cycbot | 64c2274f9408f872035c0a7613e71033997fc43322c828a25d135348af79637b

General

Target

9865cdd466b724c5b6fe64784e52fce4_JaffaCakes118.exe
Size

180KB
MD5

9865cdd466b724c5b6fe64784e52fce4
SHA1

bb89827ee471d75942c36a1ba827d816af7cb643
SHA256

64c2274f9408f872035c0a7613e71033997fc43322c828a25d135348af79637b
SHA512

767e8efb344b7b256d3e934668e579fd15d1f7bda40ea56af347979784941a2617348dd7bcc3adeceafc7f18f5704e9476c1d48b15f9ce4390dd5b49ef98d1fb
SSDEEP

3072:XxYD/9MqpwVwP0gYjQFIRW1hl0M6RxW+vhrodZyKaRZnIW5M1ZjLIc4Bz:ha9wqOAIRW1hl0MILvFKYKqIWQjLY

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1456-13-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral2/memory/1456-12-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral2/memory/3832-15-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral2/memory/1664-91-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral2/memory/3832-202-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3832-2-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1456-13-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1456-12-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3832-15-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1664-90-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1664-91-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3832-202-0x0000000000400000-0x000000000046B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9865cdd466b724c5b6fe64784e52fce4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9865cdd466b724c5b6fe64784e52fce4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9865cdd466b724c5b6fe64784e52fce4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 1456	3832	9865cdd466b724c5b6fe64784e52fce4_JaffaCakes118.exe	82
PID 3832 wrote to memory of 1456	3832	9865cdd466b724c5b6fe64784e52fce4_JaffaCakes118.exe	82
PID 3832 wrote to memory of 1456	3832	9865cdd466b724c5b6fe64784e52fce4_JaffaCakes118.exe	82
PID 3832 wrote to memory of 1664	3832	9865cdd466b724c5b6fe64784e52fce4_JaffaCakes118.exe	90
PID 3832 wrote to memory of 1664	3832	9865cdd466b724c5b6fe64784e52fce4_JaffaCakes118.exe	90
PID 3832 wrote to memory of 1664	3832	9865cdd466b724c5b6fe64784e52fce4_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\9865cdd466b724c5b6fe64784e52fce4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9865cdd466b724c5b6fe64784e52fce4_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Users\Admin\AppData\Local\Temp\9865cdd466b724c5b6fe64784e52fce4_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\9865cdd466b724c5b6fe64784e52fce4_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1456
- C:\Users\Admin\AppData\Local\Temp\9865cdd466b724c5b6fe64784e52fce4_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\9865cdd466b724c5b6fe64784e52fce4_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DC7A.228

Filesize
1KB

MD5
a4888a9bacb241d641a3d9e687fd0d70

SHA1
42351b6a01f197da5b02acde5371831184bbb17a

SHA256
8e42aa011273dddd7568fef80be0cc7dcbd62a9c0e4095543054564722ea6b22

SHA512
da56474aa3aa01bbb28dde5daf5f1591c596ee7016663d9205d4823c6db797f04f6214435e1931e6979f8a5d169e53c6049b17c79cd20bc7d0fd35f37c6258da

Download Submit
C:\Users\Admin\AppData\Roaming\DC7A.228

Filesize
600B

MD5
52934948d7b10ee4f22d43dc342deeff

SHA1
b5f6250a37c4036b06a1e5eb104233c6eb35df1c

SHA256
7c593485623f6e532d0fb4130e89e36dd05ae1860144367cf39c40078dae006d

SHA512
debba4e48000436831b206b0d22130fa37247b7e2425e84e420b880d10d964fb26a93fa43e68a185b3055682b0a6c04dc40b88899ec920d0914786e008859c77

Download Submit
C:\Users\Admin\AppData\Roaming\DC7A.228

Filesize
996B

MD5
b0fd396a442fea4eeda7c7c17dadf22f

SHA1
e9c8ff306669b620684fdfcc2bc958bae8689cc1

SHA256
e3ed3f4ffce4106fa37d66fce3f06efe07e8fef21bd6a59d8ed9a52857cb2d45

SHA512
e2a45128d6bb9b38ac4695ac422f92bf83213497b31e46ef915e50a385166931139979a1cd30dc750d37bebf094296ef5883f647c5d3a2c20e658a027531425b

Download Submit
memory/1456-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1456-12-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1664-90-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1664-91-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3832-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3832-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3832-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3832-202-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing