cycbot | 28a38218bffc67455d0b132d26ef751b7d239be9093ccf1f527fa5e8a3d2a01f

General

Target

JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe
Size

180KB
MD5

02253b4f65f49dcf9cece0f2ce858ff8
SHA1

f899e34d98fddeaa05b31dcf881a75a17c4cfe53
SHA256

28a38218bffc67455d0b132d26ef751b7d239be9093ccf1f527fa5e8a3d2a01f
SHA512

15b5a32fc0d2191ceb2e26813b2b1e06d44ab3554648c7afd138633998f375f17bdeb57331462a11b27e0fd0bc1d14dab179aedb5965270ca363203bb7a315cf
SSDEEP

3072:Z1oALN8ojjJZqEqw9Ia4OffcxCFk9Mmf4S98iygDZe6BxA9ZR9nU2iqPchllzF3E:ZdN8ojSEqwimkCFkS0198EVeqxAnULyN

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2144-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4528-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4528-16-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/1648-123-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4528-302-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4528-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2144-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2144-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4528-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4528-16-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/1648-122-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1648-123-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4528-302-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 2144	4528	JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe	83
PID 4528 wrote to memory of 2144	4528	JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe	83
PID 4528 wrote to memory of 2144	4528	JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe	83
PID 4528 wrote to memory of 1648	4528	JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe	92
PID 4528 wrote to memory of 1648	4528	JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe	92
PID 4528 wrote to memory of 1648	4528	JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe	92

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe startC:\Program Files (x86)\LP\E4ED\1A5.exe%C:\Program Files (x86)\LP\E4ED
  2⤵
  PID:2144
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe startC:\Users\Admin\AppData\Roaming\D6EC3\E71E4.exe%C:\Users\Admin\AppData\Roaming\D6EC3
  2⤵
  PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D6EC3\3A61.6EC

Filesize
996B

MD5
abe3293d55934b4d6973c748d0348a28

SHA1
a0cc21f93974fd934931ee6ca4e40882bc9a76e3

SHA256
6db93c7bc8bcf2cba93e21090bd27e31ec581ceac3af74be34d4d8fc718bb52c

SHA512
b7d3383d33cd921d2c19e42263e2feeb3a224284382000e14ead69978236e6dcd3cf81ba16076e3e1fa4e1bb5b798f3d2d84e58acb4abda40f00791442ab095c

Download Submit
C:\Users\Admin\AppData\Roaming\D6EC3\3A61.6EC

Filesize
600B

MD5
06259f0045a9797362dddae8ded5195e

SHA1
ea046d240337f3eceb5f3f74de008e13f3d346ba

SHA256
49da5bcfc7df3014b95e7557d320aaaecc693a370c3cb16f2ccc097fcdd560a3

SHA512
c8d611ff6c8d6f7723c4b3aeceb8cbcc1f093b109ca150fe247db3b415f935c8900729d9dbcb3a2cb2db814f41a0c3075f99c3b7731aaced324372f920c99972

Download Submit
C:\Users\Admin\AppData\Roaming\D6EC3\3A61.6EC

Filesize
1KB

MD5
3582b6793c0ff67443f7c1131cf785ed

SHA1
8a658a8c89f44281dc5b2f96a75d0a19b0c2e4e6

SHA256
e1cdc7fc1f7678a84926167c7878733faf6ac7b0a5e58eb86d1a5416171a5ac7

SHA512
2a1f3dbdc05b5db75421dac945934733b3b7e9df51d32e38b59fdd8e92da5acde1112dfb532ccdf2d1cacf3c35b0657845907cd9bd0c977648b68c7d08c0d25a

Download Submit
memory/1648-123-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1648-122-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2144-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2144-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4528-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4528-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4528-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4528-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4528-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4528-302-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing