cycbot | 24f498ccacefdc17908286f5a32ece287150d04a86962bfdfcf596f7550454b6

General

Target

JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe
Size

186KB
MD5

4e04ae53c23c85b945326296df72f5bf
SHA1

30aad14448cc6e4b726965f4903b14f66e81ccbd
SHA256

24f498ccacefdc17908286f5a32ece287150d04a86962bfdfcf596f7550454b6
SHA512

e564fac511659910e86b497e5a3301fe054cea356b3181d0213224f7fd5ee6d345427977c273310043425c4ee203270ca2c37174a82e107a767a3f48676c041c
SSDEEP

3072:y2Gc/zzK8pXIhEjGANCwjwsiXQrApPen4asY5Kb512gJAYMeEa4Wq7vZ6JOkm1P:T3zzKj6/NCwjpiwJsCKZAYMeEa4NZ6X+

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3896-13-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/4032-14-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/4032-15-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/4948-101-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/4032-260-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4032-2-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3896-12-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3896-11-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3896-13-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/4032-14-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/4032-15-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/4948-101-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/4032-260-0x0000000000400000-0x0000000000454000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 3896	4032	JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe	90
PID 4032 wrote to memory of 3896	4032	JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe	90
PID 4032 wrote to memory of 3896	4032	JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe	90
PID 4032 wrote to memory of 4948	4032	JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe	98
PID 4032 wrote to memory of 4948	4032	JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe	98
PID 4032 wrote to memory of 4948	4032	JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe	98

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe startC:\Program Files (x86)\LP\49F2\9EA.exe%C:\Program Files (x86)\LP\49F2
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3896
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4e04ae53c23c85b945326296df72f5bf.exe startC:\Users\Admin\AppData\Roaming\26907\07D49.exe%C:\Users\Admin\AppData\Roaming\26907
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\26907\79AD.690

Filesize
996B

MD5
50bdc575b978bcc85f47de50c9c786fc

SHA1
feea96f61f32c6fca4c521a7cd6f41f96df4e536

SHA256
6d118adf0f5332a01296e525cbb0b643ce393b051fe2cb36e9a29457ba210bba

SHA512
25d1b58cae2f928b3cd704007d400b78079486dcfe2360d233c22be6b921df1a5c70dbc6e1eb47bec15a0b0ff763a4c41722141859508792f43b0ae63df4f70c

Download Submit
C:\Users\Admin\AppData\Roaming\26907\79AD.690

Filesize
600B

MD5
534978a93da49467b177e3fed9ee88b5

SHA1
92aea43253a194dcea4e5ef9386f82a6acd70a45

SHA256
65b649bee3c9b0197089d011a104486c92d15ed0d0ff39065a3c86a13c77ff3d

SHA512
cc1e8dfebfe8e80f09fb28ccdd9dfe60a7453d19fd30e0aa7dcd1ad468fb2c6b5b41d0757d99a9a47c9478abd332a86be6d2b7c403c3ac657ae11ec7e8e6e2ba

Download Submit
C:\Users\Admin\AppData\Roaming\26907\79AD.690

Filesize
1KB

MD5
fb2eefb2b9d40a0e8f88913f6637a6d0

SHA1
56c4303b00f26921bcdf60a1f5726f39a46848ac

SHA256
c22b7b6b79966965b7414b8218cf6c26dbc8a6152218097f5bff50ab8bc64dc2

SHA512
207fd85e2a687d333f7c1d51f84e537a4712e491d13ba5b1795bbc9b2669aa2f6e73f5a438a254eec8ba16a4d3089ccd12c291db473ee811353f5c9c75dabff0

Download Submit
memory/3896-12-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3896-11-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3896-13-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4032-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4032-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4032-14-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4032-2-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4032-260-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4948-100-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4948-101-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing