cycbot | a945f3a101968236ba164b2a00ed13e8c17e3cbea123f7a3ffbd3bd67857ccf2

General

Target

JaffaCakes118_9bfd2fa6615a52ed3eaf3865627643eb.exe
Size

171KB
MD5

9bfd2fa6615a52ed3eaf3865627643eb
SHA1

13874330431da3bbc3033774f9d5cc9ceba30f34
SHA256

a945f3a101968236ba164b2a00ed13e8c17e3cbea123f7a3ffbd3bd67857ccf2
SHA512

dc0f6d0e63cb7aac263c115e5fdc161511cd221533f84c2781e6aacabc8bd11731c9e3621a52e614e185981e96d3a6cfd778b4e3a2c9e9ba7352f278de53151c
SSDEEP

3072:shiTm3SUAh+GU1wijPj3IpgdKxLTTsatKOOy+:sPf4cC4UpgdiHTsoYy+

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/220-20-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral2/memory/2488-21-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral2/memory/1932-92-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral2/memory/2488-198-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2488-2-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/220-13-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/220-17-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/220-20-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2488-21-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1932-90-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1932-92-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2488-198-0x0000000000400000-0x000000000046B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9bfd2fa6615a52ed3eaf3865627643eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9bfd2fa6615a52ed3eaf3865627643eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9bfd2fa6615a52ed3eaf3865627643eb.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 220	2488	JaffaCakes118_9bfd2fa6615a52ed3eaf3865627643eb.exe	82
PID 2488 wrote to memory of 220	2488	JaffaCakes118_9bfd2fa6615a52ed3eaf3865627643eb.exe	82
PID 2488 wrote to memory of 220	2488	JaffaCakes118_9bfd2fa6615a52ed3eaf3865627643eb.exe	82
PID 2488 wrote to memory of 1932	2488	JaffaCakes118_9bfd2fa6615a52ed3eaf3865627643eb.exe	87
PID 2488 wrote to memory of 1932	2488	JaffaCakes118_9bfd2fa6615a52ed3eaf3865627643eb.exe	87
PID 2488 wrote to memory of 1932	2488	JaffaCakes118_9bfd2fa6615a52ed3eaf3865627643eb.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9bfd2fa6615a52ed3eaf3865627643eb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9bfd2fa6615a52ed3eaf3865627643eb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9bfd2fa6615a52ed3eaf3865627643eb.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9bfd2fa6615a52ed3eaf3865627643eb.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:220
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9bfd2fa6615a52ed3eaf3865627643eb.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9bfd2fa6615a52ed3eaf3865627643eb.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\123A.520

Filesize
1KB

MD5
1436d70a9ef0ddd96a60ba8fcd96a12a

SHA1
307dc2a5c44aad911af3e49f9f0ee62609660468

SHA256
fec4adda045a3eeed9811670a34ae27c82aa5d8309919493522d0d9352b6c15e

SHA512
2fef999f7106f1a41e7dcb10ba6e8471bfe80e23a77dc2ef5b72ee4a32b300e1a263585b8d2067790a9f9b65c0eeb629135d6db40ab57f45753cec630561cc0b

Download Submit
C:\Users\Admin\AppData\Roaming\123A.520

Filesize
897B

MD5
ccaec2c0084d11e2255d8bb6bde8a4b5

SHA1
0dfda62b94f3f461715408299cee9192a1c69d71

SHA256
bf9683056995f47bc7a88a3cc6729667148664002ccbedec9c5018495cda86ef

SHA512
9ca5d0ff9a845ba07e2e9d25cb59f2093b9f758fa14e205d0a0f299ef1ce033c590ad6b0960629167add11bf05ac72ece84d0959092e1eace23054dc276bb297

Download Submit
C:\Users\Admin\AppData\Roaming\123A.520

Filesize
597B

MD5
47206e781695879838b5be02b604d9f4

SHA1
f42449995f8638e6e4b17ac8c85ed2c0802d543a

SHA256
08c0162a8ad67bea2aef4a20746d54808624415d9f4c05dd91cb27ef8eb04a4f

SHA512
0f2df06079bd010469b2b9eded03a280e6fc7005f2c1d610c81aeca3bebcf0b9773b153f5dcf1c3749bbbec2fea83bdefec0f0fbf4aae15569ed30e407ebce20

Download Submit
C:\Users\Admin\AppData\Roaming\123A.520

Filesize
1KB

MD5
e571fd670d1dc8239ccc292c3a89f88c

SHA1
cd91cfef1be5affd0c8697c2a4456aa97dcc3b60

SHA256
e24041b4bf849d4d2043ee3f7a8e6d25bc25cefe1031aee611cdc5051f72a2c4

SHA512
dfc853d8760ba34f891820b8ec2156e9e4290dc3ababb4dfe5c428f3f3c9d365207e9bfa59d35b3ad43efd95ce5cf6c7a7dd2aec4b9eadb91567189abe20c8ca

Download Submit
memory/220-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/220-17-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/220-20-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1932-90-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1932-89-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1932-92-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2488-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2488-21-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2488-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2488-198-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing