cycbot | 063c81d12968d51e53c675030ebd49ec5f9283e52049460a22e5cfd7c7f82cec

General

Target

JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe
Size

172KB
MD5

7b198772f7537b85497ecb23545ba2ce
SHA1

9266c8e880ff247b4a0260019328c8ffd3ac05f6
SHA256

063c81d12968d51e53c675030ebd49ec5f9283e52049460a22e5cfd7c7f82cec
SHA512

a1c43f1793171c875b1f5a1df3173da8ab1af87f14751cecbca0c21a41849f1a805d4be24c2a6b5dbbeb6ae5d667e491bdf67bfed182b919c120535068bb3f25
SSDEEP

3072:eF3WWl4UBXhn3GPl1SNEUoJ5HIKAsnWqREKUE1GKCA1L:bW6+x3ol0EUeHzrWhKZAKN

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/836-11-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral2/memory/5064-16-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral2/memory/2016-85-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral2/memory/5064-197-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5064-2-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/836-9-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/836-11-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/5064-16-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2016-84-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2016-85-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/5064-197-0x0000000000400000-0x000000000046B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 836	5064	JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe	84
PID 5064 wrote to memory of 836	5064	JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe	84
PID 5064 wrote to memory of 836	5064	JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe	84
PID 5064 wrote to memory of 2016	5064	JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe	91
PID 5064 wrote to memory of 2016	5064	JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe	91
PID 5064 wrote to memory of 2016	5064	JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe	91

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:836
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D2E0.A23

Filesize
1KB

MD5
bcb138edbb2acbeaa6c18322c1ff2639

SHA1
4b4fac13a284e62b1800c5bb646fe9e36110dcee

SHA256
3b64f996437f6d1299de741a3778a8a9cb36c9fc44808a60d68088f01d50ff06

SHA512
56faae225b43466e9cc9b487eecb8130ad5508d7fc54cc9668412e92584f826bfb8d8cbd4f4a1cf6662add94b2af5be2ec8a5bca3bd1727fe4d32abc6116ed18

Download Submit
C:\Users\Admin\AppData\Roaming\D2E0.A23

Filesize
600B

MD5
6c7551531d540456a07d5903037810d0

SHA1
2d230cfd0967d3c209deb6c00a3da0e69402456a

SHA256
98c04330ccfbade8545b0a9dea0e3e2e94c702e8e9b4664e9a4fdd425bed280b

SHA512
551627e3cefb8f0046ce5093dea672a6909e06582a0dad4068ec3fcd82bc66d0fa434e00837e0c570001e3a1fb4d5e508d15d889e056276eb16e5b635a0d45db

Download Submit
C:\Users\Admin\AppData\Roaming\D2E0.A23

Filesize
996B

MD5
1a1babd22e62ade4f7df97ea8e91dbac

SHA1
00890c63954f59cf3fca2fd9166d705f0c789ad6

SHA256
fa270e3e6e47a545c35161fd12d0f269c4c49f3ae731aa278c1979d040d84446

SHA512
8ea2e2209be896f8aa635f826ee9a841f870e128728bca7e7f27cf31a236b42123cbaf0ba0be49bd37e7222286a06748047134a0ecf8c8b8f5010c3b74ec65a7

Download Submit
memory/836-8-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/836-11-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/836-9-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2016-84-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2016-83-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2016-85-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5064-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5064-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5064-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5064-197-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing