cycbot | 2b2a13b06aa43334f963ea9fb176be6e62a07bfbe9873bfdc4ea7e1a68ad1f54

General

Target

JaffaCakes118_0953ea55cbde8a4348fe587a94494dc1.exe
Size

179KB
MD5

0953ea55cbde8a4348fe587a94494dc1
SHA1

9661d5e1c0309cc1ef9f5eddea8e503e26aed612
SHA256

2b2a13b06aa43334f963ea9fb176be6e62a07bfbe9873bfdc4ea7e1a68ad1f54
SHA512

13d114b9cae405878c4e20080aeca6de1041765d51b528128e98aa6d23830137b98f77252a7836a38339dc73147879159810f5ac09e1bd7a8bf9e32d351cd1e8
SSDEEP

3072:EaAZQ6101RAkEeVAnjHt/7kXksrSe4pyk4wTaHaVDnV2SzHXCZNubqs5:EaA66L5kXkw74D7yZ8bq

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1372-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1476-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1476-16-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/1148-126-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1476-301-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1476-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1372-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1372-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1476-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1476-16-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/1148-126-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1476-301-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0953ea55cbde8a4348fe587a94494dc1.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1372	1476	JaffaCakes118_0953ea55cbde8a4348fe587a94494dc1.exe	83
PID 1476 wrote to memory of 1372	1476	JaffaCakes118_0953ea55cbde8a4348fe587a94494dc1.exe	83
PID 1476 wrote to memory of 1372	1476	JaffaCakes118_0953ea55cbde8a4348fe587a94494dc1.exe	83
PID 1476 wrote to memory of 1148	1476	JaffaCakes118_0953ea55cbde8a4348fe587a94494dc1.exe	86
PID 1476 wrote to memory of 1148	1476	JaffaCakes118_0953ea55cbde8a4348fe587a94494dc1.exe	86
PID 1476 wrote to memory of 1148	1476	JaffaCakes118_0953ea55cbde8a4348fe587a94494dc1.exe	86

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0953ea55cbde8a4348fe587a94494dc1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0953ea55cbde8a4348fe587a94494dc1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0953ea55cbde8a4348fe587a94494dc1.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0953ea55cbde8a4348fe587a94494dc1.exe startC:\Program Files (x86)\LP\F9DC\59B.exe%C:\Program Files (x86)\LP\F9DC
  2⤵
  PID:1372
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0953ea55cbde8a4348fe587a94494dc1.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0953ea55cbde8a4348fe587a94494dc1.exe startC:\Users\Admin\AppData\Roaming\C47CF\C41F9.exe%C:\Users\Admin\AppData\Roaming\C47CF
  2⤵
  PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C47CF\FD95.47C

Filesize
996B

MD5
31f8a1b74fba197d318ade13c1d2521c

SHA1
4d0b289e01d044a828de0c94ff79cda2ebcb7145

SHA256
cce6c345e45996638e892997c8b2225ca45d74ce82b66a3717a7c512a06c57e1

SHA512
9e732c5fa1f1c17a5d5ffb970858995c64ecf8503d075569e8e19c84321d9a28bba72ca63957e54fb93a14bfac4d2554d88d5d52dc931708b2b2c42535ce9833

Download Submit
C:\Users\Admin\AppData\Roaming\C47CF\FD95.47C

Filesize
600B

MD5
64790a4efcf099d138c95bffa03f1faa

SHA1
9543267380170f7ad1f29440f5b73583f12b420b

SHA256
72302fa942d4cbae06f3336e4a89d385eb35e67e447fdf814c219125619c89de

SHA512
87d7515bd27715c2071c0bcaf00e2296caa4befd59ffa12b588ec5f227f00eb14dbe9cd4180b97fccc190e698adc594d215fdd53736bf228b8c2d1229afd9698

Download Submit
C:\Users\Admin\AppData\Roaming\C47CF\FD95.47C

Filesize
1KB

MD5
736c1dcd77bfbdc77743dade49e5a0fb

SHA1
122932ee26a58ae5e1b257d8f2661172551b10e7

SHA256
831aaf13b6c3ef719f1986c233111b2bcafd76c75fc0a288ae840e1cf3aa5c8c

SHA512
8b230945ef0da568fd7415741ac6f2498e4c658081fcd42bcd42f801ee687cc0bd026ac714e022e7d3685b8f490db5b8a6ccb898ae741ad396d906cec54155d3

Download Submit
memory/1148-126-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1372-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1372-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1476-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1476-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1476-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1476-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1476-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1476-301-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing