cycbot | 1a9bfc6a675e53b2e1fdd150f10aa3d1546b9c63540d0a2dc52113cb434088b9

General

Target

JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe
Size

181KB
MD5

c6a93c5b7fe7915de3b31f133c370ce0
SHA1

984e837a21a137bf6cb74692dcab458ca7507fa4
SHA256

1a9bfc6a675e53b2e1fdd150f10aa3d1546b9c63540d0a2dc52113cb434088b9
SHA512

ccc4732f3eb02c8bd447f0772958e68d43eec18dcf325e6f9139f2d37a0855ba8794afcb9ccf8a1cc937b8578f7ce07a01415a63d1bb25de5d513525f54b260c
SSDEEP

3072:fMyMzQw6ScvdO6gJKYpzKM/zB0E9IGOvNcbTt+vZu9MA4L9oMz:fM+SMgJppnzKIbTt+s9MAI9oA

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1744-13-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/4696-14-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/4696-15-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/5044-125-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/4696-280-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4696-3-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/1744-13-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/4696-14-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/4696-15-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/5044-125-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/4696-280-0x0000000000400000-0x0000000000454000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 1744	4696	JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe	84
PID 4696 wrote to memory of 1744	4696	JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe	84
PID 4696 wrote to memory of 1744	4696	JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe	84
PID 4696 wrote to memory of 5044	4696	JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe	94
PID 4696 wrote to memory of 5044	4696	JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe	94
PID 4696 wrote to memory of 5044	4696	JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe	94

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe startC:\Program Files (x86)\LP\2CCA\F46.exe%C:\Program Files (x86)\LP\2CCA
  2⤵
  PID:1744
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe startC:\Users\Admin\AppData\Roaming\A4909\9E42C.exe%C:\Users\Admin\AppData\Roaming\A4909
  2⤵
  PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A4909\9695.490

Filesize
996B

MD5
7a17fe33a7e2948f14846ca0996f8157

SHA1
54f7fed04d20ce78b64c37f592b9b2835bde8825

SHA256
6c18cccc017f6518ba7e495359423ce0d8dca2cff04477067940fae3bd4bcb49

SHA512
12651f734dada20924e621b58d4dc1f2992bd3567a8082dd2eb3c4e85133350842cf62a6e0f77807093a7ebe91e1c97d8539374fe4a3f38ac0e994e976d03ec0

Download Submit
C:\Users\Admin\AppData\Roaming\A4909\9695.490

Filesize
600B

MD5
8503e20d3dc65931d9ebfb60306c5686

SHA1
3e82fb8742ccc09faa3325aae9d37cf8c7451592

SHA256
00b82557665da0fc7f4b88b073d26120a2fa9c114d6218dd26366277f05c4b71

SHA512
fccffb118fb285fc9644cf7e9746012f7a668d875688265014a2fabdc6c4faa689a521509caa075423c7acf16a756acb540dca0dd51a917954142ebff784a419

Download Submit
C:\Users\Admin\AppData\Roaming\A4909\9695.490

Filesize
1KB

MD5
8b9ac48af6ae148b43bf7c730430d279

SHA1
78d09a1839818ae2ad39aa9536aa8a29d4356b9d

SHA256
a06288aef4cecd6e9d8288f25f8dc95c4807f4c8ddec659348bea4d90734bc4b

SHA512
0e262543a040fd5f61a91db948e231a9d05336b7197376c0d54c2b0944d381b23df89e4f081d689a9ded38e41531abbe198dd9adfe1098fe1e6d629dc6eae651

Download Submit
memory/1744-13-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4696-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4696-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4696-3-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4696-14-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4696-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4696-280-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/5044-125-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing