cycbot | a3e1a94b736bc9d8c180747920b6700ef3dfe5764b920ec8798dd97055ab8f47

General

Target

JaffaCakes118_49c246c901fe43763bb0d4b427af132a.exe
Size

171KB
MD5

49c246c901fe43763bb0d4b427af132a
SHA1

1ca81d7ff46a1c029b8174732be1b44e0c26a25c
SHA256

a3e1a94b736bc9d8c180747920b6700ef3dfe5764b920ec8798dd97055ab8f47
SHA512

16fcfad04965d4572f1cf517c5ac9e54b6bddd6999a1a1f2207f2b0aad5d8d47f4d6aedb595b1c2c915ef57c81d135f88d5500fcba69a224e1e579b198065049
SSDEEP

3072:DSl/g5OWnlF/ABgkKYOoJlAmrQIfO4lMMrbWV:uZgln7ABXKY3QqpHrb

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/412-13-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral2/memory/5112-14-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral2/memory/2904-84-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral2/memory/5112-196-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5112-2-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/412-13-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/5112-14-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2904-83-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2904-84-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/5112-196-0x0000000000400000-0x000000000046B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_49c246c901fe43763bb0d4b427af132a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_49c246c901fe43763bb0d4b427af132a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_49c246c901fe43763bb0d4b427af132a.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 412	5112	JaffaCakes118_49c246c901fe43763bb0d4b427af132a.exe	83
PID 5112 wrote to memory of 412	5112	JaffaCakes118_49c246c901fe43763bb0d4b427af132a.exe	83
PID 5112 wrote to memory of 412	5112	JaffaCakes118_49c246c901fe43763bb0d4b427af132a.exe	83
PID 5112 wrote to memory of 2904	5112	JaffaCakes118_49c246c901fe43763bb0d4b427af132a.exe	85
PID 5112 wrote to memory of 2904	5112	JaffaCakes118_49c246c901fe43763bb0d4b427af132a.exe	85
PID 5112 wrote to memory of 2904	5112	JaffaCakes118_49c246c901fe43763bb0d4b427af132a.exe	85

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_49c246c901fe43763bb0d4b427af132a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_49c246c901fe43763bb0d4b427af132a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_49c246c901fe43763bb0d4b427af132a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_49c246c901fe43763bb0d4b427af132a.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:412
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_49c246c901fe43763bb0d4b427af132a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_49c246c901fe43763bb0d4b427af132a.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D3EC.BFB

Filesize
1KB

MD5
2b3cb5f682fa36c66f95af9a96f15d89

SHA1
46eee514f76955fad0d98e0bd1a96ed4939e666e

SHA256
8e2eea70114b4b27f240b6a38f11911892119b4ef381de9b20b89c810225da5f

SHA512
5145e0e8038b560fde596e60db66f9b55895ae61ac9799a427ed76dced9d11d9381cf6efb0ee5cee13c647d3edb8ae416903f1cf199b5a1b3f79654703ebb60f

Download Submit
C:\Users\Admin\AppData\Roaming\D3EC.BFB

Filesize
600B

MD5
e3bc74d3bd9f1fe2a0ac53f9dd802a5e

SHA1
e6651c946fe27232fda91dd6f845ebe5f361206d

SHA256
477816a6b38bdee9df15da87020a65ded2c4fb177d81576b9bd8f6391b6afebf

SHA512
1d12fb6d1820ccb8aa1069fa41a4abf0c015ae49ae1a8cc7cebafe310f1d35ff6cd9cbc086d326454080e0174a05ea9b00dc58f407bb593c693078f891963c3d

Download Submit
C:\Users\Admin\AppData\Roaming\D3EC.BFB

Filesize
996B

MD5
fbc7433d26fe968b3fb3665a49f58c69

SHA1
f9238b3542add7a28b846f8bbacac00181222709

SHA256
c839cf3b7f9bb76ba28558ea38d45569db82ef7d2a9523810cb0889fe6721377

SHA512
867bbeb2f55f66422bb22278c56f52ec3a61f94985a2d221c057d24b43446220d151aaec49e9365fc9e2407b1c6e6603f26582c449ed5254806f7c558e6109e8

Download Submit
memory/412-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2904-83-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2904-82-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2904-84-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5112-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5112-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5112-14-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5112-196-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing