cycbot | 4e6119e5932aac7d72e61bde7a4f2dd3f0b2ad1cb3a4f7de34a7adaa83f63787

General

Target

JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe
Size

187KB
MD5

289c05bfe6833f103e96cc733057fd34
SHA1

eda3d3c71cabfc946f5335e3cd48d9fb7ff5ff8e
SHA256

4e6119e5932aac7d72e61bde7a4f2dd3f0b2ad1cb3a4f7de34a7adaa83f63787
SHA512

d36ee68e53ff89c6ce2bdfba54cf962d7f47d872fe618036904ba38c615b2b81ae3c8a8e7ad59811584331a1cbf2fb82c40b2dab4941dc777e2da37afbe01b83
SSDEEP

3072:l2vjHdaoHP8+5uzYbHmpBnAE4rVktA8RPfBETe:SjRk4uz02BnA2NR3

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2796-12-0x0000000000400000-0x0000000000453000-memory.dmp	family_cycbot
behavioral2/memory/224-13-0x0000000000400000-0x0000000000453000-memory.dmp	family_cycbot
behavioral2/memory/3988-80-0x0000000000400000-0x0000000000453000-memory.dmp	family_cycbot
behavioral2/memory/224-174-0x0000000000400000-0x0000000000453000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/224-2-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2796-11-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2796-12-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/224-13-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3988-78-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3988-80-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/224-174-0x0000000000400000-0x0000000000453000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 2796	224	JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe	83
PID 224 wrote to memory of 2796	224	JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe	83
PID 224 wrote to memory of 2796	224	JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe	83
PID 224 wrote to memory of 3988	224	JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe	91
PID 224 wrote to memory of 3988	224	JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe	91
PID 224 wrote to memory of 3988	224	JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe	91

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:224
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe startC:\Program Files (x86)\Internet Explorer\D3A0\9C3.exe%C:\Program Files (x86)\Internet Explorer\D3A0
  2⤵
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe startC:\Users\Admin\AppData\Roaming\0CAFF\49ED3.exe%C:\Users\Admin\AppData\Roaming\0CAFF
  2⤵
  PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0CAFF\F56A.CAF

Filesize
1KB

MD5
9b8ba62fbc5c47b75edc7797b9f8be8b

SHA1
43117e98e7eadaefc59a2d2a4f48dc63d2388939

SHA256
3bb4ad29a5b1456007b4049320c62b51d808278c90b7b3ceadcf97d125126e6f

SHA512
83dc5d7535d000d5d1eca15a91535b9f5419888d7801d130491b34468e4670187adc139382142b5776a788b4c2a4deec662024f01de91db61afc0e827a0d630e

Download Submit
C:\Users\Admin\AppData\Roaming\0CAFF\F56A.CAF

Filesize
600B

MD5
5d83229cbee46a630ed989070b14c3c7

SHA1
6df0f749bc85c14301890a4ce52c7f6b887ad7fc

SHA256
e9dead399e21143efe69d67d068a2402b3d950cba41fc1aca04463174978239e

SHA512
824605e736d630506ae8410deda26509e0501e43308b42952ae77f17452b695999b7cbbe220e89aa3da2ecc3dfadc60e8dcc5d9d34a9ddfa47cf355690d44e2c

Download Submit
C:\Users\Admin\AppData\Roaming\0CAFF\F56A.CAF

Filesize
996B

MD5
29859dc9d48b64c237ded99cd4a57a42

SHA1
2de1b651c483fa84e32383d5b6678bfb4e1b4154

SHA256
9f0a7495d28576c1ac482a9dfdbf503a6a2b8e9af1596396ff86080bd462d683

SHA512
a6e20ffb83737f8df7311051c48a4001cce4efc93ebfce970c488ef63790ddf3e8b3879a4501bfe21e16326b98d300d22c0552a427f9d9f4138dede556e4e3a6

Download Submit
memory/224-1-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/224-2-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/224-13-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/224-174-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2796-11-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2796-12-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3988-78-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3988-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing