cycbot | 1cac94b28c9f606fc435ef9cc5a03b9931711bbe26abb5e76a61a29f506606bb

General

Target

JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe
Size

178KB
MD5

70ab80e5a6464ffb9503e297e92505e1
SHA1

3a6bcdfdfecd3116170d7f0d94f0535268fcf982
SHA256

1cac94b28c9f606fc435ef9cc5a03b9931711bbe26abb5e76a61a29f506606bb
SHA512

f566caf74cd31c6ede6bbd660145311ba0db9e2283265b998579e0b6f80eff5ffdb9f0e06b3db4c66564bdab496003359c6fb31ea8789af02e6fe2bdb3ab935d
SSDEEP

3072:jl7Yqtak+8h/a3mY+2mufP/KzeN65azCFfDQhovWuRXomTsQLntHExnoCT9d4CV3:h7YqAk5h/a3mY+Z06aNzCVDQhoh7tBEj

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2588-16-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/4332-18-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/2588-20-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/5080-124-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/2588-292-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2588-4-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2588-16-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/4332-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4332-18-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2588-20-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/5080-123-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/5080-124-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2588-292-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 4332	2588	JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe	84
PID 2588 wrote to memory of 4332	2588	JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe	84
PID 2588 wrote to memory of 4332	2588	JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe	84
PID 2588 wrote to memory of 5080	2588	JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe	95
PID 2588 wrote to memory of 5080	2588	JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe	95
PID 2588 wrote to memory of 5080	2588	JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe	95

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe startC:\Program Files (x86)\LP\7E01\CA3.exe%C:\Program Files (x86)\LP\7E01
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4332
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe startC:\Users\Admin\AppData\Roaming\1E57F\9217E.exe%C:\Users\Admin\AppData\Roaming\1E57F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1E57F\F939.E57

Filesize
996B

MD5
2d33fbe88689269dd95f08977159fe7d

SHA1
7f4d1fee889451e80c94cd5e5290765589d5907b

SHA256
038bb6697abb6f4d42f90a8b197afadaa5c728acac804c0e19a9baf31b995414

SHA512
5d4820413c71b17cdbe170b63ae06e3b5daeabec3de2b205a7e524cf3f932a6278dbdf13b333e33b1957561925261685d5484e6223fb8b731ecb59320a676325

Download Submit
C:\Users\Admin\AppData\Roaming\1E57F\F939.E57

Filesize
600B

MD5
9249d8c49985c13ed3b128ec1cc892c6

SHA1
9c2cd9adc4bbd87d4343b00291b15e7530d7d677

SHA256
b43ded653cda3b35aa9b7ed2956c70b5bd0063e26ff191cde1900664a671a128

SHA512
a8f5d471f733128e464d071cbda31a0496f24e72526d4c67b3c642458ef8b485f2e6cd595510e256f8f9e8bc20d6ae027669f559044d4b48b215f029592ad41d

Download Submit
C:\Users\Admin\AppData\Roaming\1E57F\F939.E57

Filesize
1KB

MD5
2a87d2faff40d2a3a4bb145ff4b03a59

SHA1
0c01d4f46b2e358b31cddc1b075c7a718dab6a80

SHA256
dfab8d18313336ad7b13948a8e596832a3ec56fce56d7fe275a39dce2f67e9d4

SHA512
c5835864ea212e7850362b4b71797922a8c2fb139840c01b621714e63eca4f6eb046068741f7f981ebd3f3247e1f0f559a5cda1fdaa50de89d0c197a405858bf

Download Submit
memory/2588-1-0x0000000075360000-0x0000000075399000-memory.dmp

Filesize
228KB

Download
memory/2588-3-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2588-4-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2588-293-0x0000000075360000-0x0000000075399000-memory.dmp

Filesize
228KB

Download
memory/2588-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2588-292-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2588-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2588-20-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4332-18-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4332-19-0x0000000075360000-0x0000000075399000-memory.dmp

Filesize
228KB

Download
memory/4332-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4332-13-0x0000000075360000-0x0000000075399000-memory.dmp

Filesize
228KB

Download
memory/5080-123-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/5080-124-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/5080-125-0x0000000075360000-0x0000000075399000-memory.dmp

Filesize
228KB

Download
memory/5080-121-0x0000000075360000-0x0000000075399000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing