cycbot | 1470e4f143dfbdc0c767131f337d42ff623ab460f8c92c27970310fb24d4f408

General

Target

JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe
Size

184KB
MD5

a0d0a811e95c1520ae41e3b783b56245
SHA1

c968c2f2e7bcf8e8b747860b5dd165d76c50c69d
SHA256

1470e4f143dfbdc0c767131f337d42ff623ab460f8c92c27970310fb24d4f408
SHA512

3a0b20e02fcd20fdc34eedbe2c9df701634ef04cffb56d2db4bbad0c895aedf01b40d6821fd7e23fcffed5573a36050bf5ef581eec9736601fe4964d38a6edbd
SSDEEP

3072:SLIsfb/xwle6EZN62KFGmKsssbNO3vKYm7gz3ClPiG9TEijYcK8fYVLKIitoaW/P:SLRdWeb7vqGPssENO/KY58iqnG8YLetU

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2348-13-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1032-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1032-15-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/2336-126-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1032-293-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1032-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2348-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2348-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1032-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1032-15-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/2336-124-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2336-126-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1032-293-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 2348	1032	JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe	82
PID 1032 wrote to memory of 2348	1032	JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe	82
PID 1032 wrote to memory of 2348	1032	JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe	82
PID 1032 wrote to memory of 2336	1032	JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe	88
PID 1032 wrote to memory of 2336	1032	JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe	88
PID 1032 wrote to memory of 2336	1032	JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe startC:\Program Files (x86)\LP\528D\9D9.exe%C:\Program Files (x86)\LP\528D
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2348
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe startC:\Users\Admin\AppData\Roaming\DF3BB\6D852.exe%C:\Users\Admin\AppData\Roaming\DF3BB
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DF3BB\B13F.F3B

Filesize
996B

MD5
ba15a239549c0ba5e879630d30026ee5

SHA1
b8c9e51150aa138466c6c20eeb753e9b358f26b5

SHA256
90579d53a5926ad8c199093f5fa0b81fe73a5db5775b5ac0be787630f4561b40

SHA512
7cc3c231fb5d157babdb7e34f51a8bdde25b2f7b94d0127d842753de726573e41d429e36d53fec5b54c2ccb20cccc2cd87878254cb406d21257f8460d8b67bb9

Download Submit
C:\Users\Admin\AppData\Roaming\DF3BB\B13F.F3B

Filesize
600B

MD5
b40188ccc5588d75cff75ddd0af39358

SHA1
1d5bff22616c6b7d5cb5217fbba11d81bdac3d7e

SHA256
da9dc99a1997f85dbef1c21023b31ee5894c6c879a3a123cd6fd76553075ed03

SHA512
5b2926d585cd8948eb9f6270d7f65f9bb1ffaa14b9e1122a7f9ddff4aad635e5d2df9abc3be0a870d9791863967fa390b687c554c52a5269d218800c1f43d787

Download Submit
C:\Users\Admin\AppData\Roaming\DF3BB\B13F.F3B

Filesize
1KB

MD5
79914b51174815782b69097411246d89

SHA1
982f23d5a30a66e8e7b63e930a10d9f209f7d847

SHA256
d323b2514f6648f3d3af3ec1868000dedb906291c165d6a74770678054cce29b

SHA512
4014f798bec33fe60c2ff1d4d5415d90c0dd77e162071552462e7064922f6bed94214d836c1dd1c724cbaa57c6fe39f00ee37ac8ce817c61aab37f881fbc48cc

Download Submit
C:\Users\Admin\AppData\Roaming\DF3BB\B13F.F3B

Filesize
300B

MD5
1181b129be8c6d0afc656ca3cef679c2

SHA1
d35328e236b5df28d509ad3ae4295101dfa87928

SHA256
2862a0bb510b831f7c60c67435481500b13412d4688841c65960df0b7ffb4e48

SHA512
289ecfdfc8605248ffaa1be8eac98c0b1472052fb3f334d7df5c00f28db2c7b9e3189578ca8c4d669e9f3bd8a1b9691968770fef1a51f97575812a4b15d50471

Download Submit
memory/1032-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1032-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1032-293-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1032-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1032-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2336-124-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2336-126-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2348-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2348-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2348-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing