cycbot | 6511c7451d8c45ad25111e6488bdf7d2ce0f0d91d5d37dbee82a16e738e3b04d

General

Target

JaffaCakes118_7dc18ea3968011baae13911dbfdbc7a4.exe
Size

192KB
MD5

7dc18ea3968011baae13911dbfdbc7a4
SHA1

c40f3ee72d6439a5aea08624b24d8b5d8113a26c
SHA256

6511c7451d8c45ad25111e6488bdf7d2ce0f0d91d5d37dbee82a16e738e3b04d
SHA512

06b3a2239cbf9eff0399d600c16980012396075e136e3b2548b9fadc4c89d2eb2800b34a7b6f581a310d8590a199117f5ac6d4ee7144a5a8940db253ab6877a0
SSDEEP

6144:m3EJLSL/1FuwlymAZc+Jv7FIq4NxevIanpYXQl:YEJLQ/1wo/qrgxevIanpJ

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2616-11-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1204-12-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4112-77-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1204-187-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1204-1-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2616-11-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1204-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4112-77-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1204-187-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7dc18ea3968011baae13911dbfdbc7a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7dc18ea3968011baae13911dbfdbc7a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7dc18ea3968011baae13911dbfdbc7a4.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2616	1204	JaffaCakes118_7dc18ea3968011baae13911dbfdbc7a4.exe	83
PID 1204 wrote to memory of 2616	1204	JaffaCakes118_7dc18ea3968011baae13911dbfdbc7a4.exe	83
PID 1204 wrote to memory of 2616	1204	JaffaCakes118_7dc18ea3968011baae13911dbfdbc7a4.exe	83
PID 1204 wrote to memory of 4112	1204	JaffaCakes118_7dc18ea3968011baae13911dbfdbc7a4.exe	85
PID 1204 wrote to memory of 4112	1204	JaffaCakes118_7dc18ea3968011baae13911dbfdbc7a4.exe	85
PID 1204 wrote to memory of 4112	1204	JaffaCakes118_7dc18ea3968011baae13911dbfdbc7a4.exe	85

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7dc18ea3968011baae13911dbfdbc7a4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7dc18ea3968011baae13911dbfdbc7a4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7dc18ea3968011baae13911dbfdbc7a4.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7dc18ea3968011baae13911dbfdbc7a4.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2616
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7dc18ea3968011baae13911dbfdbc7a4.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7dc18ea3968011baae13911dbfdbc7a4.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F72B.14D

Filesize
600B

MD5
96a88e1036e7b44dc8cfc6a23550f1a3

SHA1
4ffc09cf6b613292d595b986571bd24f00101590

SHA256
e908fa4f874ffe16d09192727a3826c62791b8e6964aec35faf01026df7b5994

SHA512
52b7c15b076e7b99c486c4a68786c8b7bd7442c473a155341ed8d243ec3014571a1459a813671e42a1f7763da4fd72c5b62f5d5ca30a3d796d18af8cd60ed6a7

Download Submit
C:\Users\Admin\AppData\Roaming\F72B.14D

Filesize
1KB

MD5
08a4fab36bf3783e61a0d34502ffba30

SHA1
571d44a9cc19c526b1d6373e2d9f7f9d09b4c8ee

SHA256
3c8ef2b2fd3aea25b03fc74d0b165d6dc13544f4ca404b7cc4e47521bd570601

SHA512
4327fccd623ce4ac03eb91cbba108a9f38679ac34ab652d8a0d8cc4a6097208410178e179a2724f455652de1f4de08ec4cb2aebda84ced85491e86ef447c7caa

Download Submit
C:\Users\Admin\AppData\Roaming\F72B.14D

Filesize
996B

MD5
7f64c375316a8d6b7956d3c50bce2f13

SHA1
789f57dd4cca93b70b0624e7bb72b77a2d22437f

SHA256
e03b997c71d0a593cc384e0099eb82aa9fc7d51c819fa0d718e2d8888b42907c

SHA512
d987ecfe3a29babb79dc387c5fc48780ba545c23a0f700b41caaff49f272136d96142be5af740403867f441ed0288334ebcada8ea70318bd3d659a97138b6555

Download Submit
memory/1204-1-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1204-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1204-187-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2616-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4112-75-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4112-77-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing