cycbot | 4cd8dac5fb8c4eea3eb5ece67bdbdb005b84185b368a57a59ebda0c0832c0d88

General

Target

JaffaCakes118_1c6c7561efaa9fecdd96222014c80ad4.exe
Size

186KB
MD5

1c6c7561efaa9fecdd96222014c80ad4
SHA1

45f19657e8333da6ebb61fe8f5639689cf3e8e92
SHA256

4cd8dac5fb8c4eea3eb5ece67bdbdb005b84185b368a57a59ebda0c0832c0d88
SHA512

dfbe5fa87c0e8e299b4040e8b33b0c73688836f1ad31153611adc7a14c233d910b45883a31b47a94becf5c0ad8ff629ef70f7488325764b9ad9bb290d49d24fd
SSDEEP

3072:JrNmuxndTuXB3zNX9I8AqL8En1mwYHFrDB05eDc0cDNgacixAPX8i7gQh/oVAR3G:Guxnd+BhXm8VrnQNFnB0hBgmOPf/ugf+

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3324-12-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/3524-13-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/3524-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4628-83-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/3524-186-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3524-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3324-11-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3324-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3524-13-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/3524-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4628-83-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3524-186-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1c6c7561efaa9fecdd96222014c80ad4.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 3324	3524	JaffaCakes118_1c6c7561efaa9fecdd96222014c80ad4.exe	83
PID 3524 wrote to memory of 3324	3524	JaffaCakes118_1c6c7561efaa9fecdd96222014c80ad4.exe	83
PID 3524 wrote to memory of 3324	3524	JaffaCakes118_1c6c7561efaa9fecdd96222014c80ad4.exe	83
PID 3524 wrote to memory of 4628	3524	JaffaCakes118_1c6c7561efaa9fecdd96222014c80ad4.exe	92
PID 3524 wrote to memory of 4628	3524	JaffaCakes118_1c6c7561efaa9fecdd96222014c80ad4.exe	92
PID 3524 wrote to memory of 4628	3524	JaffaCakes118_1c6c7561efaa9fecdd96222014c80ad4.exe	92

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6c7561efaa9fecdd96222014c80ad4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6c7561efaa9fecdd96222014c80ad4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6c7561efaa9fecdd96222014c80ad4.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6c7561efaa9fecdd96222014c80ad4.exe startC:\Program Files (x86)\LP\2985\42E.exe%C:\Program Files (x86)\LP\2985
  2⤵
  PID:3324
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6c7561efaa9fecdd96222014c80ad4.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6c7561efaa9fecdd96222014c80ad4.exe startC:\Users\Admin\AppData\Roaming\50427\1543D.exe%C:\Users\Admin\AppData\Roaming\50427
  2⤵
  PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\50427\78C8.042

Filesize
1KB

MD5
d89e38b21b906a1e1a9bdf8f6f8f1057

SHA1
381d77e57d047c3f9d172a4aa3d773511106c750

SHA256
d944a26a5e701e5c0bc412bc3072ca2f84978eb4ad624a0fbbf9538d7288b15e

SHA512
866ea25d564bd32bcbe8011a3d7d4a76fa08c1a056c87e56218d088fb6bf4bda4baa6c3b6b0823c839dc2a7bb4d6e6e53c5ba56b00b30e50735915c5246850dc

Download Submit
C:\Users\Admin\AppData\Roaming\50427\78C8.042

Filesize
600B

MD5
903a5f9f4a4ae1c132864114b5687d07

SHA1
31148da82f613a39248952312994ef3f5a9459f3

SHA256
a14819b91ad787b373b543876d6e8d4930990c554e07fde67f2b1f6132dd6a69

SHA512
9e0a7d9a1b1674b5ba223cbbd5b95ad74d8db2a05f8c298e724e42334c6a3e098492065f9e269fc83277459fca766e61d599b012040ca68aec82c1268f668989

Download Submit
C:\Users\Admin\AppData\Roaming\50427\78C8.042

Filesize
996B

MD5
b76a132fd46848a69efbce0cafc6cb30

SHA1
6449c26bb56ca86e413aae57c183b72d7544b4af

SHA256
6a9f20d4dafe8c6f0d982e4af8e048f4be179a4cebeaeb16ce0c0892eebec937

SHA512
73c74027ac99c8c83a9180f99380f38627433943a3379d1ec2a42bc9e3a58d60cbc9b73bf61e43a39dd5ac81d54d833ce0eb535deeafe7ac57482bee86f2c88b

Download Submit
memory/3324-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3324-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3524-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3524-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3524-13-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3524-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3524-186-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4628-81-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4628-83-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing