cycbot | 4e0e37d4e4f3ee09c2235828c0000b552ee44db68b602a22c33d2a449c1eed10

General

Target

d1f565bfffe554c71d504095eedb97e1_JaffaCakes118.exe
Size

171KB
MD5

d1f565bfffe554c71d504095eedb97e1
SHA1

f8039b9ea6dfedcb70bee66d2d92600ad33959a0
SHA256

4e0e37d4e4f3ee09c2235828c0000b552ee44db68b602a22c33d2a449c1eed10
SHA512

2c51714decfa6721e85a3ff5f43d102275f1f8471b98701dd2da2dd4e9189af925f6a1bcbd82f465d459cc5e27e78c5291eccc1472983bd3e6f25339c0cac552
SSDEEP

3072:i1SLBSMwluZnm/rXg/4vcwwwSZBzXLXHvFCUo6rkte37+Nu5jAJuT:6SLInZrX1cnwSv7XPUUoZAL+N6jA0

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1384-9-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral2/memory/2004-14-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral2/memory/4504-80-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral2/memory/2004-193-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2004-2-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1384-8-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1384-9-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2004-14-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4504-78-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4504-80-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2004-193-0x0000000000400000-0x000000000046B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1f565bfffe554c71d504095eedb97e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1f565bfffe554c71d504095eedb97e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1f565bfffe554c71d504095eedb97e1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1384	2004	d1f565bfffe554c71d504095eedb97e1_JaffaCakes118.exe	83
PID 2004 wrote to memory of 1384	2004	d1f565bfffe554c71d504095eedb97e1_JaffaCakes118.exe	83
PID 2004 wrote to memory of 1384	2004	d1f565bfffe554c71d504095eedb97e1_JaffaCakes118.exe	83
PID 2004 wrote to memory of 4504	2004	d1f565bfffe554c71d504095eedb97e1_JaffaCakes118.exe	91
PID 2004 wrote to memory of 4504	2004	d1f565bfffe554c71d504095eedb97e1_JaffaCakes118.exe	91
PID 2004 wrote to memory of 4504	2004	d1f565bfffe554c71d504095eedb97e1_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\d1f565bfffe554c71d504095eedb97e1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d1f565bfffe554c71d504095eedb97e1_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\d1f565bfffe554c71d504095eedb97e1_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d1f565bfffe554c71d504095eedb97e1_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1384
- C:\Users\Admin\AppData\Local\Temp\d1f565bfffe554c71d504095eedb97e1_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d1f565bfffe554c71d504095eedb97e1_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C994.70B

Filesize
1KB

MD5
ea52caa498c9f184dfa99bc1d5ca50cd

SHA1
0671c20a5f3c359301d9c304fd232876b4ed0692

SHA256
4aa4f152ae666fcfbe82571ae78843c4d28fed2a089ddfbe7b3583da2618a3f4

SHA512
95b84c097a844714e3e6925ec96d14eb40ca1a99d5b94da746a10dc2c1427584bc8df693202c37c62f12334b8de39cc472dc1ccdb77d7a6aabf5ff7564fd7769

Download Submit
C:\Users\Admin\AppData\Roaming\C994.70B

Filesize
600B

MD5
72982580fc71fe6b0f92980132303ae7

SHA1
9a7f031442e1eca54d10bf2eb9846cffa7410788

SHA256
957a33452c265bf339f55a792a891f75f0156930d278721a59ff8ee437e7d0c2

SHA512
8dc54912679481992b15c3e753c1bec23780a13fa1bed24fce4a367a89c7b3ed2f8b5330e7a0e47eebb16ca73d67581e2461ff9c4ec7f5da41822e4e115353d6

Download Submit
C:\Users\Admin\AppData\Roaming\C994.70B

Filesize
996B

MD5
992cb74730f8f119427fb9ec6d38c517

SHA1
80f531e35d69a0065b54f909bc1faee479b75469

SHA256
a50fc054ad5bd871112882dea7807061d05388200c1afd7878b7a2cc9b9a41f1

SHA512
d42bf0e05908fa382bd35fdad39935c18302b320e6c6aca23a268dcf554cb43e5c1e85f6fa12e6488ebfceaa2a073b2bc4f0eeaf2dbec10534a22aa3e0ea6c8d

Download Submit
memory/1384-8-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1384-9-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2004-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2004-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2004-14-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2004-193-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4504-78-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4504-80-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing