cycbot | 295db97f63e0989f1702f576242b601950c26fe0d40c21571102bd22b2cf9b3c

General

Target

JaffaCakes118_3f42737f1251688be21161e5c3257552.exe
Size

189KB
MD5

3f42737f1251688be21161e5c3257552
SHA1

4882cf826953c6aa1f3bf01119bb7a498ec662b9
SHA256

295db97f63e0989f1702f576242b601950c26fe0d40c21571102bd22b2cf9b3c
SHA512

cd453396acd576136b75d30cb027721abebf2d7721d23b92f043362490633792b4b6eb62b1082c94b388343c8f4f8c3a07f376e2c01543c2874b7c67db7cc8d2
SSDEEP

3072:ZdwTJAxGf89jWR+9j+ur6jIuSMx4GdXM+msPEErSiMjULpKFXeylX1/yKhJAKulh:gTJAxw81WAXuneGFM/sMEeH8pK5NVyKM

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3164-13-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/3156-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/3156-15-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/1448-86-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/3156-179-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3156-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3164-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3164-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3156-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3156-15-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/1448-84-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1448-86-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3156-179-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3f42737f1251688be21161e5c3257552.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 3164	3156	JaffaCakes118_3f42737f1251688be21161e5c3257552.exe	84
PID 3156 wrote to memory of 3164	3156	JaffaCakes118_3f42737f1251688be21161e5c3257552.exe	84
PID 3156 wrote to memory of 3164	3156	JaffaCakes118_3f42737f1251688be21161e5c3257552.exe	84
PID 3156 wrote to memory of 1448	3156	JaffaCakes118_3f42737f1251688be21161e5c3257552.exe	90
PID 3156 wrote to memory of 1448	3156	JaffaCakes118_3f42737f1251688be21161e5c3257552.exe	90
PID 3156 wrote to memory of 1448	3156	JaffaCakes118_3f42737f1251688be21161e5c3257552.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f42737f1251688be21161e5c3257552.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f42737f1251688be21161e5c3257552.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f42737f1251688be21161e5c3257552.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f42737f1251688be21161e5c3257552.exe startC:\Program Files (x86)\LP\E937\873.exe%C:\Program Files (x86)\LP\E937
  2⤵
  PID:3164
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f42737f1251688be21161e5c3257552.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f42737f1251688be21161e5c3257552.exe startC:\Users\Admin\AppData\Roaming\72E72\AEBE9.exe%C:\Users\Admin\AppData\Roaming\72E72
  2⤵
  PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\72E72\261F.2E7

Filesize
1KB

MD5
16de35749459416512b4b8c6613bd3c5

SHA1
4db0650a49dd574182d81fa2c43d39a07f9666d6

SHA256
31cd39f3a6e658ad9ec63cb2677e086093971678342e23af3beb2d065c9ee9b1

SHA512
2e23f80983d3662044411f08b5670d2207a3e9e227a2a3e5d9f8c132a30cb9447d563be79af26b0282de0005eb4f0ebaf44a15fe633fdf23374f2267e834d073

Download Submit
C:\Users\Admin\AppData\Roaming\72E72\261F.2E7

Filesize
600B

MD5
52c65b5e7047c48f810a0b02f7192ed1

SHA1
e185647d80d7b05d274515a52793d0cbc0256cf2

SHA256
5689d2cfbdcdcaea0193d6694237faad3d505c253cc87be22669110cd7f4eb9c

SHA512
a4ae36488067b2d522cb47b58fdd66da69039100b9cb7e69bb262e4112741f575eb5702f5649c1559f9629412a7e042efa030b5692ff25400dfe4ae947f877bf

Download Submit
C:\Users\Admin\AppData\Roaming\72E72\261F.2E7

Filesize
996B

MD5
9951825b0c2cfc90f74f7cbfdc50ff7e

SHA1
eb242b55940a0254045c77fa7ffc492e3b69b721

SHA256
32bf16224b69b18d683270a4d2e025e928b1af697f66564683a6df423081e914

SHA512
175a0274e3f3825c9d5884473cbf1425c23d538feeee99b0db8a791880f2b1cd7793eaed90202f6bac44cb26ea0f47fa73e7e4138838fdc3e2ac373981267081

Download Submit
memory/1448-86-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1448-84-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3156-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3156-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3156-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3156-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3156-179-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3164-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3164-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3164-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing