cycbot | f65d146960c31b04aaa3afa964e957c8dfc8d476d53280c54713b58c50eafe23

General

Target

JaffaCakes118_36f44fbf3c1845de44bc0816190ba5a6.exe
Size

182KB
MD5

36f44fbf3c1845de44bc0816190ba5a6
SHA1

7ed6c1c16616cef32acb38c505d51077de238828
SHA256

f65d146960c31b04aaa3afa964e957c8dfc8d476d53280c54713b58c50eafe23
SHA512

5097c800fdeb20f054c74059b699c3f760c1bb9a367e62f74d99c242d1e415c2664a86fafd19a5f3ab4edcc4830e0564dd0758b31cab316029fe5f0a69c4c6d2
SSDEEP

3072:/MN3yNiVhbXh4soqvuv+EW5dU1yhOLcr28jCCiLdeZtXfEmZl3lY+r:/M0NYhbx4bouv+bsL0Fj/fEG3lYE

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4348-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1656-15-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/1656-16-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/3624-123-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1656-272-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1656-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4348-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4348-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1656-15-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/1656-16-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3624-123-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1656-272-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_36f44fbf3c1845de44bc0816190ba5a6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_36f44fbf3c1845de44bc0816190ba5a6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_36f44fbf3c1845de44bc0816190ba5a6.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 4348	1656	JaffaCakes118_36f44fbf3c1845de44bc0816190ba5a6.exe	86
PID 1656 wrote to memory of 4348	1656	JaffaCakes118_36f44fbf3c1845de44bc0816190ba5a6.exe	86
PID 1656 wrote to memory of 4348	1656	JaffaCakes118_36f44fbf3c1845de44bc0816190ba5a6.exe	86
PID 1656 wrote to memory of 3624	1656	JaffaCakes118_36f44fbf3c1845de44bc0816190ba5a6.exe	89
PID 1656 wrote to memory of 3624	1656	JaffaCakes118_36f44fbf3c1845de44bc0816190ba5a6.exe	89
PID 1656 wrote to memory of 3624	1656	JaffaCakes118_36f44fbf3c1845de44bc0816190ba5a6.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36f44fbf3c1845de44bc0816190ba5a6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36f44fbf3c1845de44bc0816190ba5a6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36f44fbf3c1845de44bc0816190ba5a6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36f44fbf3c1845de44bc0816190ba5a6.exe startC:\Program Files (x86)\LP\D04B\F88.exe%C:\Program Files (x86)\LP\D04B
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4348
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36f44fbf3c1845de44bc0816190ba5a6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36f44fbf3c1845de44bc0816190ba5a6.exe startC:\Users\Admin\AppData\Roaming\BCAD1\6F8D0.exe%C:\Users\Admin\AppData\Roaming\BCAD1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\BCAD1\1B92.CAD

Filesize
996B

MD5
9fb08017cc3491c3ff8c2297d4ca8dd6

SHA1
4f1eb87e3eeb4e787fadf7d0ff49f60be6d56727

SHA256
952d9c0f547dc73235a51a90799e77d42b5342592afc465cc913596d85ee5ad8

SHA512
190be2b8a79f66bf59d6ce772440aa401e601cd204d32d3fe379d9c887a1400bc9c5951e63a093d9e41880dcf0d8f9c3ff506cdd44e9e04610cd46e71c6a2c3b

Download Submit
C:\Users\Admin\AppData\Roaming\BCAD1\1B92.CAD

Filesize
600B

MD5
364008c00e23a3abfa7db6921c8a2142

SHA1
6a958f6757834c273c761385f3ae91bc62bbb88d

SHA256
fa424eacdd46bf5561378c0053eb2f8df7ea36b51b4ad6c373007f093a23a6d6

SHA512
544c2da09c3ddd235afdceda72fe26a2196e2f8c43b5edabe5386e310680d200051406c967eeb21474a64e2a0cefdafd7bd4a6370db24d0ff7d8b4fbc7a72a3b

Download Submit
C:\Users\Admin\AppData\Roaming\BCAD1\1B92.CAD

Filesize
1KB

MD5
ea2e460a3c2552b26599267ff6fd736d

SHA1
f30c6917ed15399d98cff05c892b72fd74409258

SHA256
11f971342066bcef2286813ed0b5e2019e1bc5e89a261bb03f84ea1fdea90661

SHA512
686f1412eb8e5517ac805bc9eaadf092033b0f77bc743282eb35259f7ebf8d7dba2fd71f524185915e7887840da92f08d54a766cfd36f2f8300061318846f2e1

Download Submit
memory/1656-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1656-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1656-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1656-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1656-16-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1656-272-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3624-123-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4348-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4348-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing