cycbot | 12cb7a2effe5cdb15deddb0cb549eba973390e08f9faa83a20f3cb8a1a9804d6

General

Target

JaffaCakes118_318b88ac72cb1412cf6a4dd3fdd91d0e.exe
Size

187KB
MD5

318b88ac72cb1412cf6a4dd3fdd91d0e
SHA1

23a3c3c2495e05977e8caad4c9796abe70f8934b
SHA256

12cb7a2effe5cdb15deddb0cb549eba973390e08f9faa83a20f3cb8a1a9804d6
SHA512

8020c9294e1c0d57efdff46d5ccdec3ffc39910870bda75aa4f6ce69043427eb1fad060dfb39cc8b6b7a49b63a1778135043eeaebb378528143dec100dc74d06
SSDEEP

3072:DGZsPCOzJthGdFsPjGuBw+I96BAot8zFPwGs/7/Dx3wwGduVBPU7KFm:bhthGkBVNBAoqiA18VBuKF

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4192-12-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot
behavioral2/memory/1980-13-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot
behavioral2/memory/3432-82-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot
behavioral2/memory/1980-192-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1980-2-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/4192-12-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/1980-13-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/3432-81-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/3432-82-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/1980-192-0x0000000000400000-0x0000000000471000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_318b88ac72cb1412cf6a4dd3fdd91d0e.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 4192	1980	JaffaCakes118_318b88ac72cb1412cf6a4dd3fdd91d0e.exe	83
PID 1980 wrote to memory of 4192	1980	JaffaCakes118_318b88ac72cb1412cf6a4dd3fdd91d0e.exe	83
PID 1980 wrote to memory of 4192	1980	JaffaCakes118_318b88ac72cb1412cf6a4dd3fdd91d0e.exe	83
PID 1980 wrote to memory of 3432	1980	JaffaCakes118_318b88ac72cb1412cf6a4dd3fdd91d0e.exe	93
PID 1980 wrote to memory of 3432	1980	JaffaCakes118_318b88ac72cb1412cf6a4dd3fdd91d0e.exe	93
PID 1980 wrote to memory of 3432	1980	JaffaCakes118_318b88ac72cb1412cf6a4dd3fdd91d0e.exe	93

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_318b88ac72cb1412cf6a4dd3fdd91d0e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_318b88ac72cb1412cf6a4dd3fdd91d0e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_318b88ac72cb1412cf6a4dd3fdd91d0e.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_318b88ac72cb1412cf6a4dd3fdd91d0e.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:4192
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_318b88ac72cb1412cf6a4dd3fdd91d0e.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_318b88ac72cb1412cf6a4dd3fdd91d0e.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0A97.0E0

Filesize
600B

MD5
b1bc5b78856902a9401ccdcd41121b72

SHA1
8d3783effdba0440b90aacee685a64505a71866a

SHA256
00a5baca15679955510570b6cdcce1127ee6bf356d13632588ac5988382ba8fe

SHA512
f9584186a5cf4496f4e14eb022812cac5df4d60f3c28055905c3cd2b3d685bec7ed6fa2e702c931aebfa28b5b7d4444fedc909af1fdecd386c9e642fe3fd0436

Download Submit
C:\Users\Admin\AppData\Roaming\0A97.0E0

Filesize
1KB

MD5
f768b0c494cfbcc5094c512e6a6c3adf

SHA1
7bedd5cc29ec2a6d67eaeaebab244e357e526e6d

SHA256
436c1967baaba9a47e4310fcb0002bef39a4154f3bbcbbc104e113570c10c504

SHA512
59737812a427856f2892c5ecb301a16e06c3eea6b7bb8d4ea4e34d59946e128ccaabc369497bb3d74ee1084642fb959e4de3e29fe60fedee517f050e6e9f1ef4

Download Submit
C:\Users\Admin\AppData\Roaming\0A97.0E0

Filesize
996B

MD5
d90284b13c8ed409faecad94faefb7b9

SHA1
069df4f34afd3fd8ffc97b5f086e7bb6b513fed4

SHA256
429a5d472dc731170fd3e373747920ba0e05c491f22b0d62225f7de6d942ac75

SHA512
cb55ae3a5044039cd66c86d4e55cdbd8d38743a308f1095407d24ea249371a5a63e658bb7b79736854d45d9641cda18c7b354c03f3c59ad56ce4349655dc79c3

Download Submit
memory/1980-1-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1980-2-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1980-13-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1980-192-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3432-81-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3432-80-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3432-82-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4192-12-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing