cycbot | 18f114603640083121c1f148744e27c0d0c0af9cd25146a2b56c097df80a4998

General

Target

JaffaCakes118_8ac81173118d243b7fb270429545348c.exe
Size

189KB
MD5

8ac81173118d243b7fb270429545348c
SHA1

2a26665a81b271763ea9b23b8f04ab58d15df80b
SHA256

18f114603640083121c1f148744e27c0d0c0af9cd25146a2b56c097df80a4998
SHA512

fa1f445dac04fe349fe4fee72c99a05b7450a8e8e864f1811534ab9a40a48d8fb7a90542d8ea2cce394917ba76e8daf7fb88f543512ff1ecee2fd6b028ddd02f
SSDEEP

3072:+PuigBQ8TTwN0vQGzaKRK0hAgEgmcUSkYY2ywzO/ewgUb3pARVWP:+PVgTTTLvQuh8CzTLymOG6ybe

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2252-12-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1544-13-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1544-14-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/316-135-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1544-290-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1544-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2252-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1544-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1544-14-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/316-135-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1544-290-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8ac81173118d243b7fb270429545348c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8ac81173118d243b7fb270429545348c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8ac81173118d243b7fb270429545348c.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2252	1544	JaffaCakes118_8ac81173118d243b7fb270429545348c.exe	84
PID 1544 wrote to memory of 2252	1544	JaffaCakes118_8ac81173118d243b7fb270429545348c.exe	84
PID 1544 wrote to memory of 2252	1544	JaffaCakes118_8ac81173118d243b7fb270429545348c.exe	84
PID 1544 wrote to memory of 316	1544	JaffaCakes118_8ac81173118d243b7fb270429545348c.exe	96
PID 1544 wrote to memory of 316	1544	JaffaCakes118_8ac81173118d243b7fb270429545348c.exe	96
PID 1544 wrote to memory of 316	1544	JaffaCakes118_8ac81173118d243b7fb270429545348c.exe	96

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ac81173118d243b7fb270429545348c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ac81173118d243b7fb270429545348c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ac81173118d243b7fb270429545348c.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ac81173118d243b7fb270429545348c.exe startC:\Program Files (x86)\LP\E931\873.exe%C:\Program Files (x86)\LP\E931
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2252
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ac81173118d243b7fb270429545348c.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ac81173118d243b7fb270429545348c.exe startC:\Users\Admin\AppData\Roaming\17633\AEBE9.exe%C:\Users\Admin\AppData\Roaming\17633
  2⤵
  - System Location Discovery: System Language Discovery
  PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\17633\3EDB.763

Filesize
996B

MD5
96f0625cc0698736470b20a8783061ff

SHA1
faccf95adb18470c70f494c5d85ef41fad233543

SHA256
46fdcdc98dffa8f5d81d2d4c93ea00664cc5a841767c3bfd8088e7c795fdbbe1

SHA512
f316f76f64bd384a6ef966d51a619d85522630a8bbd1ef8fa786bcd73b7e30c065d08fedec8cbf654c7d50c547db4225eff5cfd3a8faf16dc94745833abd5e1a

Download Submit
C:\Users\Admin\AppData\Roaming\17633\3EDB.763

Filesize
600B

MD5
4651c53724d0e00a2db4c29e1febf36b

SHA1
fac988cb4341d4697f9a593c2e8327a3c68cde92

SHA256
d5da88135496a3110c05aab2ac2e507416c968d012d277c50658054b52e78565

SHA512
3c1d3df09ecd6c6944127866a191dce65e120a87f0e761d18e6431a4f784fb803e8e6dfc962135713cd9a79da6d5d7a6dca42ffd945423674a39cb5bfa78d663

Download Submit
C:\Users\Admin\AppData\Roaming\17633\3EDB.763

Filesize
1KB

MD5
ead9ef73c1e0b73ecc77f3f248ff97cc

SHA1
d4d337a959b5b2048ac5d11c60554dda440b5f66

SHA256
c69ab968cde21eb3a441063f2ed4a22d2f1ef3b418a076a8d2677e47ac0ea27f

SHA512
23fb7a1dc7887cc8c2771e8119c016f4c1f0b76b7563721c52458b5fc09056df444bed19b49d62b3fc8ac0a72aabe4f70fed22769af28d811a97d64ecbc66ec2

Download Submit
memory/316-135-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1544-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1544-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1544-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1544-14-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1544-290-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2252-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2252-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing