cycbot | 278f84565d879538acce3295e0257515ec856ebba85cc5aade3ec6b8c4f09230

General

Target

JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe
Size

180KB
MD5

7d54f09d2cd3220d3794dc738fbde3ae
SHA1

130a3e621f60338da373d8dc2b812a4bd938113d
SHA256

278f84565d879538acce3295e0257515ec856ebba85cc5aade3ec6b8c4f09230
SHA512

0132849efe2008610130ff75258661f6a10b5babdb796558c309a215cb2b61467efd7dc672e9b1d4925d37bb3305e2cd6215bef39000c58dd0823c825a5f8b35
SSDEEP

3072:e/oHwqvsl1URuMthYIM2EfqsftIYkGJIurF0eTuVSPChNUmt+QYCZ5RsuT/:e/C0l14uS3ofJIurF0VVSKzUmt+hikur

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3728-19-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4116-20-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4116-21-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/2584-128-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4116-291-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4116-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3728-18-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3728-19-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4116-20-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4116-21-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/2584-127-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2584-128-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4116-291-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 3728	4116	JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe	84
PID 4116 wrote to memory of 3728	4116	JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe	84
PID 4116 wrote to memory of 3728	4116	JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe	84
PID 4116 wrote to memory of 2584	4116	JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe	95
PID 4116 wrote to memory of 2584	4116	JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe	95
PID 4116 wrote to memory of 2584	4116	JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe	95

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe startC:\Program Files (x86)\LP\504C\11E.exe%C:\Program Files (x86)\LP\504C
  2⤵
  PID:3728
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d54f09d2cd3220d3794dc738fbde3ae.exe startC:\Users\Admin\AppData\Roaming\CB6B4\73050.exe%C:\Users\Admin\AppData\Roaming\CB6B4
  2⤵
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\CB6B4\4431.B6B

Filesize
597B

MD5
e32f784d9b41057aac447b431744ce07

SHA1
ee1aaa34f0c0a117900523725262c6512fd1d658

SHA256
cd49381fc7cdf5b8ef6cc5b45b1c97e2cb015e77ef210dc41c70ac71fb94d173

SHA512
c08d917f84d8bb26255e0f5ec6278f3081923430174df5f7ab3c5df4be1b278b276a37abe7836ebabf37160dfaffc49ce3a2dfe7118faa8a0e4f4dfedff6b3d0

Download Submit
C:\Users\Admin\AppData\Roaming\CB6B4\4431.B6B

Filesize
1KB

MD5
2cd653cdd88a1cfcee095f9f0fc856c3

SHA1
10b9b859e8373fb91c0644f9d0619c4a186d4cc0

SHA256
aad4feef7c44dcd735a915fb99426103ec074c4dc59820fd0c427b616fbc7e94

SHA512
928e4b6fc9117ef6340a898adec6834bf14b5ccda5f4a2290ffa72455aaa3cbf94e72f014f0079e490e352898e5a39b73b496eaa318afde322fedd2e481ddc13

Download Submit
C:\Users\Admin\AppData\Roaming\CB6B4\4431.B6B

Filesize
1KB

MD5
5cf625d69d06b91a0fb0b9b187543e4d

SHA1
4dcd316f2c3f110447e3d4fba88836bb79a24132

SHA256
5e4688de50fa6004710fcfa3cb51bf677d9556b4db08bd142683662b355f0c84

SHA512
64c92662d42d3725e0baa0d169bf5b4b397de0a80e2672e62e80d6a04afc075fec0bbf87fdf039b0c3cf39c4efb17b4919c26a12aa9d26a2ed21bfbf9e859259

Download Submit
C:\Users\Admin\AppData\Roaming\CB6B4\4431.B6B

Filesize
897B

MD5
407002d68db47efdef406b720cc73df4

SHA1
2135d7cbc129573d5b7085ba0739dcd275eb07de

SHA256
990fceb1220db40749b9d4369c439ba1c647a9c8e1c9353cc2c1302c46e55778

SHA512
30ee91d95f8fb62fc9b2d655c6a2c7b7db732d9f050b4233de01dd1ceab923ea1e514491f6c83bd6cd00ee1c1a819cd7cbee5e4635949124cc40855a75dea98b

Download Submit
memory/2584-127-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2584-128-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3728-19-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3728-18-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4116-20-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4116-21-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4116-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4116-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4116-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4116-291-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing