cycbot | 8bf262dfef65d1d917608969c942062fbb0bcfa65c28c773c2dcdee479c33a82

General

Target

fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe
Size

183KB
MD5

fd0f495e2591d50d33149ef4521cf42c
SHA1

4c48efc91268be9226b42be113e3870e603f59a7
SHA256

8bf262dfef65d1d917608969c942062fbb0bcfa65c28c773c2dcdee479c33a82
SHA512

735b5449640451a0c8ee0a2dac914c43b4fc4c7bc72a9033f75a9e0d39b5f445b102a8569d59b15b9fae58429e0e173d4cb8dd2255c54901c35ff8f9b71c1d35
SSDEEP

3072:BzIIfglntYsALBO6tBONx+LMG/kh8rhg1rUyaYVk8r68i/kRylgEe2O0:uIUHAM+BsrKFwrVLOf/NQ

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4108-13-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/2204-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/2204-15-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/3400-87-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/2204-186-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2204-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4108-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4108-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2204-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2204-15-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/3400-86-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3400-87-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2204-186-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 4108	2204	fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe	82
PID 2204 wrote to memory of 4108	2204	fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe	82
PID 2204 wrote to memory of 4108	2204	fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe	82
PID 2204 wrote to memory of 3400	2204	fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe	87
PID 2204 wrote to memory of 3400	2204	fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe	87
PID 2204 wrote to memory of 3400	2204	fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe startC:\Program Files (x86)\LP\0B05\619.exe%C:\Program Files (x86)\LP\0B05
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4108
- C:\Users\Admin\AppData\Local\Temp\fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\55485\97B0B.exe%C:\Users\Admin\AppData\Roaming\55485
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\55485\5BED.548

Filesize
1KB

MD5
0df43740e6563bcf6223714c6fc6f462

SHA1
22ce443f32deca167af83c8617119a3a84b8cf5c

SHA256
ebfe6fbc60878b148188d1b6d9738b238bde35c413358b8c8ca713b05dbd777d

SHA512
eea7b32792eee3ce7f93d5808ab3a4f98d0cfc5282e5e5dd6db3af8f59f1c2ffc76186fd185ff3745271326a7c66f6e6611ae8329cbbaa9470e80ab27e364c4a

Download Submit
C:\Users\Admin\AppData\Roaming\55485\5BED.548

Filesize
600B

MD5
9456c0180374a513b37d04f0739a5e30

SHA1
8598666ce030648f571b37257de74e2aa4626a5b

SHA256
97efa57d3a8e3f921f1a14ac1f2988e7dfca32e9897acef369f61e040337144e

SHA512
0d2d45be94445e6a4fed7b96143d896f6ea4182f54372b9d2d52112ab2f2a5e6e34c755b8bf56d70dae42bcb7b8ba92d81ca261bb64572ecd19ba48a3659acce

Download Submit
C:\Users\Admin\AppData\Roaming\55485\5BED.548

Filesize
300B

MD5
d31abdc1bb01932cb9a27e0c576ae9b2

SHA1
dbe8bed155bde3e9a806fcd98ace31a4e5df7397

SHA256
5c9db4c61acd92e4b772c700b0ae0d095198a6b0e450b7a7bc83add1a91f78f6

SHA512
a5536c8af9ebc6b6c5ce66f554bd1ad096fc2d857661181ce9226531d3205ce4306492aaf7877375a431124c2e00ab5f30afe837302f2b389e4e988460089c86

Download Submit
C:\Users\Admin\AppData\Roaming\55485\5BED.548

Filesize
996B

MD5
4db52886a995169dc4d6fb985e74db15

SHA1
f8ac637f81ad3e798bc16552862faed6e5caead9

SHA256
a2e9ee07ef28512f65d46e352809224f1a412ca14917a670a042158e3bef1f60

SHA512
071b56d49f6fa040491814474b1f3b03d5869e4f97e50bf3f1b2503441c505514d1289ad3872819593b682f746b49afc8c72a96a1adeddc00bd19af69ec7092e

Download Submit
memory/2204-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2204-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2204-186-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2204-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2204-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3400-86-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3400-87-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4108-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4108-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4108-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing