cycbot | 1af2ea886f324dcba515df77f70e2a46d567315f17e14bccd40f7372e4de4b50

General

Target

JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe
Size

179KB
MD5

9e5a18b5e18c283ae49451bc8169bc19
SHA1

51a615c40cc1107faa1fc3a908a8a13e248e7248
SHA256

1af2ea886f324dcba515df77f70e2a46d567315f17e14bccd40f7372e4de4b50
SHA512

c7fda261518c1a1010db513ccb6c1b98d78e12ae8ea2fcfcc153999a53aee8c2585481335929ede33e905902a68666cad7ce686c59e414ae1528d7bcb4d10eaa
SSDEEP

3072:0zZPWZbFjm6s7W65dJd5joxFyjdStbD6qBx39w:0zlWDjmBnjd1QFezqr9

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/368-17-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/5004-19-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/5004-20-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/4404-131-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/5004-303-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5004-4-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/368-16-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/368-17-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/5004-19-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/5004-20-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/4404-131-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/5004-303-0x0000000000400000-0x0000000000454000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 368	5004	JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe	84
PID 5004 wrote to memory of 368	5004	JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe	84
PID 5004 wrote to memory of 368	5004	JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe	84
PID 5004 wrote to memory of 4404	5004	JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe	95
PID 5004 wrote to memory of 4404	5004	JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe	95
PID 5004 wrote to memory of 4404	5004	JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe	95

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe startC:\Program Files (x86)\LP\42C2\FF2.exe%C:\Program Files (x86)\LP\42C2
  2⤵
  - System Location Discovery: System Language Discovery
  PID:368
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e5a18b5e18c283ae49451bc8169bc19.exe startC:\Users\Admin\AppData\Roaming\24EB4\98442.exe%C:\Users\Admin\AppData\Roaming\24EB4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\24EB4\4B04.4EB

Filesize
996B

MD5
665980e2b4578c10e89fb3a53a6de914

SHA1
26184738de25315b1714b872b97673bdaa74f9ea

SHA256
b3ceb822b3ae98de6d3bbcb15533486e240dcabf802f82654bdb1762e09db397

SHA512
13fe7d9504f70cca80294b414aecf66f11755ddca13cb140f0533ce5007e70866acd932e5f718b47426191d0138c75968e0a8a73fdea34fc105a31fc94f300f3

Download Submit
C:\Users\Admin\AppData\Roaming\24EB4\4B04.4EB

Filesize
600B

MD5
12bdffb7a35581fedaba1b15303e4bda

SHA1
9c7c9bc340ad9e23a4bb79b41eb9ced82d3340e7

SHA256
d714d8949901cdbb40c2fafed4e0b5fbe73bd12bdbb6b79b3141d2f26e7e351f

SHA512
ece5b89d34baaea21b031b21643341f590143dd2802c2c08632558a25f1e702a4c7484621d51a7bec223f3e7b2ee70c4d96d17f33f0120db5c08bf705396b3ce

Download Submit
C:\Users\Admin\AppData\Roaming\24EB4\4B04.4EB

Filesize
1KB

MD5
48bb081114fdb0f1bfc28d2caa3b102a

SHA1
3be37cee4cdbb43ba7e1def6f1a66b6be84396b1

SHA256
2fa3b195017020389acb2d9ebb74bb465717ce30c3ff645d1ce92ee6e5086338

SHA512
777b617343756cfd1485b1e918822e92169a1ae2fde42289dda9553eb7dd81c2a7e645a9f1abe337c7e92587cfa7cb2f4b69c53249684350c1708dd693367772

Download Submit
memory/368-18-0x0000000075A10000-0x0000000075A49000-memory.dmp

Filesize
228KB

Download
memory/368-13-0x0000000075A10000-0x0000000075A49000-memory.dmp

Filesize
228KB

Download
memory/368-16-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/368-15-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/368-17-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4404-131-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4404-129-0x0000000075A10000-0x0000000075A49000-memory.dmp

Filesize
228KB

Download
memory/4404-132-0x0000000075A10000-0x0000000075A49000-memory.dmp

Filesize
228KB

Download
memory/5004-19-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5004-20-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/5004-4-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/5004-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/5004-3-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5004-1-0x0000000075A10000-0x0000000075A49000-memory.dmp

Filesize
228KB

Download
memory/5004-303-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/5004-304-0x0000000075A10000-0x0000000075A49000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing