cycbot | 6ae9d2a3795c048fe91d3a85749a94b6c483006d841201998155a213bbed3e99

General

Target

be89dab47d2d5c5da678957e935683b1_JaffaCakes118.exe
Size

182KB
MD5

be89dab47d2d5c5da678957e935683b1
SHA1

7797617a861de1c7a1881ed25b1d4e8ce0bf6e21
SHA256

6ae9d2a3795c048fe91d3a85749a94b6c483006d841201998155a213bbed3e99
SHA512

27ea7e5b953c14c46e25a07fd09fe04b5399e6a40ffa461a968dc661958bc33c137521f06783cbac0d28f45ab85ef7c0c1f61af5881a0f45f1043788695b9414
SSDEEP

3072:U+A3w0NSJk5wD+hveJT7Mp2MDw9pI9R37IKIm7fgV5udVQ:b2wZJnChvC8p2MDwPICm7YV

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2156-15-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/2036-16-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/2984-94-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/2036-198-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/2036-203-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2036-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/2156-13-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/2156-15-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/2036-16-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/2984-93-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/2984-94-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/2036-198-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/2036-203-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be89dab47d2d5c5da678957e935683b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be89dab47d2d5c5da678957e935683b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be89dab47d2d5c5da678957e935683b1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2156	2036	be89dab47d2d5c5da678957e935683b1_JaffaCakes118.exe	83
PID 2036 wrote to memory of 2156	2036	be89dab47d2d5c5da678957e935683b1_JaffaCakes118.exe	83
PID 2036 wrote to memory of 2156	2036	be89dab47d2d5c5da678957e935683b1_JaffaCakes118.exe	83
PID 2036 wrote to memory of 2984	2036	be89dab47d2d5c5da678957e935683b1_JaffaCakes118.exe	93
PID 2036 wrote to memory of 2984	2036	be89dab47d2d5c5da678957e935683b1_JaffaCakes118.exe	93
PID 2036 wrote to memory of 2984	2036	be89dab47d2d5c5da678957e935683b1_JaffaCakes118.exe	93

C:\Users\Admin\AppData\Local\Temp\be89dab47d2d5c5da678957e935683b1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\be89dab47d2d5c5da678957e935683b1_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\be89dab47d2d5c5da678957e935683b1_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\be89dab47d2d5c5da678957e935683b1_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2156
- C:\Users\Admin\AppData\Local\Temp\be89dab47d2d5c5da678957e935683b1_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\be89dab47d2d5c5da678957e935683b1_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B438.5DE

Filesize
1KB

MD5
6e25dd992bdc236a57d8854126405500

SHA1
b7882c94e1282975f97fc8877fbfda8c9d0797ff

SHA256
336ef59cd98a7e30f1eb8db101998b0bbf28b2f867d97ea2c418179dc9add985

SHA512
947f082798e9f97a335e30a3de042dc4b5bbe1582164d6f2341b6eaebbed88ad689aa9aad9b2d73dbd2cc7740b7261d72fb5705b068826015bfe56b25b42a741

Download Submit
C:\Users\Admin\AppData\Roaming\B438.5DE

Filesize
600B

MD5
07d9adc2711cb3e3872f8c3d13d7f238

SHA1
aaedb5241881fcf6a35145609e666b967e711e3a

SHA256
369037f9711f15184b38b05a5288321bd716c0be50487efac5d5b3a22048660b

SHA512
2dbd9a3b8e4e0972746b804b41e2d43018fafd1a0932b31fe645912055fb41a1ea505d4e93d4e1adb351411b7f702cd27a0f4a19828ea16fd99327aa28566b99

Download Submit
C:\Users\Admin\AppData\Roaming\B438.5DE

Filesize
996B

MD5
eac366c5e50b96e9ba878d364139a814

SHA1
15dceef832de37dca8dbc4bf2eac5d8436943a18

SHA256
5c439d7c9dd8a5233431ab3d54a7c9fc8198f880809868618b69fe3fabcfc799

SHA512
f35a08591cb616ff71710a6e29aaf489d982b033eb7f9430191978d9ddce45b3a68d44fdc53386e897e4379cc17d71fd93eb934212547448ee42a9c323dab8c3

Download Submit
memory/2036-16-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2036-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2036-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2036-198-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2036-203-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2156-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2156-15-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2156-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2984-93-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2984-94-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing