cycbot | 28f755ee09403f7d12897917571bdabe00bdc0a973602fd5cd57a18586bcbfce

General

Target

JaffaCakes118_8c3c470d2ab3226e15fbca396c6981b9.exe
Size

180KB
MD5

8c3c470d2ab3226e15fbca396c6981b9
SHA1

a4767fe04a18acd6e60e8d7f1ce81b2d3e4d664c
SHA256

28f755ee09403f7d12897917571bdabe00bdc0a973602fd5cd57a18586bcbfce
SHA512

a88b6aee9594fed50042ea7bf9d4f9e926fc2e2f8299d6d5324a84e973254cb139f513b9e84c04fee748d366328ea5b2abee9639039136d14b2b06f2e17a9a8b
SSDEEP

3072:hYu2CbH1bilWJILB0NpHKgWXnog3B+UsvSYBO6tCDBWpy2NUdnB:hF2CxIWSLBEcRXr+UASYBOYK2CdB

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/672-20-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/3044-21-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/3044-22-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/4880-132-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/3044-303-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3044-3-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/672-18-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/672-19-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/672-20-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3044-21-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3044-22-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/4880-132-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3044-303-0x0000000000400000-0x0000000000454000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8c3c470d2ab3226e15fbca396c6981b9.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 672	3044	JaffaCakes118_8c3c470d2ab3226e15fbca396c6981b9.exe	84
PID 3044 wrote to memory of 672	3044	JaffaCakes118_8c3c470d2ab3226e15fbca396c6981b9.exe	84
PID 3044 wrote to memory of 672	3044	JaffaCakes118_8c3c470d2ab3226e15fbca396c6981b9.exe	84
PID 3044 wrote to memory of 4880	3044	JaffaCakes118_8c3c470d2ab3226e15fbca396c6981b9.exe	90
PID 3044 wrote to memory of 4880	3044	JaffaCakes118_8c3c470d2ab3226e15fbca396c6981b9.exe	90
PID 3044 wrote to memory of 4880	3044	JaffaCakes118_8c3c470d2ab3226e15fbca396c6981b9.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c3c470d2ab3226e15fbca396c6981b9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c3c470d2ab3226e15fbca396c6981b9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c3c470d2ab3226e15fbca396c6981b9.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c3c470d2ab3226e15fbca396c6981b9.exe startC:\Program Files (x86)\LP\B83B\B6C.exe%C:\Program Files (x86)\LP\B83B
  2⤵
  PID:672
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c3c470d2ab3226e15fbca396c6981b9.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c3c470d2ab3226e15fbca396c6981b9.exe startC:\Users\Admin\AppData\Roaming\B27F7\85BB8.exe%C:\Users\Admin\AppData\Roaming\B27F7
  2⤵
  PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B27F7\78D8.27F

Filesize
597B

MD5
fda0b62040c8ee6e3e16ba3fe62df199

SHA1
45c9bcea0ae1162ee655d5a8472bb86fb503d0b6

SHA256
0ab06663ae1b5f646a78c8db1f37f1f1a8f21bf2049f71dc97e1d84bdc612e80

SHA512
b461a88ec5ce1bbef7b75ae2a3ed637d7dbc35c69db428a7fd1c1082047a81c59371c358e5b46be7d81ebf7cd4a928e82233bba86dd89dbf3524486ae406eeb4

Download Submit
C:\Users\Admin\AppData\Roaming\B27F7\78D8.27F

Filesize
1KB

MD5
b2285e71dc57c6eb339ea17fee1e5a69

SHA1
5d02fed122fbf54bff02abf1b1ff2f8108d40b4f

SHA256
2155ea03afd7de7659e8f8e33e22ea990213ae70438f1a1bb42ffd0a0833b5ef

SHA512
0c9f0230e02078b51fd149abcd19882ee1de5e52025f935a9180d6f701f0bd9d057a283cead15394e2bd6d51c45be53d43280611584ac6a0c43f212b63f2017f

Download Submit
C:\Users\Admin\AppData\Roaming\B27F7\78D8.27F

Filesize
897B

MD5
4abef207cb3e86a01ab6f8de243cec26

SHA1
9cc0fc9bcac48a3ffd9f035827b688107a4f9dd2

SHA256
3b9acef7cbdeba58d3d3f302cbc08417b26978db7f9b4e2f847cbb31878cd4ac

SHA512
3b38948c03698d6c5de4355604a2c3fb70002feb38f73e28c0f780df2b990c55a31e4f6c0bd929e12c7b74416a4c64758901730783632968e08f1cb10ab37f7e

Download Submit
C:\Users\Admin\AppData\Roaming\B27F7\78D8.27F

Filesize
1KB

MD5
0bf52f92195fa76c6fbafd66bc1ccdfb

SHA1
510e5023da54a7e4bb2c3741e33a924603cf1144

SHA256
941c5bfc59bb199fe0c833b232c9b30a82c13588d23edc6a5a4238ed39354854

SHA512
b7936b8ab12c5a4079eb6fb6c8e1e9eb789e8a37cad78527dfdf608be60c11a2b6a7ec7495bd70bb29579c74dafa7d3de01197ab56da8073fd7d77a297c63458

Download Submit
memory/672-18-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/672-19-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/672-20-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3044-3-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3044-21-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3044-22-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3044-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3044-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3044-303-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4880-132-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing