cycbot | 19e2bae08d547849782f25e89992c03c39d8d0b0e2c310a5ea741b410c2a1120

General

Target

JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe
Size

184KB
MD5

73b5f3d1d62035df6a6ce6e019fde726
SHA1

d6650d61877e51cb5e3fd080960a17e068c578e0
SHA256

19e2bae08d547849782f25e89992c03c39d8d0b0e2c310a5ea741b410c2a1120
SHA512

671839cbcf892b0aa19c6a2eab6576b2372ab0cc20650aba86ad857ff0f8054fceffa9891abdfbd0313a23f77cc7f00ce3a18f0a803981b4a0a1d5ab21c93c94
SSDEEP

3072:GdP0a1jUBuWgxNtvfKlUiUZtR7x0nWZnEHBGPNqKzdjkinashk/QQfRJ149G8rY4:YYNgBt16nWZn6uNqmdvk/JRJW9tY4

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/540-13-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/3852-14-0x0000000000400000-0x0000000000451000-memory.dmp	family_cycbot
behavioral2/memory/3852-15-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/3944-76-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/3852-178-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/3852-179-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3852-2-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/540-13-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3852-14-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral2/memory/3852-15-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3944-75-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3944-76-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3852-178-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3852-179-0x0000000000400000-0x0000000000454000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 540	3852	JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe	82
PID 3852 wrote to memory of 540	3852	JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe	82
PID 3852 wrote to memory of 540	3852	JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe	82
PID 3852 wrote to memory of 3944	3852	JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe	83
PID 3852 wrote to memory of 3944	3852	JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe	83
PID 3852 wrote to memory of 3944	3852	JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe startC:\Program Files (x86)\LP\0B07\619.exe%C:\Program Files (x86)\LP\0B07
  2⤵
  PID:540
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe startC:\Users\Admin\AppData\Roaming\797BB\97B0B.exe%C:\Users\Admin\AppData\Roaming\797BB
  2⤵
  PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\797BB\B113.97B

Filesize
1KB

MD5
565d6a0ef5fb4d13f476214e70e2e88a

SHA1
3160132c26dd306952ce25122f601ca171c7629b

SHA256
8812365aa40764e0353a6fbe7cb87a3bf7cb7f6f1e60e436e54ceaf3b77d7e9b

SHA512
b5c75325e8d781c8f2286d5f6230bd53acf896519914dc854ccbab6991a557127c13e32f12c4c1153b9553ae8f31320f289f3c054b0b5a624a82f707110e241c

Download Submit
C:\Users\Admin\AppData\Roaming\797BB\B113.97B

Filesize
600B

MD5
e6558b3068c751d5efb948d90367a6f2

SHA1
cbefb7951ae221b2ca25559ef5548279861b3c2f

SHA256
8e49e25534bb90c1d0e1fe8468598cc8578746dc8341747696c3122db74efe08

SHA512
b95967a42d732f882694d4bafafea588a90f838daac09e6e5f9086690b113809300f083495d69d257a6cbd038867cf8a9fcf4bcabe24cbefb82376796c0f4582

Download Submit
C:\Users\Admin\AppData\Roaming\797BB\B113.97B

Filesize
996B

MD5
60eec76dfc2257deb570814d95065596

SHA1
b852eaf26829011d93ac71d5292e774c24a02811

SHA256
79e3e75e700704b588ecd88127fac482339816e10661456580c3fa8e1414f7d0

SHA512
a115c665f0d72cb3381e1b99bf98027ed6ad880a27e66101758b43dcd31bee924d1222c9dd236680a160c09d426a8c5fc7ef65e3ca714dc1ed9d46644733d5bc

Download Submit
memory/540-13-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3852-14-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3852-15-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3852-1-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3852-2-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3852-178-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3852-179-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3944-74-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3944-75-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3944-76-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing