cycbot | a45ddb4804881d076913b60b44a47d418b905dfcceac8a6951747fe3802e7da3

General

Target

JaffaCakes118_d3a5249b1871bb735cc105987cd8e458.exe
Size

183KB
MD5

d3a5249b1871bb735cc105987cd8e458
SHA1

9e2ecf59cf7b0cf25c2df4dbf290c3c1a84521c2
SHA256

a45ddb4804881d076913b60b44a47d418b905dfcceac8a6951747fe3802e7da3
SHA512

4846b44ecb2c0af342a2177c2142247df2d4f8af478fc37c15f5f02adf8c1847bc67241dcf290c09ff28660ce0b20abd89f7f294de00f9e14f108caf42a3d934
SSDEEP

3072:VRUicGA0U0vg2yh7n2t0oTqaQKx2kU54Fyaw0b7vkJciwxNvrJHKmDVe3:RcGngxV+qzK4ke/O9D9DDVe

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4136-15-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/2800-20-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/4996-91-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/2800-209-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2800-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/4136-14-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/4136-13-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/4136-15-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/2800-20-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/4996-89-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/4996-91-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/2800-209-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d3a5249b1871bb735cc105987cd8e458.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d3a5249b1871bb735cc105987cd8e458.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d3a5249b1871bb735cc105987cd8e458.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 4136	2800	JaffaCakes118_d3a5249b1871bb735cc105987cd8e458.exe	83
PID 2800 wrote to memory of 4136	2800	JaffaCakes118_d3a5249b1871bb735cc105987cd8e458.exe	83
PID 2800 wrote to memory of 4136	2800	JaffaCakes118_d3a5249b1871bb735cc105987cd8e458.exe	83
PID 2800 wrote to memory of 4996	2800	JaffaCakes118_d3a5249b1871bb735cc105987cd8e458.exe	97
PID 2800 wrote to memory of 4996	2800	JaffaCakes118_d3a5249b1871bb735cc105987cd8e458.exe	97
PID 2800 wrote to memory of 4996	2800	JaffaCakes118_d3a5249b1871bb735cc105987cd8e458.exe	97

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d3a5249b1871bb735cc105987cd8e458.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d3a5249b1871bb735cc105987cd8e458.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d3a5249b1871bb735cc105987cd8e458.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d3a5249b1871bb735cc105987cd8e458.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4136
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d3a5249b1871bb735cc105987cd8e458.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d3a5249b1871bb735cc105987cd8e458.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5309.2E5

Filesize
1KB

MD5
a86afb46486c366d384abf0230afa927

SHA1
7f1048b3707f4cec484cde751b48cf5ca364808f

SHA256
0f1fe7deb07ce610408b1848e1742c7f5d540eb05ebac984cea5c649cdc2035b

SHA512
0f617ba20319a3b6fff4c1556df9c093817ccb1dd7b641cecfe677db69045f0a75f643d54ab1127e0ebb0bd1efd210ae746cbd9636814d6c0e81752e96380156

Download Submit
C:\Users\Admin\AppData\Roaming\5309.2E5

Filesize
897B

MD5
fada2a9e79ed452ac6cd60e378bd1048

SHA1
4b6e372e0a712b1203742f9205aedb1c69f3044c

SHA256
aef3076ffee8e5a7327724be0d342299dac259584572f54d1ec3c9b3ba797e78

SHA512
3d1ec55787b29d52ffc0f0674e394671528621b60a8bdf7242d7b5f65192c480057604e65422aaefce14ed48bde1d5166d71888b408f811e20f618a47670aa62

Download Submit
C:\Users\Admin\AppData\Roaming\5309.2E5

Filesize
1KB

MD5
d7f78988f9843940851015f6fed994be

SHA1
2bc8c791b560cee5dac569322274f6e1aa4688be

SHA256
32ebcf441d4c1b27a9abb68a0008920b6a2d7c283bf02a414f8922b83d4f827e

SHA512
4c852017fdcb2b1915b67e79f8c95f7292337bad439001bcef8e4278d9343c728e9d2b1bba77f2a3c7711750adc4275c667d3a5e5e47703712d90f641fbbf94d

Download Submit
C:\Users\Admin\AppData\Roaming\5309.2E5

Filesize
597B

MD5
b1b68e0e8ecfdde093528d97cb424985

SHA1
9612c9df4702964f9940fc81922ca5e3dc8c37fb

SHA256
d42b665ec10c8b19e1be5cc5ec304ccb52b63476ccd230d3c2c97ebf012cb500

SHA512
ce89515f8d6ac70b1f475494b7c332309626dcc60a5aa0253916cdde2a07703a1b9121661db93ab301e206f4e71ab4fe22179fb0b67dcc0e6a9860cca5f4e935

Download Submit
memory/2800-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2800-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2800-209-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2800-20-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4136-14-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4136-15-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4136-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4996-89-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4996-91-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing