cycbot | 647a18f570d05bf304a2f752aa3e46bac57a3b1aa05605976a630ec542b6680d

General

Target

JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe
Size

185KB
MD5

20cbec00156786bbb8f3505ec451c712
SHA1

13a4677960eb7011c4549b1747375658047e94e6
SHA256

647a18f570d05bf304a2f752aa3e46bac57a3b1aa05605976a630ec542b6680d
SHA512

24a4262aec82fd45736c62944d30097ea8a65cafb47155053a4606afadf6d9578a487811a5735e2d6ae7df81a39a2156f0984cb4f2907d9212f3a265da16a92c
SSDEEP

3072:PiWikRz6onQKh4NvWwqNoFrjpb3gh1gbuPBbi7sQVyugC9lZvRiSNy15cg+3g2LX:PXJ6iQ6KWsx2SuPBbi7lOC9fZiSq5m3f

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2160-13-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4364-14-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/4364-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/524-80-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4364-177-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4364-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2160-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2160-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4364-14-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/4364-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/524-78-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/524-80-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4364-177-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 2160	4364	JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe	82
PID 4364 wrote to memory of 2160	4364	JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe	82
PID 4364 wrote to memory of 2160	4364	JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe	82
PID 4364 wrote to memory of 524	4364	JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe	85
PID 4364 wrote to memory of 524	4364	JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe	85
PID 4364 wrote to memory of 524	4364	JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe	85

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe startC:\Program Files (x86)\LP\2D96\E1B.exe%C:\Program Files (x86)\LP\2D96
  2⤵
  PID:2160
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20cbec00156786bbb8f3505ec451c712.exe startC:\Users\Admin\AppData\Roaming\6277B\2743D.exe%C:\Users\Admin\AppData\Roaming\6277B
  2⤵
  PID:524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6277B\B203.277

Filesize
1KB

MD5
65ad2d32da48a918dc3d47f0a113a0fe

SHA1
3acfc755fdb16314e70f1ac97d99855f29d58db9

SHA256
2558f40cf4992c7064a344741d2863113a42ac17d54065f114ecd47a26890815

SHA512
d1bb0a55261ba106ed825b927710cc1bda41da849013e04ccfff686388595ae771f4a628d8ba0e75c1a3ccb761a6ead7aced80a5c41db7a2b3c5d68f1e576c6a

Download Submit
C:\Users\Admin\AppData\Roaming\6277B\B203.277

Filesize
600B

MD5
7c5257957e99ebed353f5abcd27e0e61

SHA1
d58b3c7511494ffe151fc2efaee2e2358f1fbc08

SHA256
9560a1368e681326d9306f010f30c80e1009c4f70a61c93882169bfbc1347ecf

SHA512
67294848412aaa558183cfc3f65589cef068a2893bdbf26c312b45a7d2122ae1be99c32d55939469761bfae07ab440ce8c9e1bdd00f2418a4493c5e8e4f14d2b

Download Submit
C:\Users\Admin\AppData\Roaming\6277B\B203.277

Filesize
996B

MD5
f05dfe590e4bd8d3531c8922cda51dea

SHA1
ef33c0706c3d89105ad162bba6782697e754e53b

SHA256
f87ed7913cc45bb1f0a6ab3d066fc769208bd8b1aa34c44c996b89f16f00bdef

SHA512
2fab614d06b007b8564e8b0c8e210f6fc796ff9cd5943bdb4c4ef503d8d7d9eb7fcdb16f7590c36bc193abebc7a56e001dad439ac685e54e213c0658582f9a15

Download Submit
memory/524-80-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/524-78-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2160-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2160-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2160-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4364-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4364-14-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4364-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4364-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4364-177-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing