cycbot | 0fe6a7d56da95f7fc6941f1a0ca462c2be1524bb2a999e5909bed73deeed7459

General

Target

JaffaCakes118_38d0284f390540324bad53f4fd6a723c.exe
Size

192KB
MD5

38d0284f390540324bad53f4fd6a723c
SHA1

205654b5fe6e8ea6379fb0c02ac801515e9124ed
SHA256

0fe6a7d56da95f7fc6941f1a0ca462c2be1524bb2a999e5909bed73deeed7459
SHA512

732095c4ad9e541931f83113b26d28bf8e9059a5a4ba03c8be866b9df6abd469504995b49e08cd1183a785b77a76fc23daa6ee687e79c3a84000b0fc04bf6e46
SSDEEP

3072:SWtfAwfqNrriq/WkhtqLkiWWxw7R/zr/FJt/XqDXdl+sPT9troqn:XXqJriG7htgT0BJJtCdQsb9tr/

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/916-9-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/2548-14-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/1436-86-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/2548-188-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/2548-199-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2548-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/916-8-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/916-9-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/2548-14-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/1436-86-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/2548-188-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/2548-199-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_38d0284f390540324bad53f4fd6a723c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_38d0284f390540324bad53f4fd6a723c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_38d0284f390540324bad53f4fd6a723c.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 916	2548	JaffaCakes118_38d0284f390540324bad53f4fd6a723c.exe	82
PID 2548 wrote to memory of 916	2548	JaffaCakes118_38d0284f390540324bad53f4fd6a723c.exe	82
PID 2548 wrote to memory of 916	2548	JaffaCakes118_38d0284f390540324bad53f4fd6a723c.exe	82
PID 2548 wrote to memory of 1436	2548	JaffaCakes118_38d0284f390540324bad53f4fd6a723c.exe	88
PID 2548 wrote to memory of 1436	2548	JaffaCakes118_38d0284f390540324bad53f4fd6a723c.exe	88
PID 2548 wrote to memory of 1436	2548	JaffaCakes118_38d0284f390540324bad53f4fd6a723c.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38d0284f390540324bad53f4fd6a723c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38d0284f390540324bad53f4fd6a723c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38d0284f390540324bad53f4fd6a723c.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38d0284f390540324bad53f4fd6a723c.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:916
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38d0284f390540324bad53f4fd6a723c.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38d0284f390540324bad53f4fd6a723c.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C19C.C42

Filesize
300B

MD5
a3ff4a33fe4b6ea357be924b249d521c

SHA1
55faee9dcfc36c833f05069d012f3c8199463d05

SHA256
bf544ddf76c3bc9e54ffec8087e0056b26fa24ca267f55ef25924e1f2ea306e4

SHA512
f45c81dd38b9137f7c399765643c0fd7eba914e90c4a76836d28f6f8d2c5a356af8c31102acafc721ffc80e6fbabe302f5ef1872ab4d675a8b334a98fc8ce2c4

Download Submit
C:\Users\Admin\AppData\Roaming\C19C.C42

Filesize
1KB

MD5
de4b6be38630dac8671f1caced92243b

SHA1
5b83d7caaf1cb7fdb236c40467f2867e92cc85d8

SHA256
cef1fe97a639702b885467d9394b2d99c8608cc1204839006d2c46f0f62d0132

SHA512
c40078556147ad538ab3b6f08977f1ae93c230c5209f1668b9ca0b7a68cf09ede08d4674e47ff3d97d74dc00626d8ad5645f526a6492e02f4666a104dc5661a5

Download Submit
C:\Users\Admin\AppData\Roaming\C19C.C42

Filesize
600B

MD5
fa74d681dab244b59b1cc863deebdf56

SHA1
6f1be59a856791be6b314f6e5c4f68cff2760e88

SHA256
b14e17e76fa242d05fe762c8a37236c330cf5f0615ee3b5f81606ce74bab4b68

SHA512
56964db83d361c164dacb1f7a316191b8fc1dc6075e0cbcf47c90e424f24bf3105d95ee800eec11901e97ff711c8ba949e603ef6b8f26c9ed5c762df1aad5f2e

Download Submit
C:\Users\Admin\AppData\Roaming\C19C.C42

Filesize
996B

MD5
74ce977cd265006beaf6860bbc9b5f36

SHA1
570801eaeb9fa3906cb69a19f61c9e4d53998933

SHA256
ae648795541246f4c35df3c2826a63bf3fea4fe81c78ce66a1e3e3e2eb8f51c7

SHA512
d21fb80be56ae979dad381708e8d72823f9b86c96148911af80794485aa0dc2d05f67bb90ede6f5958d8b36f6b143761d897965cd2d96f22a2e0760637a8f909

Download Submit
memory/916-9-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/916-8-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1436-84-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1436-86-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2548-14-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2548-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2548-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2548-188-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2548-199-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing