cycbot | 6be102ea5e555ee5ca772def01180a8d52648c8a73f0b4389cdcd88974a5e756

General

Target

faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe
Size

180KB
MD5

faa674f85eb7b8fa5f4817e573bb2a37
SHA1

450c95f84b88f89c01efad5ca3ed9a8706eecd6d
SHA256

6be102ea5e555ee5ca772def01180a8d52648c8a73f0b4389cdcd88974a5e756
SHA512

7312e4fc833b4013aa5c2b0e19d0f185d2b35f5d3c7b7b318d9a5a77e38b8175c59536af93c783674587ba30cbc526f64e8aa0d1f310dcf99e41ee88c792e984
SSDEEP

3072:9KlVa/TUW+W/kn7JiCHJ/IAiTq6k6h/Q3xAV2Do2lILEICeXUewhsS7aS2:ewTwiMJ/IAiZUx22mCEPysS7af

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3304-13-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/1932-14-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/2820-74-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/1932-185-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1932-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/3304-12-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/3304-13-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/1932-14-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/2820-73-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/2820-74-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/1932-185-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 3304	1932	faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe	82
PID 1932 wrote to memory of 3304	1932	faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe	82
PID 1932 wrote to memory of 3304	1932	faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe	82
PID 1932 wrote to memory of 2820	1932	faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe	85
PID 1932 wrote to memory of 2820	1932	faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe	85
PID 1932 wrote to memory of 2820	1932	faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\Temp\faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3304
- C:\Users\Admin\AppData\Local\Temp\faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\85F6.225

Filesize
1KB

MD5
5a97a2f3f6c1a9bfe7160321eb22df59

SHA1
4684241d3d2bcb76060d85858eb9b009f64c2042

SHA256
722b627af74c7a9685b77c537bf218c03d79ca484021d92215ea74d3ca63d2c5

SHA512
54901498247450d2194c5e8e27ab697cd9eb2272db7a58d58c702c2ed2b4c278b93f23a395800d66776c9158ae536ec53fcf9face85ea56358d723f9f17e039b

Download Submit
C:\Users\Admin\AppData\Roaming\85F6.225

Filesize
600B

MD5
54fbb1b0fffdc3af2dc491f703f5ac8d

SHA1
4e03ea5fc141cf88ec67a0d28ece0ef9cb5f7d6b

SHA256
9f16c3811c64246a184cde0ff3c33312017104b3dde40751ce3b23127f946fb9

SHA512
c0753860a5a554e298e34ea0f3fa0d5de271f31896783e9164747c902274ea0470514a549532cf7f821912c1ecef89c2c6052ef857854aadcd6d3974c22b7468

Download Submit
C:\Users\Admin\AppData\Roaming\85F6.225

Filesize
996B

MD5
7f3fceeaaae7feb73ebd0304c8ce0bb0

SHA1
c3547091b827b9dc968f2ff1691687a9ec8dc82d

SHA256
7d8cbd5742cbe571077c27a9410b06de5f9ae482fb53158b03e8c3763e5a5618

SHA512
f3df704ee1477092c89b1bed05cf743d08d8e1e8c27e714a0d966138dcd604d692fc3ed9e69dbb18416c4092a2869dda57f904fc80c789cf5a68f7a50f3a6947

Download Submit
memory/1932-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1932-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1932-14-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1932-185-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2820-73-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2820-74-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3304-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3304-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing