cycbot | 2d03e9296ce51f5b615ca909b6b25b8b15b545408853a8e9e0d9937b3ddb63bb

General

Target

JaffaCakes118_13ec9f74136163bc789c03b4775279b1.exe
Size

172KB
MD5

13ec9f74136163bc789c03b4775279b1
SHA1

830037f95747e811939c7c7f888206951cea528d
SHA256

2d03e9296ce51f5b615ca909b6b25b8b15b545408853a8e9e0d9937b3ddb63bb
SHA512

a719265fccdcff56ae726e6d3ebd2939cb4c094037bd6fe326aed1a27bab47a554cc5cdebabed318b075a04675aa73012e787e2efe338ba054cb016d4fde8835
SSDEEP

3072:Ju8M2vpUDCPApvoIetzmQE37wNAa1hVpDbPS0s+fSfeuYD11FTRbzk5a+LUzy:JumKvtgGrwN/FbK0KfsD11FTR/kAN

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1580-13-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral2/memory/1188-19-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral2/memory/1492-89-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral2/memory/1188-193-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1188-2-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1580-13-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1188-19-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1492-87-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1492-89-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1188-193-0x0000000000400000-0x000000000046C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_13ec9f74136163bc789c03b4775279b1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_13ec9f74136163bc789c03b4775279b1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_13ec9f74136163bc789c03b4775279b1.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 1580	1188	JaffaCakes118_13ec9f74136163bc789c03b4775279b1.exe	83
PID 1188 wrote to memory of 1580	1188	JaffaCakes118_13ec9f74136163bc789c03b4775279b1.exe	83
PID 1188 wrote to memory of 1580	1188	JaffaCakes118_13ec9f74136163bc789c03b4775279b1.exe	83
PID 1188 wrote to memory of 1492	1188	JaffaCakes118_13ec9f74136163bc789c03b4775279b1.exe	85
PID 1188 wrote to memory of 1492	1188	JaffaCakes118_13ec9f74136163bc789c03b4775279b1.exe	85
PID 1188 wrote to memory of 1492	1188	JaffaCakes118_13ec9f74136163bc789c03b4775279b1.exe	85

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_13ec9f74136163bc789c03b4775279b1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_13ec9f74136163bc789c03b4775279b1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_13ec9f74136163bc789c03b4775279b1.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_13ec9f74136163bc789c03b4775279b1.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1580
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_13ec9f74136163bc789c03b4775279b1.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_13ec9f74136163bc789c03b4775279b1.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\032F.999

Filesize
597B

MD5
22017f534a83444694fc85757546ef01

SHA1
89855ba80cf31553d9be765fee36de895b907751

SHA256
c68fe68353b0df94407a76f9563e406ccd1bdd0d75f68953dec45d053a227d83

SHA512
f183fc32a4c2748609299bd3763f84e66739fd82b27c02537cbf3bf53fbc8ce354a3af915e2eeab34ae915271d6ab50a47194f0a78a9ce2f928ff32d22bcd5fc

Download Submit
C:\Users\Admin\AppData\Roaming\032F.999

Filesize
1KB

MD5
10f140f3627bcdd18db15d77f3ae11d4

SHA1
ed4648a04a0f739da8d8d9dea9712210d253223b

SHA256
2fe97b850d85b17186bdc50dae2ee78c9794f227a56f310272dd205912b22e8a

SHA512
7765058155068cf672afee6d3c270c86639b50c83098fd702805af4f406b1f27c90fbea58211a2a7e127be3ff4d26520b2897704112b0b4aa26da33ace48d8e4

Download Submit
C:\Users\Admin\AppData\Roaming\032F.999

Filesize
897B

MD5
b3b96d23cf463825713d9ad67a221a51

SHA1
a9c31b46abe6f3f83b966ec5ec653a457896ba0e

SHA256
99f1cb688c98938850ec4c1d8f224de20b9c199d785a93ad66be4e3b47c33881

SHA512
f7b85207d8b45b7a628eceadffa330a1e1d4d5796f3ba946e93b0cab452313bdcc1e8d10740307eab275d24ddc6c31ddcd7f4d1d81025f983fad8bcb164680b4

Download Submit
C:\Users\Admin\AppData\Roaming\032F.999

Filesize
1KB

MD5
ee94810f56f0f4dc9805d4f6f6025e4b

SHA1
6bf2559ebbddfda0c5ef9fc5130b2501a5a3512f

SHA256
c74f2922dec1edb3c48c42e5af59486bf91fdcedd1fe0e4d4c27e976d9180669

SHA512
ee32b8c6af77c5989d29ece05d9301c8433e8502820d37c6073076a01d7e90d68eb4ef04e91a3bd49f909f9c8126370efeaf74ff4e47cbd0f4b0b3d992b2c449

Download Submit
memory/1188-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1188-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1188-19-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1188-193-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1492-86-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1492-87-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1492-89-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1580-13-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing