cycbot | 27bd9e1db8e910a64403c6dd98e218670ae43a20291e499f757edc568bbaca82

General

Target

JaffaCakes118_17697460f42f0f2917d33641755d8b86.exe
Size

179KB
MD5

17697460f42f0f2917d33641755d8b86
SHA1

a40339fe7504c246c4a4f0315b5913cebc79d7ac
SHA256

27bd9e1db8e910a64403c6dd98e218670ae43a20291e499f757edc568bbaca82
SHA512

7e70cf2efb72d9e274677ed29a7e156fb968a836f9fbe446f9ee934664cd46e02730c848ed92a4d5dce54a0427e53d222bd100035d0fb4aa8c5b945ec36cdd6d
SSDEEP

3072:M1OS7e7LDSy/8ppC9zgAiaXS77PrCDLdyL+r1oZNPy:MES7PRppch7iCDEL+eZZ

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3884-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/3888-16-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/3888-17-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/3904-107-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/3888-258-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3888-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3884-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3884-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3884-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3888-16-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3888-17-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/3904-107-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3888-258-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_17697460f42f0f2917d33641755d8b86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_17697460f42f0f2917d33641755d8b86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_17697460f42f0f2917d33641755d8b86.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 3884	3888	JaffaCakes118_17697460f42f0f2917d33641755d8b86.exe	84
PID 3888 wrote to memory of 3884	3888	JaffaCakes118_17697460f42f0f2917d33641755d8b86.exe	84
PID 3888 wrote to memory of 3884	3888	JaffaCakes118_17697460f42f0f2917d33641755d8b86.exe	84
PID 3888 wrote to memory of 3904	3888	JaffaCakes118_17697460f42f0f2917d33641755d8b86.exe	99
PID 3888 wrote to memory of 3904	3888	JaffaCakes118_17697460f42f0f2917d33641755d8b86.exe	99
PID 3888 wrote to memory of 3904	3888	JaffaCakes118_17697460f42f0f2917d33641755d8b86.exe	99

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_17697460f42f0f2917d33641755d8b86.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_17697460f42f0f2917d33641755d8b86.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_17697460f42f0f2917d33641755d8b86.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_17697460f42f0f2917d33641755d8b86.exe startC:\Program Files (x86)\LP\E4EA\1A5.exe%C:\Program Files (x86)\LP\E4EA
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3884
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_17697460f42f0f2917d33641755d8b86.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_17697460f42f0f2917d33641755d8b86.exe startC:\Users\Admin\AppData\Roaming\A1FA5\E71E4.exe%C:\Users\Admin\AppData\Roaming\A1FA5
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A1FA5\5D1B.1FA

Filesize
996B

MD5
457c66868eafd7c35396fd13b6dbaf26

SHA1
45c7e51515db682fe14c8d2c3e80a75a0e6100fd

SHA256
7441de26c56c012caed6f5f9bf7a52761bd7ba0ce90145c23fce415ba2cf71ef

SHA512
d1e2b8fa0f7d5d23aafafaf1042521687079c29a3f64592cec03d908ce3200ebf5cbd9722180f17e87cd4c47251ed2b9e0fc46dec84a5d658db3e16a1f07580a

Download Submit
C:\Users\Admin\AppData\Roaming\A1FA5\5D1B.1FA

Filesize
600B

MD5
f81fcb46c57a42d70a300943072bba3e

SHA1
b57aa6ca0acbe6dbf7a5aec84134d286605f419d

SHA256
e1649dd4bf77091a06e6da86be65593fb922054b4bdbd39c936c8e7d8fac8c6f

SHA512
0f8d2381a2c1eb1a01dde0827fa58afbfd2df9a63df55d4a05266e30bbcd5d9a84ee030342a28702468e48ff2c06733116c59834548b3ee3c66b72af862be2a1

Download Submit
C:\Users\Admin\AppData\Roaming\A1FA5\5D1B.1FA

Filesize
1KB

MD5
f97695b205034859871f679b874d14ae

SHA1
eccd890bb5764a126c5572a1c524e1514a24858e

SHA256
e3f957b666405e6f686b2c45c10d503d817c82e60bf1ca2eab24928f21435ad4

SHA512
a0817783377589e8bc3b6bfc615c9606626149db5d463ce304131e324fb4c2bd63bf576460666297a803167b38ba2145ab6bb00d4ff4e4a869e587975fca31f5

Download Submit
memory/3884-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3884-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3884-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3888-16-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3888-17-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3888-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3888-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3888-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3888-258-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3904-107-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing