cycbot | e66ac22a3de7d5d971c77dae5623c815cc53ab99ffebfb014ac26cd0aea2ab9b

General

Target

JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe
Size

180KB
MD5

210d758e01ef8a01a0808a94f0d4d8dd
SHA1

29315f7d862cbfe3eca53ece971dfb338bb21c77
SHA256

e66ac22a3de7d5d971c77dae5623c815cc53ab99ffebfb014ac26cd0aea2ab9b
SHA512

19e3c21099795f421e0fc39025ca5d6482ba1b6477f3b98b87ea758284dd0c08f34059363c1796ca677638342917293ee89f183eab4bd1d47e361dbf2a436747
SSDEEP

3072:p2WY9uNKKyWxchDvfSBmlQ+guC6VSUCIeKEdz8X09zS7gaYAUd:p21uNKKyWKxymlQ+ynGEdYX0S7gaYn

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3000-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1628-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1628-16-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/3520-130-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1628-293-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1628-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3000-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3000-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1628-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1628-16-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/3520-130-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1628-293-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 3000	1628	JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe	84
PID 1628 wrote to memory of 3000	1628	JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe	84
PID 1628 wrote to memory of 3000	1628	JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe	84
PID 1628 wrote to memory of 3520	1628	JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe	93
PID 1628 wrote to memory of 3520	1628	JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe	93
PID 1628 wrote to memory of 3520	1628	JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe	93

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe startC:\Program Files (x86)\LP\F9DF\348.exe%C:\Program Files (x86)\LP\F9DF
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3000
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe startC:\Users\Admin\AppData\Roaming\FF72C\B38F9.exe%C:\Users\Admin\AppData\Roaming\FF72C
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FF72C\C935.F72

Filesize
996B

MD5
344051ee38b5a9d31f4a724ba2f3ac8d

SHA1
0d8b944c16d691626456cf14e712691d49123319

SHA256
541c50f73765e9bb3fd76af29f6a843ecaf242b16e1b013e73069d0703666e33

SHA512
152f31ccc63cb87bd3e79cbe67ee2c72d07194085b50e0f318698ded18954e817fdcdf4561fd06bdac98f11ea6a1a7705b1f1f13f30204c8497f7d5f4312bd02

Download Submit
C:\Users\Admin\AppData\Roaming\FF72C\C935.F72

Filesize
600B

MD5
b33a256be07b7a56d82e38c658f648da

SHA1
502fc4575b7b77c77ce21d8903b160b02af9ec2a

SHA256
b1d741577fef2a27bd797ee9fbdd062e11ff1eb685ae7111b4000c13095f92d0

SHA512
197a408953d610df3714b15dff1a266aa2608b669ed6d0f7917ba2f9ff4dde418520925e89b3c6712ec2c25de74f8c94920e7a0a9e012835e8d7772fcb20f59d

Download Submit
C:\Users\Admin\AppData\Roaming\FF72C\C935.F72

Filesize
1KB

MD5
002138951b5d0ad803239deef6245d55

SHA1
45b950b0320fc09c93de8f9e28c397a53b379236

SHA256
ea1322b038020f064566596ac71a03fdd5c2b44d92ed40a4b55214d66cc1c304

SHA512
48c551a08817a2ff37e88356fb1d45977dcd0048f41265f6f93fda2f7c5f19c5b78838b2931c5bca61ae592595da86c087b1ee1f307e43d63e87e5f342990df0

Download Submit
memory/1628-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1628-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1628-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1628-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1628-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1628-293-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3000-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3000-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3520-130-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing