cycbot | 18b8b770461734681869971080662175b78e19a7d888dddcc363536960ef9632

General

Target

JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe
Size

198KB
MD5

a3a36fec487f44d087bb90f3eb052b6c
SHA1

5387df31b2a60d172fd38b198bc3deeef4f59200
SHA256

18b8b770461734681869971080662175b78e19a7d888dddcc363536960ef9632
SHA512

0b42db3e558cf371161a32454bec0d7a5622543c74d7874fb7c3ae1b5d3a32ca8fddcd9fe3f7c4b2fbb49b01614b9e8fd8af72a4b76b6ca8378867f6e68c8003
SSDEEP

3072:RjcQPoihTA7yirtDRuxErDP1QeaR+GYp2whoD2cRRkxbx1B9EjwB:RjcQPF7uduerL14UGA2whoD2gK+

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/964-13-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/928-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/2420-81-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/928-187-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/928-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/964-8-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/964-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/928-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2420-81-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/928-187-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 928 wrote to memory of 964	928	JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe	82
PID 928 wrote to memory of 964	928	JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe	82
PID 928 wrote to memory of 964	928	JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe	82
PID 928 wrote to memory of 2420	928	JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe	87
PID 928 wrote to memory of 2420	928	JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe	87
PID 928 wrote to memory of 2420	928	JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:928
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:964
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3a36fec487f44d087bb90f3eb052b6c.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\118C.FB7

Filesize
1KB

MD5
06a6a8ee090fac6804ed6922e1361c31

SHA1
7fc13276609d5f2beb18b89a20f68aea9f73215c

SHA256
ed9c2a8ce17a4260085bc72a35af32d5b0ceb6d755bad1b737fc72dbc6e06ab5

SHA512
0ba4ac712a7c785ab832c10712bb79e5bb88695643987ddf33b7c415fafe444d1df54569487ee65cf8cb4473c2adfefd3743011f49316a84934e32f91f47665c

Download Submit
C:\Users\Admin\AppData\Roaming\118C.FB7

Filesize
600B

MD5
c0bdfad22a062201d18b3568290c71e5

SHA1
0a29de4d92ed43d99ad97344bc873d5a86507b48

SHA256
7a359c2482da1a713b068917b6d9b57af752ff4f7f749938b6621a5b10fb9480

SHA512
a49be9e8150a7a087b4e4112819db2e8c7a3e8c327db7b88b839c4e74f8e713bfddb1f0e6f20e520b3c10b0018d654ac86737753a37febb7bc6bf937611c439e

Download Submit
C:\Users\Admin\AppData\Roaming\118C.FB7

Filesize
1KB

MD5
f93b60c7e3e043520bdf64d11131a0b4

SHA1
91050efb5d7a46db1eef79c75fe340968f98820b

SHA256
3cae5900d45a19ca1497683d2cc677a4d00cd8dfee41e282d9236d6ba7776037

SHA512
09735f473053f34ad604202fe5a6e4f4fb7e3a0c91b528b7b961d7d213d71927b41f9db4772496087b9533545c941e1d06d8f4b3476a4509c703fc2278bbacf9

Download Submit
C:\Users\Admin\AppData\Roaming\118C.FB7

Filesize
996B

MD5
7d3d5c9fefa25a8b0c3992c67e4a12da

SHA1
df4a8ed14a5acf3a39234a9c79425f7f630ae4a1

SHA256
b206232e5fca9d482b25f91784676d671509e4db9fe96c5eaa7813d856f5085b

SHA512
d78aa84a01c71f0e8a679f1288ce0aad0bfcf004745206c093d768b5b1a0b768457297999aad8350f7b7cf9ad595a811670fb21cec4e335cf39b9f6399b0eab2

Download Submit
memory/928-1-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/928-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/928-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/928-187-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/964-8-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/964-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2420-81-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing