cycbot | 4cc039adfbacf1c0a30b8f6a5d08ad372c187d7a836455197b2c5870e3e4b0ae

General

Target

JaffaCakes118_0e0ac0f1e5b392d635d34bc3369ee155.exe
Size

185KB
MD5

0e0ac0f1e5b392d635d34bc3369ee155
SHA1

70ce8250d0da2bfa5a0ca44d54083269256434ba
SHA256

4cc039adfbacf1c0a30b8f6a5d08ad372c187d7a836455197b2c5870e3e4b0ae
SHA512

9463f39e904800de50eaa2f86f29ed580209ed589cea0fe61a3fa896b64b51d9238ddf46ceaa94686aa0f938bb59df81079cde999517c5700b2a89ec0bbb4756
SSDEEP

3072:I1HoHq842/wG+HZHV5VQ217AP04by0aF3FRnXk3fjf6pitrFar:I1Mzwx5tQ217Az+RFV9X6bwizU

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2088-12-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1804-14-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/1804-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4616-83-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1804-186-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1804-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2088-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1804-14-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/1804-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4616-83-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4616-81-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1804-186-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0e0ac0f1e5b392d635d34bc3369ee155.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2088	1804	JaffaCakes118_0e0ac0f1e5b392d635d34bc3369ee155.exe	82
PID 1804 wrote to memory of 2088	1804	JaffaCakes118_0e0ac0f1e5b392d635d34bc3369ee155.exe	82
PID 1804 wrote to memory of 2088	1804	JaffaCakes118_0e0ac0f1e5b392d635d34bc3369ee155.exe	82
PID 1804 wrote to memory of 4616	1804	JaffaCakes118_0e0ac0f1e5b392d635d34bc3369ee155.exe	87
PID 1804 wrote to memory of 4616	1804	JaffaCakes118_0e0ac0f1e5b392d635d34bc3369ee155.exe	87
PID 1804 wrote to memory of 4616	1804	JaffaCakes118_0e0ac0f1e5b392d635d34bc3369ee155.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e0ac0f1e5b392d635d34bc3369ee155.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e0ac0f1e5b392d635d34bc3369ee155.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e0ac0f1e5b392d635d34bc3369ee155.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e0ac0f1e5b392d635d34bc3369ee155.exe startC:\Program Files (x86)\LP\DF64\1CF.exe%C:\Program Files (x86)\LP\DF64
  2⤵
  PID:2088
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e0ac0f1e5b392d635d34bc3369ee155.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e0ac0f1e5b392d635d34bc3369ee155.exe startC:\Users\Admin\AppData\Roaming\4CA3E\0943D.exe%C:\Users\Admin\AppData\Roaming\4CA3E
  2⤵
  PID:4616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4CA3E\ED2C.CA3

Filesize
1KB

MD5
2bf91f418d60635a2786ba8c1bb372bb

SHA1
1c27fe9d4e848321ff1e694fb8fe07a560e41f7b

SHA256
404c8b233505a1bf5b715cb04865c9f5431c219ce3a5ad698b9586404829a020

SHA512
fed4e97c02e75e08449a1eb4f161d1b176b8c7536bf784b79a63e57e9944ea23bedd866d84f1faaf685e9dfcbf44cd9828987d3679641f7c6de7cf3edfb06c09

Download Submit
C:\Users\Admin\AppData\Roaming\4CA3E\ED2C.CA3

Filesize
600B

MD5
229359c1767cd7e98df4d3d684f1e3c1

SHA1
5d0e82fed15877d5417ca6750a8dbca3c16f1361

SHA256
52e0a0870f9cf24c2431f5b5bc5dd660683c2ae06f80b88a0add3bd41892bfb7

SHA512
498db59f49aad134d9ad5dbb6cc6afc13ff27aca6c4d4a2162528c12b836f3dfc286669b02a21acee0cad529d36879073f47498c543717f3f4535061fafdcd87

Download Submit
C:\Users\Admin\AppData\Roaming\4CA3E\ED2C.CA3

Filesize
996B

MD5
9b46db8ed2f28ec42c9a846ca6d274c5

SHA1
a8852d9bc518fafaea3fdd64d1f5010e75721fb1

SHA256
67d056021dea0ff3b6b100723dcfecf6d7f1de6ec96b9824164ff5b59e268d05

SHA512
2ec0f046ed7a2e121cb53299247c390cf0d5e7dda2e13948713eb8db4be9730107834d8df3113e49595c9a7e9cc9531da4a310febaa611986d92c3d993a7152d

Download Submit
memory/1804-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1804-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1804-14-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1804-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1804-186-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2088-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4616-80-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4616-83-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4616-81-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing