cycbot | 17c286f1836dc8b964fa46ed2b68721d6ee5dfbb42ad269a759017f2abf955e3

General

Target

JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe
Size

179KB
MD5

c8af4339c7fb630d478e0241fc27b188
SHA1

677027b99189af73c3f8faa1966e91a3fbcec2b9
SHA256

17c286f1836dc8b964fa46ed2b68721d6ee5dfbb42ad269a759017f2abf955e3
SHA512

766c07d7bce3817c917a08041645f984bdbd89096e284faee223c16663f615fbc014b76207956dfc78e53d17890fb2821de7c2e03e821a1b4227bb688377b05b
SSDEEP

3072:nBvzh6VV1JGGmHyq6WlSjDOW99HSuVVMcuohLegBWKdf4EE1zjJnqQdq2/Og1QPS:5t0rJG/qPOYHSqMcfhKVVEQndRGOV

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2892-19-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4872-20-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/4872-21-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/3472-135-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4872-322-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4872-4-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2892-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2892-16-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2892-19-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4872-20-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/4872-21-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3472-132-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3472-135-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4872-322-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 2892	4872	JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe	84
PID 4872 wrote to memory of 2892	4872	JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe	84
PID 4872 wrote to memory of 2892	4872	JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe	84
PID 4872 wrote to memory of 3472	4872	JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe	95
PID 4872 wrote to memory of 3472	4872	JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe	95
PID 4872 wrote to memory of 3472	4872	JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe	95

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe startC:\Program Files (x86)\LP\E796\A08.exe%C:\Program Files (x86)\LP\E796
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2892
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c8af4339c7fb630d478e0241fc27b188.exe startC:\Users\Admin\AppData\Roaming\6432A\828E7.exe%C:\Users\Admin\AppData\Roaming\6432A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6432A\A575.432

Filesize
996B

MD5
b6a7a697247ba10b6bedc9d23a87bedc

SHA1
5c7299f580688972f53a1b021b7d438146511b41

SHA256
ae4a76444faece77783cc27f20d74e09670fdd03dc91e0a8ab8224d3d6110045

SHA512
5ae9324b5a7637920441e4b3cbbaba7e0ff99daed667d26aa3328c137bcea48637a7ce107c1f9b0e83dc6fe45bb81ae4f90690d9ac06f24771f9cd82ed79563e

Download Submit
C:\Users\Admin\AppData\Roaming\6432A\A575.432

Filesize
600B

MD5
6c0c69124211b2ae66090d4bd1e690d1

SHA1
483fa842f517e032091de86939a1809e78c8d8f7

SHA256
77265a49e98e63621a8015e262d4795e3410dac3f301b1cb526f7291f35eb9d9

SHA512
646a6de1ba38331318fe0cf4bb49809f92969c6ec1f03c3e6aadcc508e30181b92d09a2d76bf032258a984a7f67ec32c26baf535d6394585701bddb54206e142

Download Submit
C:\Users\Admin\AppData\Roaming\6432A\A575.432

Filesize
1KB

MD5
74619110ba039eba66b9a4faa8b61737

SHA1
b99bd06f6c8a3783f29ceac356b34d2298d7318c

SHA256
e0d301dd3c946166145223d10c7db811ca7bafd84cd70cdadeba001bd92c9c4d

SHA512
b83caae2483c8c720f500233422f475521f85e4a1af985f1bda9160b37dc2baf72b195f5add50e72c9d6e6febbf45015c52fdfb1c9051234a15b802ca06f76bd

Download Submit
memory/2892-19-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2892-13-0x0000000075450000-0x0000000075489000-memory.dmp

Filesize
228KB

Download
memory/2892-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2892-16-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2892-18-0x0000000075450000-0x0000000075489000-memory.dmp

Filesize
228KB

Download
memory/3472-134-0x0000000075450000-0x0000000075489000-memory.dmp

Filesize
228KB

Download
memory/3472-130-0x0000000075450000-0x0000000075489000-memory.dmp

Filesize
228KB

Download
memory/3472-132-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3472-135-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4872-20-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4872-21-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4872-4-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4872-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4872-3-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4872-1-0x0000000075450000-0x0000000075489000-memory.dmp

Filesize
228KB

Download
memory/4872-322-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4872-323-0x0000000075450000-0x0000000075489000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing