Malware Analysis Report

2025-08-11 04:38

Sample ID 250119-nrczdsvqd1
Target JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0
SHA256 1a9bfc6a675e53b2e1fdd150f10aa3d1546b9c63540d0a2dc52113cb434088b9
Tags
cycbot backdoor discovery rat spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1a9bfc6a675e53b2e1fdd150f10aa3d1546b9c63540d0a2dc52113cb434088b9

Threat Level: Known bad

The file JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0 was found to be: Known bad.

Malicious Activity Summary

cycbot backdoor discovery rat spyware stealer upx

Cycbot family

Detects Cycbot payload

Cycbot

Reads user/profile data of web browsers

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-19 11:37

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-19 11:37

Reported

2025-01-19 11:40

Platform

win7-20241010-en

Max time kernel

140s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe"

Signatures

Cycbot

backdoor rat cycbot

Cycbot family

cycbot

Detects Cycbot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2732 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe
PID 2732 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe
PID 2732 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe
PID 2732 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe
PID 2732 wrote to memory of 808 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe
PID 2732 wrote to memory of 808 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe
PID 2732 wrote to memory of 808 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe
PID 2732 wrote to memory of 808 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe startC:\Program Files (x86)\LP\BF8B\06D.exe%C:\Program Files (x86)\LP\BF8B

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe startC:\Users\Admin\AppData\Roaming\BF90C\3F5BF.exe%C:\Users\Admin\AppData\Roaming\BF90C

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | complaintsboard.com | udp
US | 104.25.182.41:80 | complaintsboard.com | tcp
US | 8.8.8.8:53 | ad4q1ju3e.yordatazone.com | udp
US | 8.8.8.8:53 | q1rvu1.cloudstorepro.com | udp
US | 8.8.8.8:53 | www.google.com | udp
GB | 142.250.187.196:80 | www.google.com | tcp
US | 8.8.8.8:53 | 2-tnkoc.yordatazone.com | udp
GB | 142.250.187.196:80 | www.google.com | tcp
N/A | 127.0.0.1:60566 | | tcp
GB | 142.250.187.196:80 | www.google.com | tcp
N/A | 127.0.0.1:60566 | | tcp

Files

memory/2732-0-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2732-2-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2732-3-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Roaming\BF90C\C593.F90

MD5 3dbc8a37853b780670f1a28fad576715
SHA1 7fb5c18237e69be0db457ccbc5bbc7829199dbaa
SHA256 a252efce606972b80cfcd4ae5347d07fc7cf06e06d425d17e4a3adadb112579c
SHA512 f7d85403fb882f4c6503b846911543fe5c9332088269c8698af7052648224d7234711072bba2f05dddabc5bc85cefc2dfa96cdd9a1004a74442b1b94c0a1085a

memory/2796-14-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2796-13-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2796-15-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2732-16-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2732-17-0x0000000000400000-0x0000000000452000-memory.dmp

C:\Users\Admin\AppData\Roaming\BF90C\C593.F90

MD5 0926f23b929a037f37942b0827b1115f
SHA1 c1dcae0d8b98a6b0ccc4602131811d868aa5b018
SHA256 85066cd22d0891255654310b1407676e507dd528a61d9bbdaa5c2a6430a7b101
SHA512 2e5d3f4d2e37331348aceb6d06cf23d7b1009d0dd818c2c45f44fc69e214f9ab9962a3daa5a812be42267509dd9e4e4d502a044c6d3b9262673314f7334bc5df

memory/808-144-0x0000000000400000-0x0000000000454000-memory.dmp

memory/808-145-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Roaming\BF90C\C593.F90

MD5 01d9dceaa960fd2855458e7bff054d41
SHA1 5c2edd9d359f1951c68f75a7f58259b9ac92b6f1
SHA256 ed640e41a75cdac6eabb17ab6c765f8444faec57f89e8dfe6391cefdecedbd08
SHA512 6957dda19f68190f6fefbf063045184b2d48e6e59218d249ace228b09fe7a53223c0a85dd29029129078b386d244551ac98fd50a93a35edb73e0254a799237a6

C:\Users\Admin\AppData\Roaming\BF90C\C593.F90

MD5 663e406c1eafb0e3fb8a81c246326d65
SHA1 ef006dbb3bd9e695db84e5a584b8d69c2bd34e3e
SHA256 ed40cfde09e9b8c182b6a475b842281199dcbf930ca52c89624654006396de84
SHA512 8cba418fa0f1da04f67a3a7ce4c9ecc4905ccc3702dbd541fd875eaa4a18edaf4c1b06fbb66e1a82fd18ede43911e65d26865e12936b5ca2264d11ccb188b3da

memory/2732-308-0x0000000000400000-0x0000000000454000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-19 11:37

Reported

2025-01-19 11:51

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe"

Signatures

Cycbot

backdoor rat cycbot

Cycbot family

cycbot

Detects Cycbot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe startC:\Program Files (x86)\LP\2CCA\F46.exe%C:\Program Files (x86)\LP\2CCA

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe startC:\Users\Admin\AppData\Roaming\A4909\9E42C.exe%C:\Users\Admin\AppData\Roaming\A4909

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 7.98.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | patentgenius.com | udp
US | 208.91.197.27:80 | patentgenius.com | tcp
US | 8.8.8.8:53 | 27.197.91.208.in-addr.arpa | udp
N/A | 224.0.0.251:5353 | | udp
US | 8.8.8.8:53 | t90w.yordatazone.com | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | rhu.cloudstorepro.com | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | wiishu.cloudstorepro.com | udp
N/A | 127.0.0.1:57111 | | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | www.google.com | udp
GB | 142.250.187.196:80 | www.google.com | tcp
GB | 142.250.187.196:80 | www.google.com | tcp
GB | 142.250.187.196:80 | www.google.com | tcp
US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp
N/A | 127.0.0.1:57111 | | tcp
N/A | 127.0.0.1:57111 | | tcp
N/A | 127.0.0.1:57111 | | tcp
US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
N/A | 127.0.0.1:57111 | | tcp
US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp

Files

memory/4696-0-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4696-2-0x0000000000400000-0x0000000000452000-memory.dmp

memory/4696-3-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1744-13-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4696-14-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4696-15-0x0000000000400000-0x0000000000452000-memory.dmp

C:\Users\Admin\AppData\Roaming\A4909\9695.490

MD5 8503e20d3dc65931d9ebfb60306c5686
SHA1 3e82fb8742ccc09faa3325aae9d37cf8c7451592
SHA256 00b82557665da0fc7f4b88b073d26120a2fa9c114d6218dd26366277f05c4b71
SHA512 fccffb118fb285fc9644cf7e9746012f7a668d875688265014a2fabdc6c4faa689a521509caa075423c7acf16a756acb540dca0dd51a917954142ebff784a419

memory/5044-125-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Roaming\A4909\9695.490

MD5 7a17fe33a7e2948f14846ca0996f8157
SHA1 54f7fed04d20ce78b64c37f592b9b2835bde8825
SHA256 6c18cccc017f6518ba7e495359423ce0d8dca2cff04477067940fae3bd4bcb49
SHA512 12651f734dada20924e621b58d4dc1f2992bd3567a8082dd2eb3c4e85133350842cf62a6e0f77807093a7ebe91e1c97d8539374fe4a3f38ac0e994e976d03ec0

C:\Users\Admin\AppData\Roaming\A4909\9695.490

MD5 8b9ac48af6ae148b43bf7c730430d279
SHA1 78d09a1839818ae2ad39aa9536aa8a29d4356b9d
SHA256 a06288aef4cecd6e9d8288f25f8dc95c4807f4c8ddec659348bea4d90734bc4b
SHA512 0e262543a040fd5f61a91db948e231a9d05336b7197376c0d54c2b0944d381b23df89e4f081d689a9ded38e41531abbe198dd9adfe1098fe1e6d629dc6eae651

memory/4696-280-0x0000000000400000-0x0000000000454000-memory.dmp