs7U5MKTK3jNpp83Jh31+sJcmPmGXxE6E2pfbS1oB0VZhW:pWts7/KTkjNpwJp1vmGXxg2hwoB0

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/432-11-0x0000000000400000-0x0000000000453000-memory.dmp	family_cycbot
behavioral2/memory/532-12-0x0000000000400000-0x0000000000453000-memory.dmp	family_cycbot
behavioral2/memory/4852-73-0x0000000000400000-0x0000000000453000-memory.dmp	family_cycbot
behavioral2/memory/532-176-0x0000000000400000-0x0000000000453000-memory.dmp	family_cycbot

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/532-2-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/432-11-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/532-12-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4852-73-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/532-176-0x0000000000400000-0x0000000000453000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 432	532	JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe	85
PID 532 wrote to memory of 432	532	JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe	85
PID 532 wrote to memory of 432	532	JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe	85
PID 532 wrote to memory of 4852	532	JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe	93
PID 532 wrote to memory of 4852	532	JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe	93
PID 532 wrote to memory of 4852	532	JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe	93

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:532
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe startC:\Program Files (x86)\Internet Explorer\3A04\7F0.exe%C:\Program Files (x86)\Internet Explorer\3A04
  2⤵
  PID:432
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe startC:\Users\Admin\AppData\Roaming\4413C\1ED3A.exe%C:\Users\Admin\AppData\Roaming\4413C
  2⤵
  PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4413C\CD1B.413

Filesize
1KB

MD5
341567599b9d77c17cb24273d429dc01

SHA1
4652aa13f0c8eb23230ee178eab150555307daf2

SHA256
e2d33ffdb5c5ee0a0fe94dd1f39c87aa5794c301ae9c6d1282bbe55936e0a86d

SHA512
b53282e7ee7d710a2af61f45806c8281af6e087e9794cdf666f25d13d748ba3d459e2048836538ed2aed0fe20236c409808efbd3cf29d0bcf3f132db02f9387f

Download Submit
C:\Users\Admin\AppData\Roaming\4413C\CD1B.413

Filesize
600B

MD5
dc58f4153de3f5da1b9e9fbda1d8c2f3

SHA1
a8c87ee12005512472ce713e788b57bdbaad5987

SHA256
9137dd90ef8ace4b0806aed881f0b6cca2da0b4b8d629a8897811daa35a4fa63

SHA512
6c5ed17581fbe1f9291396d6040352f0354e2d6a8352000c0536d9bc2922a6a8624f5059ef28f415a498877a593788d8f0c48ff5d75e16addcfe6052825a9fd7

Download Submit
C:\Users\Admin\AppData\Roaming\4413C\CD1B.413

Filesize
996B

MD5
61b45d88d5ce58cce42f7b96381fe4d1

SHA1
df1118dce2026e9b70a626275bdcba815d6f3288

SHA256
8f22b20c12c180a0ca2b9304b6ab63113f716416b49efd0c82de2e091427524f

SHA512
f464f5350521e76dfef72e05e5f951b7af8ad69eed2c309e7c3781c7310c4ea3f7ad1f20c0974c355f05bef2c1e36496428cc2170de3c2c69fa12809ac800550

Download Submit
memory/432-11-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/532-1-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/532-2-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/532-12-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/532-176-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4852-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download