Analysis Overview
SHA256
1a9bfc6a675e53b2e1fdd150f10aa3d1546b9c63540d0a2dc52113cb434088b9
Threat Level: Known bad
The file JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0 was found to be: Known bad.
Malicious Activity Summary
Cycbot family
Detects Cycbot payload
Cycbot
Reads user/profile data of web browsers
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-19 11:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-19 11:37
Reported
2025-01-19 11:40
Platform
win7-20241010-en
Max time kernel
140s
Max time network
124s
Command Line
Signatures
Cycbot
Cycbot family
Detects Cycbot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe startC:\Program Files (x86)\LP\BF8B\06D.exe%C:\Program Files (x86)\LP\BF8B
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe startC:\Users\Admin\AppData\Roaming\BF90C\3F5BF.exe%C:\Users\Admin\AppData\Roaming\BF90C
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | complaintsboard.com | udp |
| US | 104.25.182.41:80 | complaintsboard.com | tcp |
| US | 8.8.8.8:53 | ad4q1ju3e.yordatazone.com | udp |
| US | 8.8.8.8:53 | q1rvu1.cloudstorepro.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | 2-tnkoc.yordatazone.com | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| N/A | 127.0.0.1:60566 | N/A | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| N/A | 127.0.0.1:60566 | N/A | tcp |
Files
memory/2732-0-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2732-2-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2732-3-0x0000000000400000-0x0000000000454000-memory.dmp
C:\Users\Admin\AppData\Roaming\BF90C\C593.F90
| MD5 | 3dbc8a37853b780670f1a28fad576715 |
| SHA1 | 7fb5c18237e69be0db457ccbc5bbc7829199dbaa |
| SHA256 | a252efce606972b80cfcd4ae5347d07fc7cf06e06d425d17e4a3adadb112579c |
| SHA512 | f7d85403fb882f4c6503b846911543fe5c9332088269c8698af7052648224d7234711072bba2f05dddabc5bc85cefc2dfa96cdd9a1004a74442b1b94c0a1085a |
memory/2796-14-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2796-13-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2796-15-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2732-16-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2732-17-0x0000000000400000-0x0000000000452000-memory.dmp
C:\Users\Admin\AppData\Roaming\BF90C\C593.F90
| MD5 | 0926f23b929a037f37942b0827b1115f |
| SHA1 | c1dcae0d8b98a6b0ccc4602131811d868aa5b018 |
| SHA256 | 85066cd22d0891255654310b1407676e507dd528a61d9bbdaa5c2a6430a7b101 |
| SHA512 | 2e5d3f4d2e37331348aceb6d06cf23d7b1009d0dd818c2c45f44fc69e214f9ab9962a3daa5a812be42267509dd9e4e4d502a044c6d3b9262673314f7334bc5df |
memory/808-144-0x0000000000400000-0x0000000000454000-memory.dmp
memory/808-145-0x0000000000400000-0x0000000000454000-memory.dmp
C:\Users\Admin\AppData\Roaming\BF90C\C593.F90
| MD5 | 01d9dceaa960fd2855458e7bff054d41 |
| SHA1 | 5c2edd9d359f1951c68f75a7f58259b9ac92b6f1 |
| SHA256 | ed640e41a75cdac6eabb17ab6c765f8444faec57f89e8dfe6391cefdecedbd08 |
| SHA512 | 6957dda19f68190f6fefbf063045184b2d48e6e59218d249ace228b09fe7a53223c0a85dd29029129078b386d244551ac98fd50a93a35edb73e0254a799237a6 |
C:\Users\Admin\AppData\Roaming\BF90C\C593.F90
| MD5 | 663e406c1eafb0e3fb8a81c246326d65 |
| SHA1 | ef006dbb3bd9e695db84e5a584b8d69c2bd34e3e |
| SHA256 | ed40cfde09e9b8c182b6a475b842281199dcbf930ca52c89624654006396de84 |
| SHA512 | 8cba418fa0f1da04f67a3a7ce4c9ecc4905ccc3702dbd541fd875eaa4a18edaf4c1b06fbb66e1a82fd18ede43911e65d26865e12936b5ca2264d11ccb188b3da |
memory/2732-308-0x0000000000400000-0x0000000000454000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-19 11:37
Reported
2025-01-19 11:51
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Cycbot
Cycbot family
Detects Cycbot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe startC:\Program Files (x86)\LP\2CCA\F46.exe%C:\Program Files (x86)\LP\2CCA
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe startC:\Users\Admin\AppData\Roaming\A4909\9E42C.exe%C:\Users\Admin\AppData\Roaming\A4909
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | patentgenius.com | udp |
| US | 208.91.197.27:80 | patentgenius.com | tcp |
| US | 8.8.8.8:53 | 27.197.91.208.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | t90w.yordatazone.com | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rhu.cloudstorepro.com | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wiishu.cloudstorepro.com | udp |
| N/A | 127.0.0.1:57111 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| N/A | 127.0.0.1:57111 | N/A | tcp |
| N/A | 127.0.0.1:57111 | N/A | tcp |
| N/A | 127.0.0.1:57111 | N/A | tcp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:57111 | N/A | tcp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
memory/4696-0-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4696-2-0x0000000000400000-0x0000000000452000-memory.dmp
memory/4696-3-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1744-13-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4696-14-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4696-15-0x0000000000400000-0x0000000000452000-memory.dmp
C:\Users\Admin\AppData\Roaming\A4909\9695.490
| MD5 | 8503e20d3dc65931d9ebfb60306c5686 |
| SHA1 | 3e82fb8742ccc09faa3325aae9d37cf8c7451592 |
| SHA256 | 00b82557665da0fc7f4b88b073d26120a2fa9c114d6218dd26366277f05c4b71 |
| SHA512 | fccffb118fb285fc9644cf7e9746012f7a668d875688265014a2fabdc6c4faa689a521509caa075423c7acf16a756acb540dca0dd51a917954142ebff784a419 |
memory/5044-125-0x0000000000400000-0x0000000000454000-memory.dmp
C:\Users\Admin\AppData\Roaming\A4909\9695.490
| MD5 | 7a17fe33a7e2948f14846ca0996f8157 |
| SHA1 | 54f7fed04d20ce78b64c37f592b9b2835bde8825 |
| SHA256 | 6c18cccc017f6518ba7e495359423ce0d8dca2cff04477067940fae3bd4bcb49 |
| SHA512 | 12651f734dada20924e621b58d4dc1f2992bd3567a8082dd2eb3c4e85133350842cf62a6e0f77807093a7ebe91e1c97d8539374fe4a3f38ac0e994e976d03ec0 |
C:\Users\Admin\AppData\Roaming\A4909\9695.490
| MD5 | 8b9ac48af6ae148b43bf7c730430d279 |
| SHA1 | 78d09a1839818ae2ad39aa9536aa8a29d4356b9d |
| SHA256 | a06288aef4cecd6e9d8288f25f8dc95c4807f4c8ddec659348bea4d90734bc4b |
| SHA512 | 0e262543a040fd5f61a91db948e231a9d05336b7197376c0d54c2b0944d381b23df89e4f081d689a9ded38e41531abbe198dd9adfe1098fe1e6d629dc6eae651 |
memory/4696-280-0x0000000000400000-0x0000000000454000-memory.dmp
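The Processes, Network and Files sections of both behavioral runs above carry the indicators a responder actually wants: the child launches use a `start<child.exe>%<directory>` argument that names the drop locations, the Network table mixes real contacts with resolver, PTR, loopback and mDNS noise, and the same dropped path appears several times with different hashes. The script below is an added example (not tooling from the sandbox that produced this report) that pulls those out. Its sample data is copied from the report; the noise filter (8.8.8.8 resolver traffic, `in-addr.arpa` PTR lookups, 127.0.0.1, 224.0.0.251 and the www.google.com connectivity check) is this example's assumption, and the report does not say which of the remaining domains are command-and-control, so treat the output as a triage list rather than a verdict.

```python
"""Pull IOCs out of the process, network and file sections of the report above.
Added example, not the sandbox's own tooling. Sample rows are copied from the
report; the noise filter is an assumption of this example."""
import ntpath
import re
from collections import defaultdict

# Child command lines listed under "Processes" (copied from the report).
PROCESS_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe"',
    r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe "
    r"startC:\Program Files (x86)\LP\BF8B\06D.exe%C:\Program Files (x86)\LP\BF8B",
    r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe "
    r"startC:\Users\Admin\AppData\Roaming\BF90C\3F5BF.exe%C:\Users\Admin\AppData\Roaming\BF90C",
]

# Rows of the "Network" table as (country, destination, domain, proto), copied from the report.
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "complaintsboard.com", "udp"),
    ("US", "104.25.182.41:80", "complaintsboard.com", "tcp"),
    ("US", "8.8.8.8:53", "ad4q1ju3e.yordatazone.com", "udp"),
    ("US", "8.8.8.8:53", "q1rvu1.cloudstorepro.com", "udp"),
    ("US", "8.8.8.8:53", "www.google.com", "udp"),
    ("GB", "142.250.187.196:80", "www.google.com", "tcp"),
    ("US", "8.8.8.8:53", "27.197.91.208.in-addr.arpa", "udp"),
    ("US", "208.91.197.27:80", "patentgenius.com", "tcp"),
    ("N/A", "224.0.0.251:5353", "N/A", "udp"),
    ("N/A", "127.0.0.1:60566", "N/A", "tcp"),
]

# "Files" entries as (path, sha256): the same path is listed four times with
# different hashes in behavioral1 (copied from the report).
DROPPED_FILES = [
    (r"C:\Users\Admin\AppData\Roaming\BF90C\C593.F90", "a252efce606972b80cfcd4ae5347d07fc7cf06e06d425d17e4a3adadb112579c"),
    (r"C:\Users\Admin\AppData\Roaming\BF90C\C593.F90", "85066cd22d0891255654310b1407676e507dd528a61d9bbdaa5c2a6430a7b101"),
    (r"C:\Users\Admin\AppData\Roaming\BF90C\C593.F90", "ed640e41a75cdac6eabb17ab6c765f8444faec57f89e8dfe6391cefdecedbd08"),
    (r"C:\Users\Admin\AppData\Roaming\BF90C\C593.F90", "ed40cfde09e9b8c182b6a475b842281199dcbf930ca52c89624654006396de84"),
]

# '<image> start<child.exe>%<dir>' as seen in the Processes list; the child path may contain spaces.
LAUNCH_RE = re.compile(r'^"?(?P<image>[^"]+?\.exe)"?\s+start(?P<child>[^%]+\.exe)%(?P<dir>[^%]+)$')


def parse_launch(cmdline):
    """Split a 'start<child.exe>%<dir>' launch into its parts, or return None
    when the command line does not follow that pattern. 'consistent' checks
    that the child executable really sits inside the directory after '%'."""
    m = LAUNCH_RE.match(cmdline.strip())
    if not m:
        return None
    child, directory = m.group("child"), m.group("dir")
    return {
        "image": m.group("image"),
        "child": child,
        "dir": directory,
        "consistent": ntpath.dirname(child).lower() == directory.lower(),
    }


def is_noise_domain(domain):
    # Assumption: PTR lookups and the www.google.com reachability check are sandbox/OS noise.
    return domain == "N/A" or domain.endswith(".in-addr.arpa") or domain == "www.google.com"


def extract_network_iocs(rows, noise_hosts=("8.8.8.8", "127.0.0.1", "224.0.0.251")):
    """Return (domains, tcp_endpoints) with noise removed. Domains are taken
    from DNS rows as well: a C2 domain that never resolved still shows up as a
    query. Endpoints keep only TCP connections to hosts outside noise_hosts."""
    domains, endpoints = set(), set()
    for _country, dest, domain, proto in rows:
        host = dest.rpartition(":")[0]
        if is_noise_domain(domain):
            continue
        domains.add(domain)
        if proto == "tcp" and host not in noise_hosts:
            endpoints.add(dest)
    return sorted(domains), sorted(endpoints)


def group_dropped_hashes(entries):
    """Group distinct SHA256s by path in the order written; more than one hash
    for a path means the file was rewritten during the run, so hash every version."""
    by_path = defaultdict(list)
    for path, sha256 in entries:
        if sha256 not in by_path[path]:
            by_path[path].append(sha256)
    return dict(by_path)


if __name__ == "__main__":
    for line in PROCESS_LINES:
        print(parse_launch(line))
    print(extract_network_iocs(NETWORK_ROWS))
    for path, hashes in group_dropped_hashes(DROPPED_FILES).items():
        print(path, len(hashes), "distinct versions")
```

Running it against the behavioral2 rows works the same way; only the drop directories (`LP\2CCA`, `Roaming\A4909`) and the `yordatazone.com` / `cloudstorepro.com` subdomains differ, which is itself worth noting: the second-level domains are the stable indicator, the host labels change per run.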