cycbot | b5a6fd94288252ba8849b0e2a626c072b037a8eb6dd0c3e82d631969b6f4fda2

General

Target

cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe
Size

181KB
MD5

cf9a4e373b940f0c2f0ca9f67b9670d9
SHA1

505d13eb1f7f399f3b59e9a892da2fa794da74d6
SHA256

b5a6fd94288252ba8849b0e2a626c072b037a8eb6dd0c3e82d631969b6f4fda2
SHA512

c56e799ffa79a42dc1798dbfa12b477e2f24596243ba7e9d9616fe05dd827107a8aca2421d32eb0111880cec773f09137c6aa99d23e762481a63b78287d753f9
SSDEEP

3072:DYV8IYFjFmPmGAxJDMiSK9+JWf/6OmE0FsaoPdzvg6JfR7oCr3jL:DUnmYP8f/pf/6DFsaizv1R7

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/216-8-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/4952-13-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/1960-83-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/4952-196-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/4952-198-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4952-1-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/216-8-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/4952-13-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/1960-81-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/1960-83-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/4952-196-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/4952-198-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 216	4952	cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe	82
PID 4952 wrote to memory of 216	4952	cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe	82
PID 4952 wrote to memory of 216	4952	cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe	82
PID 4952 wrote to memory of 1960	4952	cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe	87
PID 4952 wrote to memory of 1960	4952	cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe	87
PID 4952 wrote to memory of 1960	4952	cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Users\Admin\AppData\Local\Temp\cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:216
- C:\Users\Admin\AppData\Local\Temp\cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0AF1.141

Filesize
600B

MD5
4c41bd244851e80695dd7a2340ac62fe

SHA1
e1d7acc14ba28136dfc3d36365a22d0ea1c0e8cd

SHA256
dccef1a7552cfd36b3841dc2fc6904339bebaafa13778298ee9443b820119c02

SHA512
b41959ea7f310138a1db63c6b459744db60e3dc01b4cd54d3b8581e860690dc9e8cc752ff8e51e15176f7f8c78319b5e122fefb0f0c5d7cb543949acd98c49b6

Download Submit
C:\Users\Admin\AppData\Roaming\0AF1.141

Filesize
1KB

MD5
2e2786f9739536bf6ef66840cba6d4e5

SHA1
e32f6105531c1aabd4fd86cf9edd607c63ead265

SHA256
0af8609bb66908e73473d8c70150680dfc096a9d1e22decdc92e97723672974e

SHA512
b72b50c51526cc0006560174e1413ba8450d2e128fef68c96da14e1be4f334346d4ec099353f5ec7f18f6957f7200138fbc138ba7b041706f8e39169eae0b1c1

Download Submit
C:\Users\Admin\AppData\Roaming\0AF1.141

Filesize
996B

MD5
afb2c8feb20c0bb04e932b1c1e4d126b

SHA1
cd08eb45f17ac14941772d1bf5028d0ac8358ec5

SHA256
a8813e27164442cdc97d42f7e80c3453e2b8c35f691accfb753a56208188c98d

SHA512
b48ba5a64e9a457693ac29fa241bf3c4ada9e3124baee9e9d9869fc6952bd7f9d377bbcee549524ac3cf1c1de3c70a668fd84ba14dc2089fd0f68f588ad5952f

Download Submit
memory/216-8-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1960-80-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1960-81-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1960-83-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4952-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4952-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4952-196-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4952-198-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing