cycbot | 73a7c36c46316077f8f6e26c4c0f095f65f19ce2d735851fdeea535dd860334f

General

Target

JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe
Size

180KB
MD5

42d8d4574b0560902ae5d4c1496cda10
SHA1

a9dd3edb68b369deed8799fec8fa7d6cbae4ae82
SHA256

73a7c36c46316077f8f6e26c4c0f095f65f19ce2d735851fdeea535dd860334f
SHA512

03ca6353de58fb966ae0d5b3bb3a1d86d6951878019fc36e638d878300423ad084d6882e410c3fdad06cceb2548c5669cf3dfa24907f32852ebb0505b7eee09b
SSDEEP

3072:n6VNvSDMdkeWP1CSmEp71GA3/0uhc5yIvckEIQnqoPtKV0Sp5ZdVOwR:6ZfybTmcGA3zhc5yIvcSsJtGjp5t

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2968-19-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/2156-20-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/2156-21-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/5064-149-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/2156-322-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2156-4-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2968-16-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2968-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2968-19-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2156-20-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/2156-21-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/5064-148-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/5064-149-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2156-322-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2968	2156	JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe	84
PID 2156 wrote to memory of 2968	2156	JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe	84
PID 2156 wrote to memory of 2968	2156	JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe	84
PID 2156 wrote to memory of 5064	2156	JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe	93
PID 2156 wrote to memory of 5064	2156	JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe	93
PID 2156 wrote to memory of 5064	2156	JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe	93

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe startC:\Program Files (x86)\LP\F9D4\59B.exe%C:\Program Files (x86)\LP\F9D4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2968
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe startC:\Users\Admin\AppData\Roaming\4483A\C41F9.exe%C:\Users\Admin\AppData\Roaming\4483A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4483A\AE7F.483

Filesize
996B

MD5
e8b58f695675e4b4c112364cb3500e35

SHA1
2a65b8258af6a87491a29d7ed213ab660e161f4d

SHA256
f9a35721bbecd2f22faa37938ce8bffadbd90089f4fd75f20e25b369d6f19366

SHA512
809b80005ac9e5a8c3d57e91fc75d09ee63acecef2b1d060289f1d5c7ca3bc59acd0ff0d011cc07598693f294fd78185ee8e5b865e61300948c0d30463bac362

Download Submit
C:\Users\Admin\AppData\Roaming\4483A\AE7F.483

Filesize
600B

MD5
695fd98ccdaf0a6d9aac0dcfae018df6

SHA1
40bdac35c86f4925ef4f6e11cde143e6889e4b83

SHA256
6529ea9a0613c842e720e9d987b0eb9a7ccf6da7d16d495fc5bcd64bc06f4ab2

SHA512
419592503ca0d7207b66d945c646ed1e8f7828f02b5647982ab3c49e4c7f823b7b3d100ba4aa5023b6430472edb828d3eaf7526f6492105f03fbaf657a4a6a3a

Download Submit
C:\Users\Admin\AppData\Roaming\4483A\AE7F.483

Filesize
1KB

MD5
9d668f336acdee60c2fff456a08b6d28

SHA1
2cc8f36c66dc3f917446a709a9dd2d84223c260e

SHA256
77e103283f99d883dc9312b711dc52a3edb2d26bfbd6c9612e846b9a8b63e9fa

SHA512
38d2e9c0f3fd9c0feac4caeaab6ef35b54550831d9a20c465dde0db0722772f7082b823e3623d7c13c0cb7e840eafc2642c2b368ca0993357ff82a53b2f4cc08

Download Submit
memory/2156-1-0x00000000758E0000-0x0000000075919000-memory.dmp

Filesize
228KB

Download
memory/2156-3-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2156-4-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2156-326-0x00000000758E0000-0x0000000075919000-memory.dmp

Filesize
228KB

Download
memory/2156-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2156-322-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2156-20-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2156-21-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2968-16-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2968-18-0x00000000758E0000-0x0000000075919000-memory.dmp

Filesize
228KB

Download
memory/2968-19-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2968-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2968-13-0x00000000758E0000-0x0000000075919000-memory.dmp

Filesize
228KB

Download
memory/5064-146-0x00000000758E0000-0x0000000075919000-memory.dmp

Filesize
228KB

Download
memory/5064-148-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/5064-149-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/5064-150-0x00000000758E0000-0x0000000075919000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing