cycbot | b495ec893449a90135781bc73e854a43598d5e4d10c72e53633e8e3faf423f93

General

Target

e0e5b6bd452cda57e220b56414d6c757_JaffaCakes118.exe
Size

181KB
MD5

e0e5b6bd452cda57e220b56414d6c757
SHA1

2b906007bdd2a8625bf4e2c219a3cc824606ba67
SHA256

b495ec893449a90135781bc73e854a43598d5e4d10c72e53633e8e3faf423f93
SHA512

ad84e3dad928e93edebc0c8d9bfe379e656a8131d46fbd33bd2889a3400dcaa7d63e3445aca0d8fe332a6aea48814b5da19c785ee7a2658da93dd81278634707
SSDEEP

3072:fLaN43+0yH/U7fsD+mIzjHxPtPSR45Umi0QxGEvzdVjZgpn3LvSWCC8MWi:fLaAy8og9xco6xGKBxZyjSWCYWi

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4104-13-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot
behavioral2/memory/4720-14-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot
behavioral2/memory/1212-75-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot
behavioral2/memory/4720-175-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4720-2-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/4104-12-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/4104-13-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/4720-14-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/1212-75-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/4720-175-0x0000000000400000-0x0000000000471000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0e5b6bd452cda57e220b56414d6c757_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0e5b6bd452cda57e220b56414d6c757_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0e5b6bd452cda57e220b56414d6c757_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 4104	4720	e0e5b6bd452cda57e220b56414d6c757_JaffaCakes118.exe	83
PID 4720 wrote to memory of 4104	4720	e0e5b6bd452cda57e220b56414d6c757_JaffaCakes118.exe	83
PID 4720 wrote to memory of 4104	4720	e0e5b6bd452cda57e220b56414d6c757_JaffaCakes118.exe	83
PID 4720 wrote to memory of 1212	4720	e0e5b6bd452cda57e220b56414d6c757_JaffaCakes118.exe	92
PID 4720 wrote to memory of 1212	4720	e0e5b6bd452cda57e220b56414d6c757_JaffaCakes118.exe	92
PID 4720 wrote to memory of 1212	4720	e0e5b6bd452cda57e220b56414d6c757_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\e0e5b6bd452cda57e220b56414d6c757_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e0e5b6bd452cda57e220b56414d6c757_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Users\Admin\AppData\Local\Temp\e0e5b6bd452cda57e220b56414d6c757_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e0e5b6bd452cda57e220b56414d6c757_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4104
- C:\Users\Admin\AppData\Local\Temp\e0e5b6bd452cda57e220b56414d6c757_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e0e5b6bd452cda57e220b56414d6c757_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\50BA.612

Filesize
1KB

MD5
5d219f074bfe4059fc10ac896d72a178

SHA1
60dfbae227a783697bbfccb52eab97b8a3e20cea

SHA256
1d270191702d09c6389d482ebb58bb9d41783bfd64207dc3c882c80536da3576

SHA512
75f5f2e66e6b9b53adcfdee544e9c97d3d48bdb6d8d3a73b0c527e21e5160aee3402c4ff9fe33952998ba59d797a1b9aeed3751ec4a64f874a71980b3f0f06bc

Download Submit
C:\Users\Admin\AppData\Roaming\50BA.612

Filesize
1KB

MD5
49aa754b59b08edc644c6af537ccd395

SHA1
8c6c8861faa6de00a8210e52c5d6830c07d16a30

SHA256
ba94c317088bc0a62a350f1ea41d75591d164f4818353f81ff2608863e4d872d

SHA512
ddbf7658cbe7bce4d78509dc86b2136b6a8b059d2fe7f95ad5dd53ed78314c72e6e837948b33caaadfbed23c4677d2169becbce6d87c62adffb4ab32d976cc08

Download Submit
C:\Users\Admin\AppData\Roaming\50BA.612

Filesize
600B

MD5
641ef8f854df5e8f4671c114e6b95a3e

SHA1
48643d62c003f6dc061bafd988da9147281d598c

SHA256
249fd6ab9164d8491e6a6c67949fc4bbb84eb975e94fb7536a37abd8bb5c05c4

SHA512
3ea4aa527761e46b6cbf815f86d86a7059aa77d984450d8da0a06b37f6a3fc32fd9b68fa83c029416f057626d2292782fd9473258e80400c9a9ad088e414ecbe

Download Submit
C:\Users\Admin\AppData\Roaming\50BA.612

Filesize
996B

MD5
bd1ff387e74b54345b9ba0c3c98fadfe

SHA1
abc4f868cc58c89e248b3c408bc017849aed3929

SHA256
f1a678d7a6f0c4b954fdde92075e24905b3650f13b05117fa0d1ecb1399c37c3

SHA512
377da174c39532201913e6cd38e9fcd19c86f4410383ab843e4604e33144cc92e1d19824404e52ad8f427cfc1ee541c0c6cf35fd583e9bcf8a59015d856d77e7

Download Submit
memory/1212-75-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4104-12-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4104-13-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4720-1-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4720-2-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4720-14-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4720-175-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing