cycbot | 292c20d20889ba64ce3cdbdbb5467786f9ae807e2606aa4a14ec0dbf4c741639

General

Target

JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe
Size

180KB
MD5

9ec6fc94432fa78a7585004d03eceabf
SHA1

d739dab40b405822b4b89ab2ca208731b354f30a
SHA256

292c20d20889ba64ce3cdbdbb5467786f9ae807e2606aa4a14ec0dbf4c741639
SHA512

80bef760aba69cf9b81910a2e10cc5deb44d36501877176d1dc23d43f854c89bdee0b19cac2a2c98197eb3306ec5fa5e4b406ea83bf9c1fbb200b89a89114ab6
SSDEEP

3072:dklnqbpEekz2+pU1LnJAKd5gG8WrjFP0GBLFO4DTgEhtSKJylxq:dInYpEeg2+q1LnJAufgEcKIf

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2724-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1680-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1680-16-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/680-122-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1680-269-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1680-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2724-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2724-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1680-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1680-16-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/680-122-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1680-269-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2724	1680	JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe	82
PID 1680 wrote to memory of 2724	1680	JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe	82
PID 1680 wrote to memory of 2724	1680	JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe	82
PID 1680 wrote to memory of 680	1680	JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe	87
PID 1680 wrote to memory of 680	1680	JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe	87
PID 1680 wrote to memory of 680	1680	JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe startC:\Program Files (x86)\LP\D48F\C69.exe%C:\Program Files (x86)\LP\D48F
  2⤵
  PID:2724
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe startC:\Users\Admin\AppData\Roaming\F5FE6\F2ED4.exe%C:\Users\Admin\AppData\Roaming\F5FE6
  2⤵
  PID:680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F5FE6\6895.5FE

Filesize
996B

MD5
001e6a84c067bbc24d68d0aa3b32e9ae

SHA1
87a41820aaa2af4cd23478e69abff87087b6b976

SHA256
73c91f1202efdf67f49f2ad7462929d2f5869f3ad676d47cbe38b36e03f70c24

SHA512
11dd936fb1cbe1be98069684e11c907072a3a7cb3bd8e0942db50bd7b5c1dd423c41fe20946156ca8eedafa19ad624991e0feca5b097c4c93f9ba2cf1e37c444

Download Submit
C:\Users\Admin\AppData\Roaming\F5FE6\6895.5FE

Filesize
600B

MD5
65a9e6fffc2285cf41cc47dc6d5d4e80

SHA1
08512a85553e4756d4b742028aea73f111f463a6

SHA256
10dbeaa778e5f821b865f4eac6232946084a8ef93509095a7d58ad62c623cb2b

SHA512
107e4115c0cb71f22417d2c5a3bd9028b96db30c365e07ba2f990dd36815f2dfd2354fc0a47937d89c03639fc4fc1c6da1e66cb2c99dcfe5f8b7afeaf9de00fc

Download Submit
C:\Users\Admin\AppData\Roaming\F5FE6\6895.5FE

Filesize
1KB

MD5
a8718dfe24c90f298179a1f52777bf8e

SHA1
5333955ddb17da5816dd2f8e989017effd196993

SHA256
d9d2bbe981c8993fd72f32b6380bcb7453b6e15acb0575614b50a8a3580a50d4

SHA512
6ea9c8ae7da32f0306e93917191d3eba52acd87568cb13e881e2b46e2447040a0debce1458621bf9e35f47216c64fb38239f61b8f07a63b907fe56ea4c8aa167

Download Submit
memory/680-122-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1680-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1680-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1680-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1680-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1680-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1680-269-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2724-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2724-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing