cycbot | b42700e37a30c62e93ac6025c363ec4806b96c7115dcbccaceb07d7985a525e0

General

Target

JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe
Size

180KB
MD5

0a7ef0db037432a8e0108bc391a7c95d
SHA1

f440542b4a2412f2569e47fdaeb7499cffff0205
SHA256

b42700e37a30c62e93ac6025c363ec4806b96c7115dcbccaceb07d7985a525e0
SHA512

36f622dfc5e7146cef4111799c4ad61a13dda5dea60262bb56f57983bbac10af9f65d20b275f61670736bbf2a8dc807f6fc410923dbc3380b135b91dfecee00b
SSDEEP

3072:UhbaPUwzSWpXRnAowR0Hdn+zZnAlu5JTBdZagoye3N2i8luzhtwnaXMMxZ8pGLRU:UhbOWWtWoAid+zZAQRZagoypi8lK9cMz

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/444-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4212-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4212-16-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/1200-126-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4212-293-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4212-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/444-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/444-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4212-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4212-16-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/1200-126-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4212-293-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4212 wrote to memory of 444	4212	JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe	82
PID 4212 wrote to memory of 444	4212	JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe	82
PID 4212 wrote to memory of 444	4212	JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe	82
PID 4212 wrote to memory of 1200	4212	JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe	87
PID 4212 wrote to memory of 1200	4212	JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe	87
PID 4212 wrote to memory of 1200	4212	JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe startC:\Program Files (x86)\LP\2CCD\F46.exe%C:\Program Files (x86)\LP\2CCD
  2⤵
  PID:444
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe startC:\Users\Admin\AppData\Roaming\D2744\9E42C.exe%C:\Users\Admin\AppData\Roaming\D2744
  2⤵
  PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D2744\43DB.274

Filesize
996B

MD5
adb1bde04fc5070a7927eba0def110bb

SHA1
39e3f651f43f1786160a2698962a911627dbbe4e

SHA256
187c69fef385208716005ccc9d6e133c14288519085dee4ba9369b9ccc98c92b

SHA512
263626bdea74192f866a78f5dd0842d517dee3b5cc0fe8077d6db69a0f80d379b64e152284ed7ea161e1d29a60d975af3bcffd58cbee3d60d04336516e965f00

Download Submit
C:\Users\Admin\AppData\Roaming\D2744\43DB.274

Filesize
600B

MD5
b547c5c6fb86606c252a423a2c4a1647

SHA1
ed2d509d777f7d2abd0dee1534b96666c5240aae

SHA256
81433791c34db006885f155206f02510d0577108089c812cc301bad6faabe614

SHA512
3d7b7a22be2e9c32c5999dacac0b9699e513dcffceba845c2728f7484b0b888bdbdfa2bb5bacafd7cd114c990d658badfab31ad6aeecc7210f6ece3d204cab06

Download Submit
C:\Users\Admin\AppData\Roaming\D2744\43DB.274

Filesize
1KB

MD5
4c10827c8d11d5358b84a97a581d450a

SHA1
42fff52cb5c85046dc9c2fd9ec9557d379aaeb0a

SHA256
63be0814033ad406d40f47c9ce84ef61c959eff4ae6c8528797e20dc22ad0a70

SHA512
ab67a862666456af7dcc83e7e61c147da92099e3d6faabbd105a42013cb2091a62d2cf8d60fd101997adf6fa4bf65ab589be672482d13ca34ce9b28068036811

Download Submit
memory/444-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/444-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1200-126-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4212-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4212-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4212-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4212-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4212-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4212-293-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing