cycbot | 762df47eebb891520784292b2a8d1b3be226cd07758d795dc4f92c64a08302cf

General

Target

d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe
Size

194KB
MD5

d5e21c7e4e38da25440dde05bd77252b
SHA1

09f7513476e57695ade71a788ed5671667974100
SHA256

762df47eebb891520784292b2a8d1b3be226cd07758d795dc4f92c64a08302cf
SHA512

9c854f8f3a1170ab2049eb4a1c4536659129edb8a4e731b44dc96271b4799450f19d0324cabe36b85c741f7137d12c662624178f9979af473b13304a424ccef8
SSDEEP

6144:ht15RY73OI0Gz5YWdUIckYzp8mDjyw/uQ:hBRaIMYMUIcrzWwjy7Q

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4796-15-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot
behavioral2/memory/4796-13-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot
behavioral2/memory/4988-16-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot
behavioral2/memory/1056-88-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot
behavioral2/memory/4988-198-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4988-2-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/4796-15-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/4796-13-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/4796-12-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/4988-16-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/1056-86-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/1056-88-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/4988-198-0x0000000000400000-0x0000000000471000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 4796	4988	d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe	82
PID 4988 wrote to memory of 4796	4988	d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe	82
PID 4988 wrote to memory of 4796	4988	d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe	82
PID 4988 wrote to memory of 1056	4988	d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe	90
PID 4988 wrote to memory of 1056	4988	d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe	90
PID 4988 wrote to memory of 1056	4988	d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Users\Admin\AppData\Local\Temp\d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:4796
- C:\Users\Admin\AppData\Local\Temp\d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DBBB.587

Filesize
1KB

MD5
6977586edc672df4d89d90e4dd375b49

SHA1
90aa8a33b600049f509d1b415a5d79e1f9d8cef5

SHA256
57e414d566344cc0c3be8f51a8ad169ce72c259fbdf1973de882c2895b825c4a

SHA512
ea14e626561ec76d3d6dc145367efa96793aaa1f9fbaba791546aecbd4baaa75c0a77b6e178b93570e7b673ddf3938352fc64e47c86a5d6967fd21cf0f3e0a28

Download Submit
C:\Users\Admin\AppData\Roaming\DBBB.587

Filesize
600B

MD5
26a665c48cc49958ff23a12e9b5a90b4

SHA1
60bb712e17995c6b95c0e1e569c4b4ca1a49a178

SHA256
c5ff329b7e23d1f1f999f0987b064771a2c28509f592e0524f7aed482f6e3085

SHA512
3426353f32433d760a93fdf8741a9f0accd3e86ae8f2242f91d20beff71681276bdfbcfc9eca31ccf45ff5c022f4b8b6d5927d0a39432e3bd21d2712a17477f4

Download Submit
C:\Users\Admin\AppData\Roaming\DBBB.587

Filesize
996B

MD5
2675c3a00682c962482737498824d893

SHA1
5333fc31580ef2c87312a05387e259c1a0aca64c

SHA256
4dcffa4b85f48c5095675bb87231c8405e52ae41b5b3debb32981550c5a84ff0

SHA512
d02da03174e92dce542b72d4f34b4374f7e0e3b2de5a123c5c054d2093871b560b2a04d670ebe8b36eb73f64b7bbe872b14fef2a6db7bde61d3f3abac3f76750

Download Submit
memory/1056-86-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1056-88-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4796-15-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4796-13-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4796-12-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4988-1-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4988-2-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4988-16-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4988-198-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing