cycbot | f8cc35b3a05ef14f0d29cbb6dec90967c0f94481c6dee2a888b407ffa34599fc

General

Target

d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe
Size

191KB
MD5

d2e1b84666f8d3601b3cac019065331d
SHA1

68c10f67795643a830b99573dd8f15ffa4c61867
SHA256

f8cc35b3a05ef14f0d29cbb6dec90967c0f94481c6dee2a888b407ffa34599fc
SHA512

8e697fddbd64e2bbb79c95bcc7da57c4aab9869c203e66fea365dd0e3a9d6d52b10a974078ef097d54a04e504c4a1513f4ffa9eedf481f690bcfc02190197c3a
SSDEEP

3072:aPrcNY+evWLp/is9W6kxl9NnBne6ItAKz1XDN3tGcjeGShKuBaGirak5LXzgQzsT:aANTevO3WHdHIeKz1TN3njeG7ak5Dzlf

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/316-13-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/740-14-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/1636-81-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/740-201-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/740-1-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/740-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/316-13-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/740-14-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/1636-80-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/1636-81-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/740-201-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 316	740	d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe	85
PID 740 wrote to memory of 316	740	d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe	85
PID 740 wrote to memory of 316	740	d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe	85
PID 740 wrote to memory of 1636	740	d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe	89
PID 740 wrote to memory of 1636	740	d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe	89
PID 740 wrote to memory of 1636	740	d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:740
- C:\Users\Admin\AppData\Local\Temp\d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:316
- C:\Users\Admin\AppData\Local\Temp\d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F15E.C77

Filesize
1KB

MD5
905a4ebb1cdf8f4f31bc339adab17bc1

SHA1
0783576dd85022ea045cc96fcf60618d4cb93694

SHA256
d9b4ec44f2a855431c61212f775e47dac7a5f61a271485012050e31b8f055d16

SHA512
950dea25533e133b23790ce098827deb7f5b77c6687f5e7fac2a81e39f210e7c5c9b1db331cd14ebec3df43c16fdca2cf723d3e548e55f1e2513e639f348f931

Download Submit
C:\Users\Admin\AppData\Roaming\F15E.C77

Filesize
1KB

MD5
da4365f663eddbf4d067860a8a0dcb5b

SHA1
2bc4498dae273e71ed608528fa232e14abdb181e

SHA256
589ec7eca74314bd6ceaccaad79416984ce02b9d23dabc64127f2d3b4e79a89d

SHA512
2ad36cde310d5edd91fb39f432948b60d6c1783ad56e4b7d8b41fdefec26a4a6e705260829c1bb76bfdbfbb3ecc37494d828cf80837750e1fbb9dd703b9ed4f6

Download Submit
C:\Users\Admin\AppData\Roaming\F15E.C77

Filesize
600B

MD5
48caa037228407d767005cc882b8c07f

SHA1
ad1ed3062fa55818f4f47024e7f8e07841a0be68

SHA256
88218bf032b6a241bcff5aba1c35a3505e4e95d83eba2b423c29e17a5e5ccff5

SHA512
3b76821b911f7afb7cc3d22cb887c001b610b65bcaa5671ae0b07f1a0104e493e676028655b2931c8d28885114ee4290dab4e2585d5bdfacd08ce56a507d1f5d

Download Submit
C:\Users\Admin\AppData\Roaming\F15E.C77

Filesize
996B

MD5
2f019fd216e13b1b68271abcc0b35319

SHA1
19d526320a13dd201c6f25884f87cdcd13ab2dc3

SHA256
0332438cab21f906886ea5c9421f696bd162629078cdfb14ce07bf1a294e4437

SHA512
cf152c22297f99da36c36aaf2057d4b37074d0f7fc56e7c1a928e68dd8f6fcceaedc29a3145e79046dbd578acd6f23a69eedd9d82c7affa71e2748c80d79ed72

Download Submit
memory/316-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/740-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/740-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/740-14-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/740-201-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1636-80-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1636-79-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1636-81-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing