cycbot | 25c3266b22e4ada9c1ffff1a383c9cf873e293f847296e98235d24c09f13cef2

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_eb73f2c78e339f39bcb636a843e8c083.exe
Size

175KB
MD5

eb73f2c78e339f39bcb636a843e8c083
SHA1

3d65ba4fc1a9953ef20eec715c29f7edfd323211
SHA256

25c3266b22e4ada9c1ffff1a383c9cf873e293f847296e98235d24c09f13cef2
SHA512

bd06574bf1a297c596e988e90b2ba52b4d498b326a081b115f6e3ba8aa9c584e174a7334aad0ad03a91d557730651e603d597d3f13d1651c6d13cc6159d67af8
SSDEEP

3072:ASZlGpwW2QnGISR/sNBE78oryFsY45Q3EuPz9JFp+Oyl8oiiZdWKOO:ASZ+72Qn7C/4a8orNh5QUuPDSJWoBd2O

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4076-13-0x0000000000400000-0x000000000046F000-memory.dmp	family_cycbot
behavioral2/memory/1660-14-0x0000000000400000-0x000000000046F000-memory.dmp	family_cycbot
behavioral2/memory/560-83-0x0000000000400000-0x000000000046F000-memory.dmp	family_cycbot
behavioral2/memory/1660-188-0x0000000000400000-0x000000000046F000-memory.dmp	family_cycbot

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1660-2-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/4076-12-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/4076-13-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/1660-14-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/560-83-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/1660-188-0x0000000000400000-0x000000000046F000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_eb73f2c78e339f39bcb636a843e8c083.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 4076	1660	JaffaCakes118_eb73f2c78e339f39bcb636a843e8c083.exe	82
PID 1660 wrote to memory of 4076	1660	JaffaCakes118_eb73f2c78e339f39bcb636a843e8c083.exe	82
PID 1660 wrote to memory of 4076	1660	JaffaCakes118_eb73f2c78e339f39bcb636a843e8c083.exe	82
PID 1660 wrote to memory of 560	1660	JaffaCakes118_eb73f2c78e339f39bcb636a843e8c083.exe	88
PID 1660 wrote to memory of 560	1660	JaffaCakes118_eb73f2c78e339f39bcb636a843e8c083.exe	88
PID 1660 wrote to memory of 560	1660	JaffaCakes118_eb73f2c78e339f39bcb636a843e8c083.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eb73f2c78e339f39bcb636a843e8c083.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eb73f2c78e339f39bcb636a843e8c083.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eb73f2c78e339f39bcb636a843e8c083.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eb73f2c78e339f39bcb636a843e8c083.exe startC:\Program Files (x86)\Internet Explorer\D3AC\E41.exe%C:\Program Files (x86)\Internet Explorer\D3AC
  2⤵
  PID:4076
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eb73f2c78e339f39bcb636a843e8c083.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eb73f2c78e339f39bcb636a843e8c083.exe startC:\Users\Admin\AppData\Roaming\C92D8\8CED3.exe%C:\Users\Admin\AppData\Roaming\C92D8
  2⤵
  PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C92D8\82AB.92D

Filesize
1KB

MD5
f417438e21986cc2f8513c148120e214

SHA1
e375aa97a644ac574c5e55271ffee083e2bc8dab

SHA256
667f8e3785144720e32257f2898eb783c3b9d3021e58cb39d9b7e163b3e94752

SHA512
0dfb8076a53644d5f4278d25c753e28bb0e4844902bc58e783d07d318bf38ed40d4a03cba073fff6190aa846c00ddc225c48a871eac0f13e2139b7b1322f3011

Download Submit
C:\Users\Admin\AppData\Roaming\C92D8\82AB.92D

Filesize
600B

MD5
cbe4881ebf13666f2338826c81157a21

SHA1
f0956ada86ab286f7655c99aced4cda00db79cf9

SHA256
c8aedfc20ee9136c209f148773cc9d789f2860dbdd5ed4ba30531bc2336350dc

SHA512
071217ce85a1039bcb6589e3319c1e643522392d9e1b7c67d65c73d5bdbaba2e63526f6d24df01352adc44d685e18fd0dc477f4f35698e3d4c8521b3cf1a659c

Download Submit
C:\Users\Admin\AppData\Roaming\C92D8\82AB.92D

Filesize
996B

MD5
78b362ea06cef6accad84bef26fd6c5f

SHA1
a7f6769b24086e607ebb26a723dc01c737babafd

SHA256
aba64f60924299c7509bcb46774e9f660b6d982d59292c9d04bfcc7dd7df4e17

SHA512
10a44a0e98c8e3202a3d135da77d5b3acc82b3aebd72e4059acd09f4a6fd61187ad9f7a4173336307bf671f24eddd20446a3cbcd291dce542e0862e86ff0015b

Download Submit
memory/560-83-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1660-2-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1660-1-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1660-14-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1660-188-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4076-12-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4076-13-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download