cycbot | 18c9bddd29d170371f5658fcc4a848f457c417983038d48ff391cb09a33f65ff

General

Target

JaffaCakes118_7c981c04bba0c25311f3b068b5de8957.exe
Size

185KB
MD5

7c981c04bba0c25311f3b068b5de8957
SHA1

b69217838fb48dbf43a89e3b02b4f46ba7dca0d2
SHA256

18c9bddd29d170371f5658fcc4a848f457c417983038d48ff391cb09a33f65ff
SHA512

448f8e51948028964ac0603452d2181d54ce396d075bbdc32ab74ae196e774dc8d4c36315639d423b14e63223977d6f351b5eb5a4e55a99916425c6f649e8a44
SSDEEP

3072:CFkGPUL3oIEbXDuGtIXZ6OPKQmLo7xw87sXAICyEVHd+u8htw:hKULYIE3u8IXZ663mEW8ByWRn

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4616-13-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1904-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1904-15-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/2104-76-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1904-179-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1904-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4616-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4616-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1904-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1904-15-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/2104-76-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1904-179-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7c981c04bba0c25311f3b068b5de8957.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7c981c04bba0c25311f3b068b5de8957.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7c981c04bba0c25311f3b068b5de8957.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 4616	1904	JaffaCakes118_7c981c04bba0c25311f3b068b5de8957.exe	82
PID 1904 wrote to memory of 4616	1904	JaffaCakes118_7c981c04bba0c25311f3b068b5de8957.exe	82
PID 1904 wrote to memory of 4616	1904	JaffaCakes118_7c981c04bba0c25311f3b068b5de8957.exe	82
PID 1904 wrote to memory of 2104	1904	JaffaCakes118_7c981c04bba0c25311f3b068b5de8957.exe	87
PID 1904 wrote to memory of 2104	1904	JaffaCakes118_7c981c04bba0c25311f3b068b5de8957.exe	87
PID 1904 wrote to memory of 2104	1904	JaffaCakes118_7c981c04bba0c25311f3b068b5de8957.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c981c04bba0c25311f3b068b5de8957.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c981c04bba0c25311f3b068b5de8957.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c981c04bba0c25311f3b068b5de8957.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c981c04bba0c25311f3b068b5de8957.exe startC:\Program Files (x86)\LP\2CC1\F46.exe%C:\Program Files (x86)\LP\2CC1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4616
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c981c04bba0c25311f3b068b5de8957.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c981c04bba0c25311f3b068b5de8957.exe startC:\Users\Admin\AppData\Roaming\1EE71\9E42C.exe%C:\Users\Admin\AppData\Roaming\1EE71
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1EE71\13B6.EE7

Filesize
1KB

MD5
2bdcd4fcf9068315bc79734471c48ad6

SHA1
09c27fc5e3dc052722cf93770e2fe1e6bab967e3

SHA256
45bb9b149324319fda92b976ac1405d09a955478d4a5e346e20bc840eb3e5b52

SHA512
7bb46b1ca9ab73ac900d44d27bab9825aee45821fcf118b2911b990313efce445622268e33fc1f04657d82e6e1f112180b187283b9f0f4cdccfd39945fdd64f8

Download Submit
C:\Users\Admin\AppData\Roaming\1EE71\13B6.EE7

Filesize
600B

MD5
40a445f14a41ee8b53da08f808181904

SHA1
2fd63bee0930d22772e4f210e773f8aae93e2d7a

SHA256
7f97716805f4d44ad29a02b8110acc97536b1166637ee09858e954e1c18040c8

SHA512
53636c396e2847dd9d42db8ddd6a6e6c6a93238438596b470c5a57840ee6259c51a7583b852781faf8d5f842622ffc261338bc15f026de941657ff9c08eff991

Download Submit
C:\Users\Admin\AppData\Roaming\1EE71\13B6.EE7

Filesize
996B

MD5
934ae43e7f9dedbd14473408c834f602

SHA1
486cc1d31aa6e1e87a056f6a30f8fcdffcda2307

SHA256
51cb4c0596798116089eae033cf7dcc9af42bc5d0fb15a7f892f6b981868cbd9

SHA512
90eeb2686ea5bb5e4edf71346b3c460df7fe9a0130f558d146889f048a8f54aaf772a6872732b8cbda864cff2016d69b49333a6a0908d8fc2ba4980b861a459d

Download Submit
C:\Users\Admin\AppData\Roaming\1EE71\13B6.EE7

Filesize
300B

MD5
4191c00a8d54bf29afb374bd1213dbab

SHA1
e4d68e63ce79710ef6bfa965759ff52e24915aaf

SHA256
ea68c4e8658e73e6afb52fd45ecdbae887326d7924d1db6c0c36aa188eb33795

SHA512
de61e51f7ae6c91e3197bd68d7cebb326fa0ec0a3f140a90670b9a5d365b19e1db4e014c07afc233c8c5963b2645116897071185a1de055221c24d47f6e3db28

Download Submit
memory/1904-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1904-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1904-179-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1904-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1904-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2104-76-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4616-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4616-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4616-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing