cycbot | 1ed016998356cbe817d9709515498a65602e1e09297a14c4559395a4a82a25b7

General

Target

JaffaCakes118_d39c67e96d120b78a5d33db7b55d369f.exe
Size

180KB
MD5

d39c67e96d120b78a5d33db7b55d369f
SHA1

e9cb55d6825224ad00a012a9c722f2f823460732
SHA256

1ed016998356cbe817d9709515498a65602e1e09297a14c4559395a4a82a25b7
SHA512

aaa0502c17a0410dea068f00a65b9cc9a9a7f3e76007dbaae69339961d376cbe1da1ce7d5a1d662643c093c7ba87d32e12c0bc03bf081c1b0c665206f57e5bcc
SSDEEP

3072:yLthLeYjope6c0GaKdfNMK14kpwi6Qw0jtqSQRRLt2pT511RRNDfzrdFT:yph/ope7D1hXpwpXUkNRZ6NdzT

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3736-13-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/1912-14-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/1912-15-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/2276-122-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/1912-281-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1912-2-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3736-12-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3736-13-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/1912-14-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/1912-15-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/2276-120-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/2276-122-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/1912-281-0x0000000000400000-0x0000000000454000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d39c67e96d120b78a5d33db7b55d369f.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 3736	1912	JaffaCakes118_d39c67e96d120b78a5d33db7b55d369f.exe	82
PID 1912 wrote to memory of 3736	1912	JaffaCakes118_d39c67e96d120b78a5d33db7b55d369f.exe	82
PID 1912 wrote to memory of 3736	1912	JaffaCakes118_d39c67e96d120b78a5d33db7b55d369f.exe	82
PID 1912 wrote to memory of 2276	1912	JaffaCakes118_d39c67e96d120b78a5d33db7b55d369f.exe	83
PID 1912 wrote to memory of 2276	1912	JaffaCakes118_d39c67e96d120b78a5d33db7b55d369f.exe	83
PID 1912 wrote to memory of 2276	1912	JaffaCakes118_d39c67e96d120b78a5d33db7b55d369f.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d39c67e96d120b78a5d33db7b55d369f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d39c67e96d120b78a5d33db7b55d369f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d39c67e96d120b78a5d33db7b55d369f.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d39c67e96d120b78a5d33db7b55d369f.exe startC:\Program Files (x86)\LP\6D38\35B.exe%C:\Program Files (x86)\LP\6D38
  2⤵
  PID:3736
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d39c67e96d120b78a5d33db7b55d369f.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d39c67e96d120b78a5d33db7b55d369f.exe startC:\Users\Admin\AppData\Roaming\8AA39\FAC6D.exe%C:\Users\Admin\AppData\Roaming\8AA39
  2⤵
  PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\8AA39\98D5.AA3

Filesize
996B

MD5
b81848a2bb172c2744cb5f77a6f18afd

SHA1
27433aaffcbe972327be43f6e17414144fc1b2c5

SHA256
71d9b5a188138fee390a83f3e1f54ce99488039e342af16f7612a5451fd25039

SHA512
53c535a4a5b7e16c05d065b7e7a8178ab7a80fa75797258b33e387682663e70438843563e7117bcf0d03dc8e91c908b106cbb841c5b6a409445d2b3b5932eaf0

Download Submit
C:\Users\Admin\AppData\Roaming\8AA39\98D5.AA3

Filesize
600B

MD5
f98b15a7af4c032a0a43ea16e47f2c0b

SHA1
a635680f36f1902d42ffbb5e690ca39941a40f94

SHA256
6ef5d595bc7d8df97cc62897b7f6603059ddc9f4501f60a548b06dc5bc8e2b9b

SHA512
c3ce20d8713b47ff214795619583119460cba53336898800917eaa370635ee17c723dd869363cb524fab91f2f0f4ec230da052d6b641dc4d582cd70bcda43597

Download Submit
C:\Users\Admin\AppData\Roaming\8AA39\98D5.AA3

Filesize
1KB

MD5
3710effd6328272a8a1782f8b9bc8247

SHA1
09a63e6ee6f43bcec282cc132d9d410ceadd0f1b

SHA256
086a6a5189796a83b5d4b5f1edb1dfca4d978f3c9ce8bed6a5e2943ba2b49c04

SHA512
e300dbb9b5d3f7ce3a53ffb611e58dda0cff0ff7f0fda083204585549a66ae0973fee5c94a34163f6daf0980758f43823bb94c3cd076c2d2a4ac009e2321be00

Download Submit
memory/1912-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1912-2-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1912-281-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1912-14-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1912-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2276-122-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2276-120-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3736-13-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3736-12-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3736-11-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing