cycbot | 9dfc1bf1d3663eac731a17fe8d156a26ba17e2aec1f52511caa0ff1d4fcea9d2

General

Target

JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe
Size

176KB
MD5

22c9a3b3e6f8e0ea86ab8857b55f7382
SHA1

1f33b0fbc825ab0a8d24e5de3d0c1dc9f88e2a98
SHA256

9dfc1bf1d3663eac731a17fe8d156a26ba17e2aec1f52511caa0ff1d4fcea9d2
SHA512

60f95592800c943a0ba7adce12f46fd88cd9eaa3f20e9fc04b7b3a69cb0eb72adfc961f5886b9bb6bc2e0d246ce586583ad960ad99ad4d254b0d2289a3753306
SSDEEP

3072:MyQ0ye7pnGvSkMzzC2WKHPN1mPR82UZSOvCb2oc/VHOgW594b9Qf:BQ0yipGvMnChESy2UZSOKIVpWTCGf

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1768-13-0x0000000000400000-0x000000000046F000-memory.dmp	family_cycbot
behavioral2/memory/4744-14-0x0000000000400000-0x000000000046F000-memory.dmp	family_cycbot
behavioral2/memory/2964-79-0x0000000000400000-0x000000000046F000-memory.dmp	family_cycbot
behavioral2/memory/4744-187-0x0000000000400000-0x000000000046F000-memory.dmp	family_cycbot
behavioral2/memory/4744-188-0x0000000000400000-0x000000000046F000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4744-2-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/1768-11-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/1768-13-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/4744-14-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/2964-79-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/4744-187-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/4744-188-0x0000000000400000-0x000000000046F000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 1768	4744	JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe	84
PID 4744 wrote to memory of 1768	4744	JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe	84
PID 4744 wrote to memory of 1768	4744	JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe	84
PID 4744 wrote to memory of 2964	4744	JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe	92
PID 4744 wrote to memory of 2964	4744	JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe	92
PID 4744 wrote to memory of 2964	4744	JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe	92

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe startC:\Program Files (x86)\Internet Explorer\D3A7\47F.exe%C:\Program Files (x86)\Internet Explorer\D3A7
  2⤵
  PID:1768
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22c9a3b3e6f8e0ea86ab8857b55f7382.exe startC:\Users\Admin\AppData\Roaming\7113E\34ED3.exe%C:\Users\Admin\AppData\Roaming\7113E
  2⤵
  PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7113E\E864.113

Filesize
1KB

MD5
109e2ff39ba23f06203b6178fac39ab6

SHA1
9e53ca82df51696c9f02198809543768d49969b6

SHA256
8fcb3616efb4fcf21dd4ebd5fc190bd9943e7a48c4ae186e8a82543dc4d73034

SHA512
3e91c71688fa4c614d7b8e658515f7ebe99c453ad3b536cd15eb528cea609aca7e84ccbefbd5cc0ba404528cea07a9cfa543e2478597c7b2cb62ccdd16c1b86f

Download Submit
C:\Users\Admin\AppData\Roaming\7113E\E864.113

Filesize
600B

MD5
f9e84bbdc558d9ab894737b6175ff5ee

SHA1
42d1a0a6bf802afde4dbdad40e5e25771a9f97b5

SHA256
ccda1eba78a4d0a0e2135efb90ef760191ce92b773503d9543756cb07069638f

SHA512
396e2b13f57ad3c9fff6570f1bf8a6c12e6a35fc4be0ceba47c5b12a41b4ed3221063f18fb4ac12ba39b713ab38a4466e05fbaa16a5adcd808649c4542bf90fd

Download Submit
C:\Users\Admin\AppData\Roaming\7113E\E864.113

Filesize
996B

MD5
295a936cd245afa715c624ce92663cd9

SHA1
506f45f155647cf9aabc139299f3e76509fa44f5

SHA256
2d572bf29d4f3222a0024e2c6de1b59412ff37c80b6cadfbd1a5654217beac64

SHA512
6d7e859f1162f3917b398e9104780a17ff3272d1e101fd2a6726884497f1384d670de8897c8e9d48c87fc59a3a881efa88ee404b0de5311b1d774c833dd26efd

Download Submit
memory/1768-11-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1768-13-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2964-79-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4744-1-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4744-2-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4744-14-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4744-187-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4744-188-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing