cycbot | 109808d529a2609c56c95de0316c3bf407d71458856059e687ba2b37c45d50bd

General

Target

JaffaCakes118_b86b1af0c43dd25430b2e55a9d04e792.exe
Size

181KB
MD5

b86b1af0c43dd25430b2e55a9d04e792
SHA1

ddf330615b9b6398f468b463b0c4dcde573ee5ad
SHA256

109808d529a2609c56c95de0316c3bf407d71458856059e687ba2b37c45d50bd
SHA512

e2a033ea72095041335e9d705646a94f33d6f2975b20781abb594a5db366e2c27fd5cc2e9417de68b3b659b388d75d6dbf4d9689541c6fe2de5456de1e230eef
SSDEEP

3072:NMq8g2qgBPBOk0ulYM1agUHqwbhG4hEDD38Xumy94V590m6fXEM1EBs0UFZy/jE:Njz2qQOc1agUKwbhADD37l9uRBs0IEr

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3516-18-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/2332-20-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/2332-21-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/3660-148-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/2332-336-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2332-4-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3516-15-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3516-16-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3516-18-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/2332-20-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/2332-21-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3660-148-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/2332-336-0x0000000000400000-0x0000000000454000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b86b1af0c43dd25430b2e55a9d04e792.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b86b1af0c43dd25430b2e55a9d04e792.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b86b1af0c43dd25430b2e55a9d04e792.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 3516	2332	JaffaCakes118_b86b1af0c43dd25430b2e55a9d04e792.exe	82
PID 2332 wrote to memory of 3516	2332	JaffaCakes118_b86b1af0c43dd25430b2e55a9d04e792.exe	82
PID 2332 wrote to memory of 3516	2332	JaffaCakes118_b86b1af0c43dd25430b2e55a9d04e792.exe	82
PID 2332 wrote to memory of 3660	2332	JaffaCakes118_b86b1af0c43dd25430b2e55a9d04e792.exe	83
PID 2332 wrote to memory of 3660	2332	JaffaCakes118_b86b1af0c43dd25430b2e55a9d04e792.exe	83
PID 2332 wrote to memory of 3660	2332	JaffaCakes118_b86b1af0c43dd25430b2e55a9d04e792.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b86b1af0c43dd25430b2e55a9d04e792.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b86b1af0c43dd25430b2e55a9d04e792.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b86b1af0c43dd25430b2e55a9d04e792.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b86b1af0c43dd25430b2e55a9d04e792.exe startC:\Program Files (x86)\LP\00BD\B2F.exe%C:\Program Files (x86)\LP\00BD
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3516
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b86b1af0c43dd25430b2e55a9d04e792.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b86b1af0c43dd25430b2e55a9d04e792.exe startC:\Users\Admin\AppData\Roaming\DBB52\3CE00.exe%C:\Users\Admin\AppData\Roaming\DBB52
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DBB52\2A4E.BB5

Filesize
300B

MD5
9fa010822c0bd94730d7cce24c2835c6

SHA1
eabee779d0a8aba0cac0c701f197927ef32c0a07

SHA256
5c4a606b127f9d572fe7c49288b9265128e184f5e74628dc1171722f2f251547

SHA512
2988c5ffef95937bb745ea6c873e2585f3a8ddd463ca254468b1b9c8f1145ace1fc1bfc0d129d716a9d4ad070c4f60b937289d4f423d5dfb96f0ae1d8bc9085f

Download Submit
C:\Users\Admin\AppData\Roaming\DBB52\2A4E.BB5

Filesize
996B

MD5
5b7df2778de4dc986943a5edb52cd108

SHA1
14238c1606f8d7150d044a8c2d54549f95dd5376

SHA256
ac92a70031c37662bea6a711baff9de5a8e33410e16c831050c90c1dfa9e2cb4

SHA512
cb4c33aab7e60523d53378b25330d1fbba5bc52296314f6c0d60752928445765e0a33772d28f33d934cb3e46519446f229475fd07945dec1cddf068ff6c6a7cc

Download Submit
C:\Users\Admin\AppData\Roaming\DBB52\2A4E.BB5

Filesize
600B

MD5
9e8fcb77a15e7ecb999aa061569c4825

SHA1
1c3655dc34ff23605fb8ff68f4cb155b87d828a3

SHA256
69fb00a95beea9016f2e43978b22be4e6c516e62f370af071bd775a39bcbc97e

SHA512
d65e7b86de47f66e68a114700217f7664744ac0ad2d6cc5d399d7a2d7d9c673266d9ac7195dac4cf8a360c99b97bf4a66ae92f0d7b92a9a70854fe717f86a49d

Download Submit
C:\Users\Admin\AppData\Roaming\DBB52\2A4E.BB5

Filesize
1KB

MD5
b464f444691ca277ced59fb737727364

SHA1
d33b1a3ecfec830cc3a2a283f9b80ce2ddd349e4

SHA256
e306f1b989ad90e715d1e1597cee468f59935579ce6ccb73ae28e07b33fd183a

SHA512
f04d19f0609af11d34a9d409b8618e0b4557c5dcd8be417a1f655bab7ec0eb96cdd0a79c1d520b59a254ab45cc7915be805a76db280d3753debc183e1fe70910

Download Submit
memory/2332-1-0x00000000754B0000-0x00000000754E9000-memory.dmp

Filesize
228KB

Download
memory/2332-3-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2332-4-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2332-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2332-337-0x00000000754B0000-0x00000000754E9000-memory.dmp

Filesize
228KB

Download
memory/2332-336-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2332-20-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2332-21-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3516-13-0x00000000754B0000-0x00000000754E9000-memory.dmp

Filesize
228KB

Download
memory/3516-18-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3516-19-0x00000000754B0000-0x00000000754E9000-memory.dmp

Filesize
228KB

Download
memory/3516-16-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3516-15-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3660-146-0x00000000754B0000-0x00000000754E9000-memory.dmp

Filesize
228KB

Download
memory/3660-148-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3660-149-0x00000000754B0000-0x00000000754E9000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing