cycbot | a30f67a26663ebc6973317fe0354660e1b7beb4c4d8b04108a5ea3a6d3fbc9d6

General

Target

JaffaCakes118_9265ce4b240f3c281fd87c1dc632c669.exe
Size

181KB
MD5

9265ce4b240f3c281fd87c1dc632c669
SHA1

daa047702af56feb0cbbd4967a8e935222d187dd
SHA256

a30f67a26663ebc6973317fe0354660e1b7beb4c4d8b04108a5ea3a6d3fbc9d6
SHA512

3a8e82644bd1b0b890213fe6094781f1221812947913f593ef8a37310485ff99987fa6cfa99d2b0b56e95af479121a250822484dfa23c055485d4e601ae2a5b4
SSDEEP

3072:a6SZtSiXmafJzHfpJvyyY3a2XiIAusM6eUKZ7WJblQ/U:a6KSiWaf8y+yIt6eBYw8

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2248-12-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/4032-14-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/2632-90-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/4032-199-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4032-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/2248-12-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/4032-14-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/2632-89-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/2632-90-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/4032-199-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9265ce4b240f3c281fd87c1dc632c669.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9265ce4b240f3c281fd87c1dc632c669.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9265ce4b240f3c281fd87c1dc632c669.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 2248	4032	JaffaCakes118_9265ce4b240f3c281fd87c1dc632c669.exe	83
PID 4032 wrote to memory of 2248	4032	JaffaCakes118_9265ce4b240f3c281fd87c1dc632c669.exe	83
PID 4032 wrote to memory of 2248	4032	JaffaCakes118_9265ce4b240f3c281fd87c1dc632c669.exe	83
PID 4032 wrote to memory of 2632	4032	JaffaCakes118_9265ce4b240f3c281fd87c1dc632c669.exe	95
PID 4032 wrote to memory of 2632	4032	JaffaCakes118_9265ce4b240f3c281fd87c1dc632c669.exe	95
PID 4032 wrote to memory of 2632	4032	JaffaCakes118_9265ce4b240f3c281fd87c1dc632c669.exe	95

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9265ce4b240f3c281fd87c1dc632c669.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9265ce4b240f3c281fd87c1dc632c669.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9265ce4b240f3c281fd87c1dc632c669.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9265ce4b240f3c281fd87c1dc632c669.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2248
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9265ce4b240f3c281fd87c1dc632c669.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9265ce4b240f3c281fd87c1dc632c669.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\25E4.130

Filesize
1KB

MD5
3811ac38e02b167c75e2be8d38a40246

SHA1
53c39bbb82c34303d30b56d9d78b94ace20e3b3d

SHA256
0a102e5420a0a5896838d06487a0c1a9dfa0aca9b001f674bf17931ca9304766

SHA512
e2a677c3775d3d52ecb036273439a1c6e6d1042f2e7712eae3a5a0c077e0d30db08ad2878fa55429d43e04ac1ae88488c7099340667c2fcef76b2e102fc2661b

Download Submit
C:\Users\Admin\AppData\Roaming\25E4.130

Filesize
600B

MD5
f5c278e41d86e0417a3d81b935d12fd9

SHA1
5f25a553eb7d3f2890b5ee3b1c718e51f2e2ab32

SHA256
97193075995e0007da63aef966a672b3672cea87f6c5336ade7738cf820a7f4b

SHA512
1235abe341ef0201603844b22103d43a9669c89b27296631399c4f07325f098525f50e4eab44be9e9dfa507b95c1224d3e63149c48e307dc45fbca3c51dfb00a

Download Submit
C:\Users\Admin\AppData\Roaming\25E4.130

Filesize
996B

MD5
5aeb12d8c47b6b51546a01d76123d46e

SHA1
084a5b10af58fb5cd2af2be031ceffbaebf20b10

SHA256
f4c7bdd3d7085e454788becc3d933732080f60d021aa160dd5e6224fc804ce00

SHA512
c988958a3c45e01dd5e2e81b94215c3819547e0940adbcfa383e3a5cdde97c92a200ba898f704db46653023f2249ef5ccde1ee6e16afc50c3496017881890d76

Download Submit
memory/2248-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2632-89-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2632-88-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2632-90-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4032-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4032-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4032-14-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4032-199-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing