cycbot | 1e82c103c4ac3794d519a480508084f4ccce6f5dceb60626bc18ade4e394b86d

General

Target

JaffaCakes118_afc4d116a8db0d69b6aabd2f3b443002.exe
Size

179KB
MD5

afc4d116a8db0d69b6aabd2f3b443002
SHA1

2a410a8263f3d21d825d51790d578fa1ae79a469
SHA256

1e82c103c4ac3794d519a480508084f4ccce6f5dceb60626bc18ade4e394b86d
SHA512

ce33ddcdaa035811c6c4b0d1b3e05df0cbbc72ed2e2b470ed289b85ec28acf192182e862aef40687b2a3b5fa7db1e700adf43df1b4ff60f625ba7c5e4cda8e08
SSDEEP

3072:PWiBsGzqRlIVQGdCRC1L2BIhxBq1cNkOvQnyUs9gZ41I9Kv2uxCrC2JUk3:+iBRzqvIvdUqLXhq1I7QiGjK5YJP

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2836-13-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/2836-14-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/3956-121-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/2836-288-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2836-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2836-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2836-14-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/3956-120-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3956-121-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2836-288-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2144	4840	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_afc4d116a8db0d69b6aabd2f3b443002.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_afc4d116a8db0d69b6aabd2f3b443002.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_afc4d116a8db0d69b6aabd2f3b443002.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 4840	2836	JaffaCakes118_afc4d116a8db0d69b6aabd2f3b443002.exe	86
PID 2836 wrote to memory of 4840	2836	JaffaCakes118_afc4d116a8db0d69b6aabd2f3b443002.exe	86
PID 2836 wrote to memory of 4840	2836	JaffaCakes118_afc4d116a8db0d69b6aabd2f3b443002.exe	86
PID 2836 wrote to memory of 3956	2836	JaffaCakes118_afc4d116a8db0d69b6aabd2f3b443002.exe	101
PID 2836 wrote to memory of 3956	2836	JaffaCakes118_afc4d116a8db0d69b6aabd2f3b443002.exe	101
PID 2836 wrote to memory of 3956	2836	JaffaCakes118_afc4d116a8db0d69b6aabd2f3b443002.exe	101

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afc4d116a8db0d69b6aabd2f3b443002.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afc4d116a8db0d69b6aabd2f3b443002.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afc4d116a8db0d69b6aabd2f3b443002.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afc4d116a8db0d69b6aabd2f3b443002.exe startC:\Program Files (x86)\LP\2D99\7CD.exe%C:\Program Files (x86)\LP\2D99
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 396
    3⤵
    - Program crash
    PID:2144
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afc4d116a8db0d69b6aabd2f3b443002.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afc4d116a8db0d69b6aabd2f3b443002.exe startC:\Users\Admin\AppData\Roaming\969F3\58F2D.exe%C:\Users\Admin\AppData\Roaming\969F3
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4840 -ip 4840
1⤵
PID:4148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\969F3\3B13.69F

Filesize
996B

MD5
f1b929df757aa6b3748b604673c52a44

SHA1
f6fca93bbeb30f02f3eaf0c3c74bf6c02114aa5a

SHA256
5f0476bdec7cc60dd2deade841575bd79997729c46f7e8f87a3246ac26b8cc7d

SHA512
7361449af5103405e4ee07d1072dc31022b36f72eb76c84dc0ffea236db434588f36dbb4e9de8f2bc0787cd9eac44abce091f54773f451005ce5b737bc558737

Download Submit
C:\Users\Admin\AppData\Roaming\969F3\3B13.69F

Filesize
600B

MD5
332bf1378f86c2a4e1e7a1ef4896716c

SHA1
8eebdac0414d320202a463921b1b3d872a33dbee

SHA256
8426965eb9815bc5f3a0007b039b250b5c9a8d0a03948b5b21aa9cc2da0b0d72

SHA512
bf804b2775260e2bb15f21c1c3e00691e5595256692b5471970916bc229206119148c87ac05dd4a4e48d413b2392322d9acd3e012754a791ee3e8b8fd3b055ec

Download Submit
C:\Users\Admin\AppData\Roaming\969F3\3B13.69F

Filesize
1KB

MD5
b712c0a49486ca5d88c1a5b7cf447e0e

SHA1
04d305524dcf51a821d55853add683bd6498bf98

SHA256
b3ad37bfeab4a58a017b8eab399af5f07626d303ab6fc2f3635ff87d309933db

SHA512
5beb22fe4e4e1674606500ea4f92adc12fe63d93fa9df188395203ead9e045f3cee1e4cd4501766055ecd7930973029b0155f642de95cb461a75298f9b1d0907

Download Submit
memory/2836-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2836-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2836-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2836-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2836-14-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2836-288-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3956-120-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3956-121-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing