cycbot | 21a00430dc7b2ecf702b16f52227f7d558e9397b0d0e5f263416502c289ca3a0

General

Target

JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe
Size

178KB
MD5

231c813d12836c2870d58d3cc88c7efa
SHA1

74f3f77519e563513369c6bfd73fd687ebac3ee0
SHA256

21a00430dc7b2ecf702b16f52227f7d558e9397b0d0e5f263416502c289ca3a0
SHA512

51a42872c84db394dd3ce8ecfe9ea8d68507a0970f0fcc967b35c1c7eb030b81737f60d61ca89ae1550e8ca4d6c4a2b5c28670d27604ffd0426b3ba49885ee30
SSDEEP

3072:/L/wyNqSMLufKePcPRD5kFR+rUr1YdDrgXvftX48yr2goxiX:/L/wXLufDwIR6d/gXHtXJm5R

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2576-13-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/3040-14-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/3040-15-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/4496-124-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/3040-287-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/3040-289-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3040-2-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/2576-12-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/2576-13-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3040-14-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3040-15-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/4496-124-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3040-287-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3040-289-0x0000000000400000-0x0000000000454000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2576	3040	JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe	84
PID 3040 wrote to memory of 2576	3040	JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe	84
PID 3040 wrote to memory of 2576	3040	JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe	84
PID 3040 wrote to memory of 4496	3040	JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe	99
PID 3040 wrote to memory of 4496	3040	JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe	99
PID 3040 wrote to memory of 4496	3040	JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe	99

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe startC:\Program Files (x86)\LP\5043\11E.exe%C:\Program Files (x86)\LP\5043
  2⤵
  PID:2576
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_231c813d12836c2870d58d3cc88c7efa.exe startC:\Users\Admin\AppData\Roaming\3B837\73050.exe%C:\Users\Admin\AppData\Roaming\3B837
  2⤵
  PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3B837\71C7.B83

Filesize
996B

MD5
eb3c36dec2b8aa0cdc3a07928893ecc3

SHA1
f21d77ff48227f32b5cfa8be6700e969404b6efa

SHA256
9526811ce067317c7e4d5fe85e342f7ea6625f919e75c52fd5ca44de77272021

SHA512
9d6ed65f6a8263f778f477a03fb76b014d5d45294191ba8b27341a89d8d0c20cdc08dbc19ce4e1636845cb42a04d456c07a363cb5faff49685c7a7211a1aa600

Download Submit
C:\Users\Admin\AppData\Roaming\3B837\71C7.B83

Filesize
600B

MD5
8b3fb428ac4120298995b0020e3588e3

SHA1
caf56aabdf16eb083b0c1ba44775b49e83bf4e6b

SHA256
f490e9e8dfa5dd78e9e279a9e478f4cf5fe43b0a7dd438b41a5130c83033fb2d

SHA512
743ec558d7dfa72304c31e780933adb0504b55aac1edcfd9f2bcb21436f330bf31cd6438bd81fc284d1e37eb27fee2310ea1ef94ab50f812964cc9081617344f

Download Submit
C:\Users\Admin\AppData\Roaming\3B837\71C7.B83

Filesize
1KB

MD5
e6249a42badf0c04f4b4c5d949e57c7d

SHA1
60cde088acfa23a81302c1ec38fce1916feea0b5

SHA256
e80e3cad34976f4bb22df16b4df0c61778377436c06ed12bf2330cd820157ea5

SHA512
9a42165db0dc36ef07e20bf37ff4d528abd613b936e3b39b0794300e735cef7f2ffa3b2c122d133e06decb3eb4e9519b5938437afbbae36109b314a06fa70c73

Download Submit
memory/2576-12-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2576-13-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2576-11-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3040-14-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3040-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3040-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3040-2-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3040-287-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3040-289-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4496-124-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing