cycbot | 1dbef7d39b87876e5e9f537cbc9dab51dc97e4d213978ce22d8a7954856e0f67

General

Target

JaffaCakes118_ac3e03da2317cf02cab86515ebf72842.exe
Size

188KB
MD5

ac3e03da2317cf02cab86515ebf72842
SHA1

aa7a80734bd47d722690ccdaf6924f074d50e0a7
SHA256

1dbef7d39b87876e5e9f537cbc9dab51dc97e4d213978ce22d8a7954856e0f67
SHA512

d24b449bff2107da2a0787d507903e3c4b9f3616d5d143898bbad2ed33fc81eb056a597dbbee42c50368eda949a352c9054aedc22892e4f159bd4e914cc646b8
SSDEEP

3072:ApQ94NMRe9JtG3x8Ea3omFfypOhXsyEqcu3Ib4+A8yVJ58tClRPXjEx1p4P+u38J:ApQON7s32EaByp8LEqcceVAHYClRPY5p

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4884-12-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/748-14-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/748-13-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4604-128-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/748-279-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/748-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4884-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/748-14-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/748-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4604-128-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/748-279-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ac3e03da2317cf02cab86515ebf72842.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ac3e03da2317cf02cab86515ebf72842.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ac3e03da2317cf02cab86515ebf72842.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 4884	748	JaffaCakes118_ac3e03da2317cf02cab86515ebf72842.exe	84
PID 748 wrote to memory of 4884	748	JaffaCakes118_ac3e03da2317cf02cab86515ebf72842.exe	84
PID 748 wrote to memory of 4884	748	JaffaCakes118_ac3e03da2317cf02cab86515ebf72842.exe	84
PID 748 wrote to memory of 4604	748	JaffaCakes118_ac3e03da2317cf02cab86515ebf72842.exe	87
PID 748 wrote to memory of 4604	748	JaffaCakes118_ac3e03da2317cf02cab86515ebf72842.exe	87
PID 748 wrote to memory of 4604	748	JaffaCakes118_ac3e03da2317cf02cab86515ebf72842.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ac3e03da2317cf02cab86515ebf72842.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ac3e03da2317cf02cab86515ebf72842.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:748
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ac3e03da2317cf02cab86515ebf72842.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ac3e03da2317cf02cab86515ebf72842.exe startC:\Program Files (x86)\LP\00B9\B2F.exe%C:\Program Files (x86)\LP\00B9
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4884
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ac3e03da2317cf02cab86515ebf72842.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ac3e03da2317cf02cab86515ebf72842.exe startC:\Users\Admin\AppData\Roaming\901F4\3CE00.exe%C:\Users\Admin\AppData\Roaming\901F4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\901F4\4180.01F

Filesize
996B

MD5
fbdfef0b8cb3b7c85edb58378737b61f

SHA1
f1cddd8fe5aa84c1db55f0a761bb838dd49832ff

SHA256
247d0b660d30c53bab31fe1c01fc3fff0cfc34137df070ab208c2ca6a16e9618

SHA512
6e1c51bf21c89319ff432c83aa9d5b0076259f9b3c6c485ebf1dd64dc4e2b0abde9f0c74d8f789d8bbb4749bf959b537ccfa5a69edf4f7782d3ec65d5f52a987

Download Submit
C:\Users\Admin\AppData\Roaming\901F4\4180.01F

Filesize
600B

MD5
e27e1bfb6cf05f8906cb147cdfa6c68c

SHA1
dcf816f970891d587035f4c7b61867e2610c5c90

SHA256
ba4213f7e6a5d5c170e228911781c1906419e89179f359c39a85205af6c5120d

SHA512
b00a8c73ae6b0a36545b809b4fcf6209a700b5af12dbe647f7017f727590a25bc2b1a2afdd06c62d10dc0ffcbbc10d314e57753d0a7b5258a73429dbf5c8b87d

Download Submit
C:\Users\Admin\AppData\Roaming\901F4\4180.01F

Filesize
1KB

MD5
cc43b90d964448370fc8f8b09a2e3031

SHA1
63d9117a49abf24b04bf9653290febdc762c0eb6

SHA256
f5824d5ddb5362d7ed80160dbf28e47a07eacaaccba4b3c70e103f4adc43980e

SHA512
22b5c19a63671483bee68c0519d3ba6a48c12faecf9ed4e82fb19db6fd0f2d6ff8a53e6844605a3fd5821f113e9238ab60c267d2b27e7e736443bb8a9282b935

Download Submit
memory/748-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/748-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/748-14-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/748-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/748-279-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4604-128-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4884-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4884-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing