cycbot | 1280c3015517aad9db42e2eeb89248e2918e06164803d602fadeec6a3a55faf7

Analysis

max time kernel
150s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2025 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe
Size

188KB
MD5

797c25ac265de8037108f4e94eaeffe8
SHA1

7b7f0074f0d4359c12c758cfeb7683429da78278
SHA256

1280c3015517aad9db42e2eeb89248e2918e06164803d602fadeec6a3a55faf7
SHA512

ae8cbc9bb743a47a728890cfc36d71d5c7e9355ef0794dcb7702d11690d4c56a07ee78de4b221f954b24872517562b07691609dea75be94ffa33f4311eaa624c
SSDEEP

3072:BT4VNXhYIY2Cf6owIOa5SKsStD3ortfAdIJcCaP4BcrYeLO11ui+lIgnD:BqNX6CnowIOaQiD4JfUycC5WrY71uiNK

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1176-13-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4140-47-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/4140-48-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/3972-117-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4140-187-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4140-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1176-11-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1176-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4140-47-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/4140-48-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3972-117-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4140-187-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 1176	4140	JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe	85
PID 4140 wrote to memory of 1176	4140	JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe	85
PID 4140 wrote to memory of 1176	4140	JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe	85
PID 4140 wrote to memory of 3972	4140	JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe	88
PID 4140 wrote to memory of 3972	4140	JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe	88
PID 4140 wrote to memory of 3972	4140	JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe startC:\Program Files (x86)\LP\D3AC\C12.exe%C:\Program Files (x86)\LP\D3AC
  2⤵
  PID:1176
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe startC:\Users\Admin\AppData\Roaming\C87EB\8DED3.exe%C:\Users\Admin\AppData\Roaming\C87EB
  2⤵
  PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C87EB\B0EF.87E

Filesize
996B

MD5
b58ed99b301866d867e0f4d2eea490f0

SHA1
99f1cd7836f1f68ea65f318144ff93eb7e660190

SHA256
c06ef1a4f2a14df287b0f06544d514aaa348299b9c3ac953172d0c466c92d12b

SHA512
4be30dc2669e65b2843fad6a1e4493092a4381c9f0f40ee8da8f6eaa2836dea2535e953a6f2b6fcaa299ee84ced9fa4531092efd83a845ab20f95dd9169d3b6c

Download Submit
C:\Users\Admin\AppData\Roaming\C87EB\B0EF.87E

Filesize
600B

MD5
8db67f837c38a268b790a8a2f7232c8e

SHA1
9e67446fd42e463193ab26e53546a72a5926bdb8

SHA256
61cd6eaa868299a816e21ba6aeafc0ed1268270b87decc4fda7933894554bd59

SHA512
66fcf941f4593261c470ecb03dc8de40a557aa3b8582de2665ac563e07dfa8b49ee865691ca14664cc153f45ae8fc924768aaca2b3d703ed6d31d957e2ecedcc

Download Submit
memory/1176-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1176-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3972-115-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3972-117-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4140-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4140-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4140-47-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4140-48-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4140-187-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download