cycbot | 205d48d3c45a5d7ea5a0a4e475cdc0e2fe02717ce25bf5554367998425298fae

General

Target

JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe
Size

179KB
MD5

b79a6197f84d06dd3dc3a9fc3e1e2cf9
SHA1

f5d245cc75ebd5e517690016be0a5d6b65850df9
SHA256

205d48d3c45a5d7ea5a0a4e475cdc0e2fe02717ce25bf5554367998425298fae
SHA512

b7294e69402d63a0587f0e5c35a0eb89e93d20af915eb8ce8389d65ee236f6c5e652a65ba5c7e58a774d844c3a1ceaead37e2a310b6623fb2207dff70c7ced3b
SSDEEP

3072:G91jjjxUZ0m4uI814ZeNyghmD0Tf+NZw6Oh655cd9eO0e68ZaOpBwcSzvZdcXflN:G4J4uIu4Zebm4TG2h65a95lqcSNdB1Sd

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4572-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4208-16-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/4208-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/2176-122-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4208-301-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4208-303-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4208-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4572-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4572-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4208-16-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/4208-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2176-122-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4208-301-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4208-303-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 4572	4208	JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe	84
PID 4208 wrote to memory of 4572	4208	JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe	84
PID 4208 wrote to memory of 4572	4208	JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe	84
PID 4208 wrote to memory of 2176	4208	JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe	89
PID 4208 wrote to memory of 2176	4208	JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe	89
PID 4208 wrote to memory of 2176	4208	JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe startC:\Program Files (x86)\LP\F0B6\5FB.exe%C:\Program Files (x86)\LP\F0B6
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4572
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe startC:\Users\Admin\AppData\Roaming\60C1E\447F0.exe%C:\Users\Admin\AppData\Roaming\60C1E
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\60C1E\E007.0C1

Filesize
996B

MD5
67f0892b0014036bf6c0a1ee844de78f

SHA1
3d9df42819630fca5ecb84ca069274ead63d5086

SHA256
47320a98410d91f3af56193fc570bc55d85be978512ed5fcba90f705d537233a

SHA512
97ac23fa459884351300f99c8fbb51c7df8f0b51e22634c51f1aea34a869d78559704c0a956d8c25b1940bd5da2fc500caba7afd0c2d9462dbbc5d9ce1b510b5

Download Submit
C:\Users\Admin\AppData\Roaming\60C1E\E007.0C1

Filesize
600B

MD5
a178509481388d4cc61bba05b2b17c87

SHA1
933139e01bf1c1ca10e4c7c2ac01d419dbe93263

SHA256
ef3204bd3d41b3397f26fba95fb6e80e7082725f9cd06a0fb2b7f71a4d45cef7

SHA512
11fa123d751caaaec2c76f84db66b274612bef7f3e67e334ad6a49043d2bf20785d38e3e274bea662a4476e1d0125a336b2d8319f850ad52c9ff3d7175e15e84

Download Submit
C:\Users\Admin\AppData\Roaming\60C1E\E007.0C1

Filesize
1KB

MD5
882e168356b6e4f4d918e2e4918a3168

SHA1
1c88ea58b865717e76f2c66d6c316de6566b2a86

SHA256
55747e1edd127f20b62b41b792d575c2f6113a27c8bf09e2ee05da297f1cd465

SHA512
b8c89bd1d30ee4d4ad69523e66f3e32738f1303ae30916bd9422992f63d532c8bcb1fb41f0600e167882a4c7006568b50d3dcbcaf42f9ffbe61ff6b3e9810157

Download Submit
memory/2176-122-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4208-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4208-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4208-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4208-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4208-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4208-301-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4208-303-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4572-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4572-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing