cycbot | c662ecf0275787570795de5e741538c660a0af5bb5d13879efeb653f515d6506

General

Target

JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe
Size

180KB
MD5

622592b5f7166013ac8a63f08c1a3d80
SHA1

41b14f90de662652c373a2516346d487e61a37c9
SHA256

c662ecf0275787570795de5e741538c660a0af5bb5d13879efeb653f515d6506
SHA512

42ef02e77183b448992f34fa7f1bed604166bb659cc85c54ba41b92db34fab45ef2e69197b86ed6ec478e65b65364cf9ef03f341424aebb4ae4d7d8cb83814df
SSDEEP

3072:oAuBp9xL+nU5XgZLFrDaRC9vLwg0+ONtjUGPpnsSeRHdBiw2FAUwJA834dJmY/k2:o79xLjRC6R2vEg05jLRvuDGANAddJm8V

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4284-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/3564-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/3564-16-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/1352-138-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/3564-301-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3564-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4284-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4284-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3564-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3564-16-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/1352-138-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3564-301-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 4284	3564	JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe	84
PID 3564 wrote to memory of 4284	3564	JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe	84
PID 3564 wrote to memory of 4284	3564	JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe	84
PID 3564 wrote to memory of 1352	3564	JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe	93
PID 3564 wrote to memory of 1352	3564	JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe	93
PID 3564 wrote to memory of 1352	3564	JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe	93

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe startC:\Program Files (x86)\LP\0591\000.exe%C:\Program Files (x86)\LP\0591
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4284
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe startC:\Users\Admin\AppData\Roaming\1774E\77105.exe%C:\Users\Admin\AppData\Roaming\1774E
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1774E\E602.774

Filesize
996B

MD5
d15b72459f51aff947d96ecf3c6f2828

SHA1
cb2c2ee13344f2d4cfdd9edd1e537ac94aabe512

SHA256
78ddbde8b9f2b7581ee88c79f07a4b5aa7d62ba3cf41a61d5cc478f0d0fa468c

SHA512
261dc01d04d8ee07419e1d287277c994cde67bf2d086e10a1e26a20d3dc6e566e1c9e25e554a8954609207dbf937f7913cf0978ddf14684b2069d9322265eb82

Download Submit
C:\Users\Admin\AppData\Roaming\1774E\E602.774

Filesize
600B

MD5
992d972542635ae6b7e058add1325a8e

SHA1
8156bce10d5b9cbac86d475b8301b0132a08b660

SHA256
c9dd163271b1b82364979ce093e54912305b109b11d16b84121a2b92ffcb853b

SHA512
18ced10b47f25e5dd8fffa263be9be98ecc15dcf347475bae15d01eefd4b31955adf07494c8f44900dc50a33ae4ad6c0918a0e71364212c1b8f0ef40ff38639b

Download Submit
C:\Users\Admin\AppData\Roaming\1774E\E602.774

Filesize
1KB

MD5
7ad661ea256588912d47c0a73c3f7550

SHA1
b2ee7bb8475fdd282203c15553e253f104b1b97a

SHA256
dee2060ac1ed8a09acec48d09967139b8c305c9a6a235e36b33e7c3f3bcc5f30

SHA512
42bc2f89abafd52adcd86be63e8f2bd047fca00c004b5f0d562d80a83e6b7463586a3a584b72090a1bb36a43d8dd5200de9e7e38392b154b2dfec92a76f2bb6d

Download Submit
memory/1352-138-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3564-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3564-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3564-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3564-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3564-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3564-301-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4284-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4284-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing