cycbot | 4ac1b05fb39c6287a4052cd50b395be75daac09c1521fa9906ba9e2836a983aa

General

Target

f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe
Size

182KB
MD5

f36988e4e6bc154cd7c50bd676fd9367
SHA1

62451b9e26c6726f4a195a957db8cedbf3fbc24c
SHA256

4ac1b05fb39c6287a4052cd50b395be75daac09c1521fa9906ba9e2836a983aa
SHA512

0f55c1118b19dcea353aee53c950a68c0c0a9254ff1b57f50af8cdfb98da5517257652f4aacb7c08299432094370a3c8b50a71b2a28abcc59090498348d0ebf9
SSDEEP

3072:u18M5zt8ciNzA8iCKKNBkU/L/SR2DnoYc/Uv0ekN+bzbva:u1RENz7nAKa+noYcBxsz

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/956-14-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/2052-15-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/2812-78-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/2052-178-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2052-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/956-8-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/956-14-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/2052-15-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/2812-78-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/2052-178-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 956	2052	f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe	83
PID 2052 wrote to memory of 956	2052	f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe	83
PID 2052 wrote to memory of 956	2052	f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe	83
PID 2052 wrote to memory of 2812	2052	f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe	85
PID 2052 wrote to memory of 2812	2052	f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe	85
PID 2052 wrote to memory of 2812	2052	f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Local\Temp\f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:956
- C:\Users\Admin\AppData\Local\Temp\f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f36988e4e6bc154cd7c50bd676fd9367_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3C80.291

Filesize
1KB

MD5
bd39137100098d39020b4b957b7d1254

SHA1
e8fd5230ad169cf52a5b130275b95178e489a239

SHA256
f29bdcc840287d485240fd297e1333086e3cdb4478449e2b9bfefcc05a8ff519

SHA512
f72d9c18d9067b22eb06c08654b4fcd9ee5545f767a21885822d3ea4448fbe70ac4d963d9f2ab837c1a46307fbbf607bacf41656745d9c165d606877cf71610d

Download Submit
C:\Users\Admin\AppData\Roaming\3C80.291

Filesize
600B

MD5
93c2711a1878cb9657040ae92c1f0d39

SHA1
80375a2f63cda874baab9cc157bde848a334bef8

SHA256
8a573f07e71461b9bd82de3333e7f50c60c986ff930d0cf5ae34ab2e99e4fe32

SHA512
32aeddf79dd48645c79d1467cfbe1cd7ddb62e7d6fb624256175e3bd4b251125f95378daf89c110310c933b152360f7e816fa810b33fadde4ca7b8c59b2d0ad8

Download Submit
C:\Users\Admin\AppData\Roaming\3C80.291

Filesize
996B

MD5
d5c2af75b4fe0740dc384450ae0d17d8

SHA1
6f3edd65f006a17c3d2ec44227aee6c512798015

SHA256
dd02dccc0669890960ef85359f27f1ab419950de91eeed62e05dc806c4238b14

SHA512
f3163b5709c5ae1410dbf8bfeba2964bf4ce2f631bd94eac122c55721e58d2d909c4ac08245b116f2e2e19a690034bc5ea254f26222ce69740404fb346b93e89

Download Submit
memory/956-8-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/956-14-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2052-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2052-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2052-15-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2052-178-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2812-78-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing