cycbot | 4c3ce8ccf974b1f26fe88ea11baeacfafd3bedb308045cc029c59fe594dd2171

General

Target

JaffaCakes118_6a409442ed9d7cac7a62cc4008e1b96c.exe
Size

182KB
MD5

6a409442ed9d7cac7a62cc4008e1b96c
SHA1

3e56f19450587c4e0ff0a40253821509a8c005e6
SHA256

4c3ce8ccf974b1f26fe88ea11baeacfafd3bedb308045cc029c59fe594dd2171
SHA512

d02abaaa292378d105958c67dce5f96357f8215d8f2a732f799dd4ad1019531e413272fc2d1bb27447e8f056d90ec5858ad4d41852eb48971aacf7fea2eb063e
SSDEEP

3072:pZ9kn7uk4bxzpQDyiJHp6gq6/ButZzT9C9UlzEyYqODI1VnH97oG+axt:pPDhbuHAl+Bur9CiuqO057oQ

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2672-10-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral2/memory/3440-15-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral2/memory/2284-79-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral2/memory/3440-187-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3440-2-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3440-1-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2672-8-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2672-10-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3440-15-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2284-79-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3440-187-0x0000000000400000-0x000000000046C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6a409442ed9d7cac7a62cc4008e1b96c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6a409442ed9d7cac7a62cc4008e1b96c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6a409442ed9d7cac7a62cc4008e1b96c.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 2672	3440	JaffaCakes118_6a409442ed9d7cac7a62cc4008e1b96c.exe	83
PID 3440 wrote to memory of 2672	3440	JaffaCakes118_6a409442ed9d7cac7a62cc4008e1b96c.exe	83
PID 3440 wrote to memory of 2672	3440	JaffaCakes118_6a409442ed9d7cac7a62cc4008e1b96c.exe	83
PID 3440 wrote to memory of 2284	3440	JaffaCakes118_6a409442ed9d7cac7a62cc4008e1b96c.exe	85
PID 3440 wrote to memory of 2284	3440	JaffaCakes118_6a409442ed9d7cac7a62cc4008e1b96c.exe	85
PID 3440 wrote to memory of 2284	3440	JaffaCakes118_6a409442ed9d7cac7a62cc4008e1b96c.exe	85

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a409442ed9d7cac7a62cc4008e1b96c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a409442ed9d7cac7a62cc4008e1b96c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a409442ed9d7cac7a62cc4008e1b96c.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a409442ed9d7cac7a62cc4008e1b96c.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2672
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a409442ed9d7cac7a62cc4008e1b96c.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a409442ed9d7cac7a62cc4008e1b96c.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6237.875

Filesize
1KB

MD5
c067ab606c99b6ea4f8df08902662959

SHA1
73d9a08a6d54b7f770d9311101c611e673858620

SHA256
61c63c096e7aa2b43eb48095678763e05598d98fa0078692ba527b8c1e21e6ea

SHA512
9d7a5dc1cadc1e9276c7d775fdc62cb8ace709f309fec571a795091f6efee0ec727189f60c09ef4b4fdbf7781d70ad8ea592d946e2c2b02b7f14c9a1c74ea117

Download Submit
C:\Users\Admin\AppData\Roaming\6237.875

Filesize
600B

MD5
ea32b4a0f7440ec25670e2399bb89c84

SHA1
90ed5277c28c391cc8f6476d51e4aca6abc34d57

SHA256
d71218e69c9b0dc8cfdccdcc20c799f4aee7b4f55f58662acd41d8e7f13ae16d

SHA512
e20a57d0250c6528be4040fc171259ad19fa0daac8fd7d8f0496ab6eff21b858acb429132f3fea620a1b9b5539087b0a954d23029fb9f05a752622acc97d8326

Download Submit
C:\Users\Admin\AppData\Roaming\6237.875

Filesize
996B

MD5
c6070e88228525808cadb414b4ad4954

SHA1
168e494997e74a04ab2beec89ace8f69a16bdb6c

SHA256
4609e1c4acf807d876378c841272854e2dde1e20ea80e4e1052730a863966c59

SHA512
1ef3d4b5f79ed541a83ade93342262235da8ce3ce29a2fc2772a6139a68e6daa7c35491bb571a64a6bce85cbc8c6fa2b23cd5a4e4ffb1803c6e808fc30112bf8

Download Submit
memory/2284-78-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2284-79-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2672-8-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2672-10-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3440-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3440-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3440-15-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3440-187-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing