cycbot | 1e1a8648fcc1824877f31835fee9f0950898ace33eec5c19680b9afda1245344

General

Target

JaffaCakes118_db841c103fcec7a3e45a1c2857e5ebc6.exe
Size

191KB
MD5

db841c103fcec7a3e45a1c2857e5ebc6
SHA1

5efae0cad307e966149fac21ee8bd375526fe38b
SHA256

1e1a8648fcc1824877f31835fee9f0950898ace33eec5c19680b9afda1245344
SHA512

6a16551a180c8217ac2f7491a7a4404ee748784d79be1df18d15f1380f6f10f39910ee0338611ccd0f020e48a38898c31da92c932f44eb3ef8a0772d82988bf3
SSDEEP

3072:67R597U/Fh0r2AtnrIuxR/BO6TWfgUu1mPNwaRcXmEwMoOf68e89M2:67R597U/LKtnr7BOFgUpPhcXmEEOU8

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1348-13-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4620-15-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/4620-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/2692-128-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4620-295-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4620-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1348-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1348-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4620-15-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/4620-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2692-128-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4620-295-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_db841c103fcec7a3e45a1c2857e5ebc6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_db841c103fcec7a3e45a1c2857e5ebc6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_db841c103fcec7a3e45a1c2857e5ebc6.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 1348	4620	JaffaCakes118_db841c103fcec7a3e45a1c2857e5ebc6.exe	82
PID 4620 wrote to memory of 1348	4620	JaffaCakes118_db841c103fcec7a3e45a1c2857e5ebc6.exe	82
PID 4620 wrote to memory of 1348	4620	JaffaCakes118_db841c103fcec7a3e45a1c2857e5ebc6.exe	82
PID 4620 wrote to memory of 2692	4620	JaffaCakes118_db841c103fcec7a3e45a1c2857e5ebc6.exe	88
PID 4620 wrote to memory of 2692	4620	JaffaCakes118_db841c103fcec7a3e45a1c2857e5ebc6.exe	88
PID 4620 wrote to memory of 2692	4620	JaffaCakes118_db841c103fcec7a3e45a1c2857e5ebc6.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_db841c103fcec7a3e45a1c2857e5ebc6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_db841c103fcec7a3e45a1c2857e5ebc6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_db841c103fcec7a3e45a1c2857e5ebc6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_db841c103fcec7a3e45a1c2857e5ebc6.exe startC:\Program Files (x86)\LP\9E9C\1E6.exe%C:\Program Files (x86)\LP\9E9C
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1348
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_db841c103fcec7a3e45a1c2857e5ebc6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_db841c103fcec7a3e45a1c2857e5ebc6.exe startC:\Users\Admin\AppData\Roaming\C1C48\6BE9E.exe%C:\Users\Admin\AppData\Roaming\C1C48
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C1C48\8234.1C4

Filesize
996B

MD5
c4b848b4ca92eb727f6aa61243394460

SHA1
a50dd5e807b8e2f8f93da09f0a8501ec5397d2f8

SHA256
eb345b8103ccb3c7c6a0c3e5d93779e56042265208957b756c4b05b216779ba6

SHA512
4c65b5ef73850fa7de96e0c98f6471a3bc1f17036e63f930ac65aa763670d05361fb11afbfd855316d8c1e539b98f3e6606b9c713d374ad64440ed4d1e5edd4c

Download Submit
C:\Users\Admin\AppData\Roaming\C1C48\8234.1C4

Filesize
600B

MD5
46b718c5bc4e4ab60a052bef641c2aca

SHA1
145b1d8d4f63fe18f158a4fe92acef7c1fccf8e5

SHA256
320277b3fb681486c47ea71f242c6cdcc123d40b27b22926dd80066caef8e413

SHA512
b339729dac4876436cdd24f1df92cb672eb9481020f4f787af991c646cd3b06227a3079567185132d486ad6ae34d1d1d9fc2f5e9684b11fa0c01711b84207186

Download Submit
C:\Users\Admin\AppData\Roaming\C1C48\8234.1C4

Filesize
1KB

MD5
2c3235963efc2e3eee18dccacae1a261

SHA1
9435b70dd0d3f0ec3bcf370525bfa0cf6afb3605

SHA256
455d41e3841cee79d91c976717cbb6f7e254e6c334bec8bbd4c6b8b54f520bf1

SHA512
aa480216941715e8b1169a2c11528f94857a95c541910e2ce64bc41224de068f3e7dc4b4484a68ab27c581fa28a5f518986e6e217be83002267c79bd8f5f94c7

Download Submit
C:\Users\Admin\AppData\Roaming\C1C48\8234.1C4

Filesize
300B

MD5
9a912a9d44c024754886bb44cb98c6b1

SHA1
c6a375132e63cbdc09338a7ddc15577d7491e06f

SHA256
d8f3e0304d381c03fd03aa41a0eeba4680b924e6bfba75856574e8bc3e9ea34c

SHA512
7b4be56c632d8d7faa2e9013d683f0d92fea2877b49d2d1f0147ed1ff5c0d14482b40ebf42f97b4d97d446160efdb1c510c6b4607538f1a3cb527e9d9e685e4e

Download Submit
memory/1348-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1348-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1348-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2692-128-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4620-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4620-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4620-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4620-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4620-295-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing