cycbot | bd4b7960ce2b22637c5aaab2375a408adaf6df83cbb3225243697e6da434accb

General

Target

d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe
Size

181KB
MD5

d5da4effb15b169bcc2f077601e1917b
SHA1

f30981bd956fe700e40754da40e1edbfa030ad5c
SHA256

bd4b7960ce2b22637c5aaab2375a408adaf6df83cbb3225243697e6da434accb
SHA512

77886b4900d5e2fd7b606bc2f8f2e1475d2b579b9df0b338dcfe5494c6ef5a2d3a938bf25820b424430fa7dd566212e8497a5e113ae477eb1b0d3cb5482f26d7
SSDEEP

3072:X1kLuoetGSs89EPMuJx+32JWVDNHv73lexURVQcW1rF4NBeDb:X1kuNtm/EuSxZf+cDB6b

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4920-9-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/4472-14-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/636-78-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/4472-183-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4472-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/4920-9-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/4472-14-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/636-76-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/636-78-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/4472-183-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 4920	4472	d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe	83
PID 4472 wrote to memory of 4920	4472	d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe	83
PID 4472 wrote to memory of 4920	4472	d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe	83
PID 4472 wrote to memory of 636	4472	d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe	87
PID 4472 wrote to memory of 636	4472	d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe	87
PID 4472 wrote to memory of 636	4472	d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Users\Admin\AppData\Local\Temp\d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4920
- C:\Users\Admin\AppData\Local\Temp\d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1BC4.16A

Filesize
300B

MD5
7824701ef778e4ddb7687c2c9ff3787d

SHA1
dc817a020d02f93cacaa72be66fd80a9dc368193

SHA256
897e726d5be67feabdb5c37ecfcef0251b2eca7652eb778587f9507b9217f0df

SHA512
058459819c39664249bac5eac4a4626e9035944a60ff14b464b82e561b6c9cb159e0979376a296a9cd3c05a213e7066abeec098483013e116c6ac03b6294c6c0

Download Submit
C:\Users\Admin\AppData\Roaming\1BC4.16A

Filesize
1KB

MD5
a2352e009c5c954d9835a81b77768905

SHA1
f01c9af35730917fdb8f8161884446320a33ed73

SHA256
653c3602e2678fadc6e5820bda96c731f2c6a9320ce129d59affbc4ad5b9ed9c

SHA512
80272dcf3080a02f093774a0f0e9f5ddcefa916c367057edaf7b0d9329ae272ab501ab6cccda3b1a11a72484a2b3c75bac3d2e511ad7b8089604276333b678c4

Download Submit
C:\Users\Admin\AppData\Roaming\1BC4.16A

Filesize
600B

MD5
e4731ab0a80ef99264e3998ef8bb8ca8

SHA1
06cf188e32bdac8815c410b8507e635f701e032c

SHA256
38d4e46f1c25849bdc8c81f8792a45defa5fee467004fefbce22f98155f80c4d

SHA512
454a77fc29b0a115e6c2e298b2554df4c5f7d79747e67d4303277e216330071551103a26720ea52b7133aa97b73f36b9c8b5339a9699ceb07fbf010a7150e841

Download Submit
C:\Users\Admin\AppData\Roaming\1BC4.16A

Filesize
996B

MD5
22117051ce7bae9b4d8e2a08042c1012

SHA1
f4ad406998be3b75196ea6a01874dd255a07c85f

SHA256
717a937fe652822f95fc07064b2223d9451f9cd82e1f78ecd6ff7a7b0a79afe0

SHA512
4a567ea3470b069139762e0fbc4cc071027096430c458211ea86582a641fa63a78b03d0e83428ec4e53337c56b55b94af6c32639da969d2d512c7341b1e6b8fd

Download Submit
memory/636-75-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/636-76-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/636-78-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4472-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4472-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4472-14-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4472-183-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4920-9-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing