cycbot | 76c7ac6e39553fe1143d39d648b1ac4f9783805e59ade5c0e2ca155af3905d72

General

Target

c798c1b9cba4ffcd33671c47941ea9f0_JaffaCakes118.exe
Size

179KB
MD5

c798c1b9cba4ffcd33671c47941ea9f0
SHA1

82c5fe85508987cfd549bbc668c51a0c9ddd829c
SHA256

76c7ac6e39553fe1143d39d648b1ac4f9783805e59ade5c0e2ca155af3905d72
SHA512

3deb22f84c56c1200c76e0fe94adc609ae1d8c2912b0e0971a57cad02beba87cc2ed1ba2be2afcffc5e4c043ea08be7dae70b958f811ba22f9f12fa198f11fe6
SSDEEP

3072:L8svOQUkW/hGG03dj2bLYZurqqMR96F0AXNErDCHC1u815Se6gFprk:L/vOQfSGG0xeYZufMR9ATNEb1l5Syr

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1896-14-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/3316-15-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/3316-16-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/4372-114-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/3316-269-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3316-3-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/1896-13-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/1896-14-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3316-15-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3316-16-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/4372-114-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3316-269-0x0000000000400000-0x0000000000454000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c798c1b9cba4ffcd33671c47941ea9f0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c798c1b9cba4ffcd33671c47941ea9f0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c798c1b9cba4ffcd33671c47941ea9f0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 1896	3316	c798c1b9cba4ffcd33671c47941ea9f0_JaffaCakes118.exe	82
PID 3316 wrote to memory of 1896	3316	c798c1b9cba4ffcd33671c47941ea9f0_JaffaCakes118.exe	82
PID 3316 wrote to memory of 1896	3316	c798c1b9cba4ffcd33671c47941ea9f0_JaffaCakes118.exe	82
PID 3316 wrote to memory of 4372	3316	c798c1b9cba4ffcd33671c47941ea9f0_JaffaCakes118.exe	88
PID 3316 wrote to memory of 4372	3316	c798c1b9cba4ffcd33671c47941ea9f0_JaffaCakes118.exe	88
PID 3316 wrote to memory of 4372	3316	c798c1b9cba4ffcd33671c47941ea9f0_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\c798c1b9cba4ffcd33671c47941ea9f0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c798c1b9cba4ffcd33671c47941ea9f0_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Users\Admin\AppData\Local\Temp\c798c1b9cba4ffcd33671c47941ea9f0_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\c798c1b9cba4ffcd33671c47941ea9f0_JaffaCakes118.exe startC:\Program Files (x86)\LP\1B1D\D85.exe%C:\Program Files (x86)\LP\1B1D
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\c798c1b9cba4ffcd33671c47941ea9f0_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\c798c1b9cba4ffcd33671c47941ea9f0_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\DF21D\6C81B.exe%C:\Users\Admin\AppData\Roaming\DF21D
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DF21D\D13B.F21

Filesize
996B

MD5
556f47ce3ffde569cdefe9da42b9babc

SHA1
346f2c7a4d5c43b273de82b1c7ad55da69c6625e

SHA256
b5d2daac9c7fd17ee6b8bf0e16ebb270e8599a7e6df323ef84d598f0b3056000

SHA512
266a7058f76d7fef9d4da897e7ea504e37aebf016340f05201b8fc0b7e13420d6899715dd163cb237bc2c363616c4bf3777e7ec37e891f3d5f27ffbf0fd99840

Download Submit
C:\Users\Admin\AppData\Roaming\DF21D\D13B.F21

Filesize
600B

MD5
26eba534e4b1a42ca21283cbfd1bf68b

SHA1
4885956d96887e9369c98da4554239472cf22320

SHA256
8718b659e1d1b4ebd2d46a58df050773056771b5cfb6504e4ef8549546300568

SHA512
40f1ee802164d6867a31332151e86a38b0024ef64dee19a91ff40776e7d11eefd083e1156932c137250d53fbe1fd7839877a73d2a5f638f27890153d418e5367

Download Submit
C:\Users\Admin\AppData\Roaming\DF21D\D13B.F21

Filesize
1KB

MD5
f17f7cef828b5de9acfcda96dff365dc

SHA1
975d8b322af97714750740ab2622e49308915440

SHA256
273151ac1569ec3546aaa51f99d07491e39f8bc3eb76bf8d19f7afeb610682ca

SHA512
90324fec66405d33e5060a9aa2fc39b081fa7c75083da1831861bd98b7b6da9c1384846044ed04642d785e7efc6c637ec52a2e1d3a8f1875ab94f5a065b9ae2a

Download Submit
memory/1896-13-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1896-14-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3316-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3316-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3316-3-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3316-15-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3316-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3316-269-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4372-114-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing