cycbot | 1df1e2601c47d80034ab65caf1b118627ea0b89439f83d55f7a1425b04c9657a

General

Target

JaffaCakes118_ab9d8676d6267c466fbc98498442392d.exe
Size

187KB
MD5

ab9d8676d6267c466fbc98498442392d
SHA1

2a0ccb91b7b87de5fcaf32c5bdb5cb3e269a45a6
SHA256

1df1e2601c47d80034ab65caf1b118627ea0b89439f83d55f7a1425b04c9657a
SHA512

23bccac7453ac366f3d7d325d8604c3c5b1eb9ac4860e07faf096f79564328634e9d10ca19dd15a9d55b293a7a41bf738e1d6aad6adfbe948eec6feff10c6c11
SSDEEP

3072:Ei5wWW0AYX9dbOKLCNh072GeTm9sZuKp2nPSqgPXWL+T5hC:Ei597diKeCa52Cth

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4984-12-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/3204-13-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/3204-14-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/2180-139-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/3204-306-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3204-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4984-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3204-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3204-14-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/2180-139-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3204-306-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ab9d8676d6267c466fbc98498442392d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ab9d8676d6267c466fbc98498442392d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ab9d8676d6267c466fbc98498442392d.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 4984	3204	JaffaCakes118_ab9d8676d6267c466fbc98498442392d.exe	84
PID 3204 wrote to memory of 4984	3204	JaffaCakes118_ab9d8676d6267c466fbc98498442392d.exe	84
PID 3204 wrote to memory of 4984	3204	JaffaCakes118_ab9d8676d6267c466fbc98498442392d.exe	84
PID 3204 wrote to memory of 2180	3204	JaffaCakes118_ab9d8676d6267c466fbc98498442392d.exe	99
PID 3204 wrote to memory of 2180	3204	JaffaCakes118_ab9d8676d6267c466fbc98498442392d.exe	99
PID 3204 wrote to memory of 2180	3204	JaffaCakes118_ab9d8676d6267c466fbc98498442392d.exe	99

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab9d8676d6267c466fbc98498442392d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab9d8676d6267c466fbc98498442392d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab9d8676d6267c466fbc98498442392d.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab9d8676d6267c466fbc98498442392d.exe startC:\Program Files (x86)\LP\1B16\D85.exe%C:\Program Files (x86)\LP\1B16
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4984
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab9d8676d6267c466fbc98498442392d.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab9d8676d6267c466fbc98498442392d.exe startC:\Users\Admin\AppData\Roaming\6D86F\6C81B.exe%C:\Users\Admin\AppData\Roaming\6D86F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6D86F\F020.D86

Filesize
996B

MD5
2244dd62372f1332977f4a78a556203d

SHA1
08fe34708869d6622a86106233a125fca292ed71

SHA256
890b83b1ca84f147f8eaa70732dbae329264893577c2fc7c9e79710c6d43817b

SHA512
7ab4c2990ffc06b5bec7df2beaaaa47c0ee54c3d47c4489ce9476caf6ba12f9f89ad4b685768be9a07a9f182a22531f5bf80c4b3332cb6776056d011036aeac1

Download Submit
C:\Users\Admin\AppData\Roaming\6D86F\F020.D86

Filesize
600B

MD5
6d283b65bc5afb919f818bd9aa5e0441

SHA1
e4fc0e370163c029de6c52f056e88a872aad1f50

SHA256
1c7934b8a8ecce22ad0a2376b60b892631a73769898d6a8473bd00a96c1bccd5

SHA512
80d97b926c610a11aba42922f405a096cdc94047f439d9ae6b0b697645c30c7b61dcd0429e682d0fd707bdf3fa55106d90154147ed25479f7016fc9c58105e76

Download Submit
C:\Users\Admin\AppData\Roaming\6D86F\F020.D86

Filesize
1KB

MD5
217e5fc47633554c8d66d0f5898403c8

SHA1
8bb5abf7beccbc7fb80bf992d69080d79eb396c3

SHA256
4407f862475ef7cfffbd409fa07132d5c8d824978b732e6b3770499795a84bda

SHA512
4404ba65a5ed16fb4ba179181470a603d76ed035f2beea38d1739947f7edef6d3bb3f8e4654c1ff07178bedabc9219b00ad48fde6415aa18f6fa743c576fa290

Download Submit
memory/2180-139-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3204-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3204-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3204-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3204-14-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3204-306-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4984-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4984-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing