cycbot | 2f17bb1742217a5bc0fe0d89044c4241f382bc56c2995fa319f94a08798afcd9

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_aaef7fd20c151a51263286b2fbcdabca.exe
Size

195KB
MD5

aaef7fd20c151a51263286b2fbcdabca
SHA1

2b9ff1fb63f440d02fe4d572ce9c1eb7a3c17ce1
SHA256

2f17bb1742217a5bc0fe0d89044c4241f382bc56c2995fa319f94a08798afcd9
SHA512

93ce7971dd68f5e4c7eb0f745daa559c409f2f3e0b8bf9e30e808d334f19ef2dad0707ef7443d93f9263cd7743cfcf1e334400366e5420602cdf725c95ddbf5e
SSDEEP

3072:EUVfW7yjVxXgXC3Xhq8OgbX2++2gX3mchQneB9FjycwO65uky3yJqdRh0e+9lpcj:ET+XgYXhq8OgTt+bn5vPFPk2dftwj

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3384-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4908-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1288-82-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4908-197-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4908-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3384-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3384-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4908-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1288-82-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4908-197-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_aaef7fd20c151a51263286b2fbcdabca.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 3384	4908	JaffaCakes118_aaef7fd20c151a51263286b2fbcdabca.exe	85
PID 4908 wrote to memory of 3384	4908	JaffaCakes118_aaef7fd20c151a51263286b2fbcdabca.exe	85
PID 4908 wrote to memory of 3384	4908	JaffaCakes118_aaef7fd20c151a51263286b2fbcdabca.exe	85
PID 4908 wrote to memory of 1288	4908	JaffaCakes118_aaef7fd20c151a51263286b2fbcdabca.exe	88
PID 4908 wrote to memory of 1288	4908	JaffaCakes118_aaef7fd20c151a51263286b2fbcdabca.exe	88
PID 4908 wrote to memory of 1288	4908	JaffaCakes118_aaef7fd20c151a51263286b2fbcdabca.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aaef7fd20c151a51263286b2fbcdabca.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aaef7fd20c151a51263286b2fbcdabca.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aaef7fd20c151a51263286b2fbcdabca.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aaef7fd20c151a51263286b2fbcdabca.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:3384
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aaef7fd20c151a51263286b2fbcdabca.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aaef7fd20c151a51263286b2fbcdabca.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B12E.F68

Filesize
1KB

MD5
06d9838c5a05fc31fea8dc982428106a

SHA1
60ee2309b8e8ba8f57f43f039edda7a694433f78

SHA256
bd0f7d477f7436ab0775b42ae964e2a32bc464dae0a732ecc3c6ae930406849e

SHA512
8ef5897e5b4cbba9521d558e3c17c276e702d8f4ebc7d61ef458865b710e0d26ec8ad0fc2dc6278d4570d3485841063856441490bfb7f8e60da78da661026262

Download Submit
C:\Users\Admin\AppData\Roaming\B12E.F68

Filesize
600B

MD5
5128df08bdc59f46bd9c8bc6615b1700

SHA1
2db7e4d7c98c158c6d22e09e7a6c549d4cd96817

SHA256
595528bdf142d016bba483158b98008dadbee5813e5724e90187a39c42528912

SHA512
816c4ddfa84677388cec58bc9ac34833f2902885c62ff524dd29748c40c21ad21bfd91fb9be0db007c41613a95341a4600931b905f8c54e8dd5b3c88d2ca1d51

Download Submit
C:\Users\Admin\AppData\Roaming\B12E.F68

Filesize
996B

MD5
0c91ea5188f2210d51967a1a5a8483a3

SHA1
3cac49c33433138eec3a2b559ad7b0ef108cb9fb

SHA256
bce7aadc3e0702986ec1e5cb04e0325181ba23387e1ef84588119cb4e225f191

SHA512
3c267bda58e5e154a1331072ffa616725c1b7b9caad10f35e4a7be0c8db0f7f8e2d4f17c052e7a4b685bfdf72c4b773cf2fd0bc22d59e4242bdbb23b802d747d

Download Submit
memory/1288-82-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3384-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3384-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4908-1-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4908-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4908-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4908-197-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download