cycbot | 4bc53d3c2b2b7e398c2ff79567c649693e8cf31ae87f687935d040909dd131af

General

Target

JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe
Size

188KB
MD5

32663601c06a91564a0de6dfa310140c
SHA1

7aedbd286e02fee49db7331bf4d2e6e584ae8d2b
SHA256

4bc53d3c2b2b7e398c2ff79567c649693e8cf31ae87f687935d040909dd131af
SHA512

c8f38abf6a21d51cf797ba402345c27c9f6db1f566cb604a5915d823a073a48f9fc3627f863c6d9188f26fb38e10cb61a62d30cf62002b6dfb63cad25edb3c80
SSDEEP

3072:0FsFlM4t39BF1irIluJFJIL1hjAEdtBxYKyWXazR3jxMip:0FsFlMQNBFQrJLCzjAEdtIKrazR1

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4024-13-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/4080-14-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/1168-69-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/4080-180-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4080-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/4024-12-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/4024-13-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/4080-14-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/1168-69-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/4080-180-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 4024	4080	JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe	82
PID 4080 wrote to memory of 4024	4080	JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe	82
PID 4080 wrote to memory of 4024	4080	JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe	82
PID 4080 wrote to memory of 1168	4080	JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe	87
PID 4080 wrote to memory of 1168	4080	JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe	87
PID 4080 wrote to memory of 1168	4080	JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4024
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2BCE.1C5

Filesize
1KB

MD5
2131120c8f20c13aa48eeb4a5e134701

SHA1
516a948576a0376e19a0f4ae404720dceba76930

SHA256
f3a647e9166ab328022655dc9a5aa191d88af920594704bf10e4f8d15b03ff63

SHA512
eeda36068b0e9305e6812de2bc7dc729aaf86c22bcb4f912d977bf5ed2a2b3f2e6ad3df1299dd07518b8d0a64af271fdf0119f73064e89141d792695795faab3

Download Submit
C:\Users\Admin\AppData\Roaming\2BCE.1C5

Filesize
600B

MD5
2d281edc2775ba6eabcbe5319cd85ada

SHA1
e78fcd21a731df6b9bd0c833580719c61a447b7c

SHA256
268a67f5e906c76f069a9593dceda7bbf81ec59f3cf24ba7d6bb3f4f0bb96eba

SHA512
95a065154cac84585f401a2f6bd092b468058ac21803c5cfb643f791c175d46d2936cbb933086fc839434191c6fb3f52146e6f648890053e6d705f53331964e5

Download Submit
C:\Users\Admin\AppData\Roaming\2BCE.1C5

Filesize
996B

MD5
911980cb1403654c5ca8f113e534f6fe

SHA1
cac50155ccdca1b9afb5b00714552b060e20fdde

SHA256
506a760749aba88e9e1f2f72a396f2cca68c9777c253b7efa57288a87329e51c

SHA512
77890d8d00a2d74124c5ca09aaeb9b733c0dbc1b3a182db04cf020d8557644bbee059a7b07048f61f676121dfc79c1639ad2144b89e14f2f558864b781781b3a

Download Submit
memory/1168-69-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4024-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4024-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4080-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4080-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4080-14-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4080-180-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing