cycbot | 393291e3acdeeb91b0d00327a55785e7a549ba4e25451033ee1197ee0beee0f6

General

Target

f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe
Size

175KB
MD5

f667a1efbd3a8139526eb7775affa2eb
SHA1

c2c652f93b57f71bb2c529be4a2a79afdaa68582
SHA256

393291e3acdeeb91b0d00327a55785e7a549ba4e25451033ee1197ee0beee0f6
SHA512

285f83c910d12aa7f67b3615bb38c5e0edda613ff9f15d6dcdd7a25d85c309ed0ea7ab1c4175a784da9a97411e4ac7b7a97bdc0064f2c3fb34b3a101006faaa2
SSDEEP

3072:a5BtyHlQRB1lvEljPyVQ3fNcTRh+wyq9oVofL5+aualo8W:a8HlI1leLyS3fN3qQUDua6j

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3008-14-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral2/memory/3908-15-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral2/memory/1216-85-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral2/memory/3908-206-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3908-1-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3908-2-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3008-12-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3008-14-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3908-15-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1216-85-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3908-206-0x0000000000400000-0x000000000046B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 3008	3908	f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe	82
PID 3908 wrote to memory of 3008	3908	f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe	82
PID 3908 wrote to memory of 3008	3908	f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe	82
PID 3908 wrote to memory of 1216	3908	f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe	88
PID 3908 wrote to memory of 1216	3908	f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe	88
PID 3908 wrote to memory of 1216	3908	f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Users\Admin\AppData\Local\Temp\f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3008
- C:\Users\Admin\AppData\Local\Temp\f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\23C5.D55

Filesize
1KB

MD5
621cb8a7e13673d174ebd6ebb61e2f0a

SHA1
575656ec255fc4e2b08eef4d7ec294318fb161b6

SHA256
3f6fa873125d4c54a24f871f41fb112101bd1f06dc5c82c22e50c01424fdb00e

SHA512
25750fa8268a99f40512d14c0d5124bc524d0922e52c037340427430167aede486a38dd924ae13a56c5e7358716d047bb4dee6b3d7a9a752fc33dbd46e273746

Download Submit
C:\Users\Admin\AppData\Roaming\23C5.D55

Filesize
600B

MD5
a49258ba8c6caf06cbe9f5381e892ae5

SHA1
24b13c22d7bfdcc77facf8c4aab383d3e18d7dd5

SHA256
5d0df7a1de34fc57c0b067ffb70b474bc61f832f65ff9d43c136b12bcaae87a3

SHA512
e08431f5889f43e317f89b1979b8d1a4718cc8f761886019b2f437b6dc6a2c4c7f78d765b97c46de5efdc536888cc816e7fb3502bcce2f8b875038673fac109a

Download Submit
C:\Users\Admin\AppData\Roaming\23C5.D55

Filesize
996B

MD5
1ba00e9e419870baa3a55ee4aded7e90

SHA1
e5d484212684887a3277eee52fe2b590928a7938

SHA256
39098035a3f3c47ac720ed79871b1a01903088b686263d321c239d0d94f1ddd8

SHA512
c7b7e96a8c236dc24bcdc492354cb3efdf3f9cc49b19d13ef3a01612fcda2ed0880478b124d2b3e502f3ebf5584dbc991e62d965617854b71e80cd168ce7762b

Download Submit
memory/1216-83-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1216-85-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3008-12-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3008-14-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3908-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3908-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3908-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3908-206-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing