cycbot | 9d00ba1cd833f56e0bdd585ebfeabf89636de6087b1d93596abea6a9cc24f606

General

Target

JaffaCakes118_4c278d66b47d9197115424721afe7994.exe
Size

188KB
MD5

4c278d66b47d9197115424721afe7994
SHA1

fddb144bac6a3b29115bd8db84473b4418d65fa2
SHA256

9d00ba1cd833f56e0bdd585ebfeabf89636de6087b1d93596abea6a9cc24f606
SHA512

447076bc2f4405f64f9f4968efc34e0203b4d2142b51b2a07b788e000ebf9f6379a86001157e63a4fb8e44a8e5ffbab164cacc68b0fb64293e014647e44731e0
SSDEEP

3072:qsZYLfA5WqAx6cXFSjTXnkH8rZhNT+ohPCXa3hLVxBhsS7d/i5LVK3100oPHNV0e:q5fA9Ax6+FS3nkHad+WVBugda5Lg31lw

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1312-13-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/316-14-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/316-15-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/2860-145-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/316-324-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/316-325-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/316-2-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/1312-12-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/1312-13-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/316-14-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/316-15-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/2860-144-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/2860-145-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/316-324-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/316-325-0x0000000000400000-0x0000000000454000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4c278d66b47d9197115424721afe7994.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 1312	316	JaffaCakes118_4c278d66b47d9197115424721afe7994.exe	84
PID 316 wrote to memory of 1312	316	JaffaCakes118_4c278d66b47d9197115424721afe7994.exe	84
PID 316 wrote to memory of 1312	316	JaffaCakes118_4c278d66b47d9197115424721afe7994.exe	84
PID 316 wrote to memory of 2860	316	JaffaCakes118_4c278d66b47d9197115424721afe7994.exe	90
PID 316 wrote to memory of 2860	316	JaffaCakes118_4c278d66b47d9197115424721afe7994.exe	90
PID 316 wrote to memory of 2860	316	JaffaCakes118_4c278d66b47d9197115424721afe7994.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c278d66b47d9197115424721afe7994.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c278d66b47d9197115424721afe7994.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:316
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c278d66b47d9197115424721afe7994.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c278d66b47d9197115424721afe7994.exe startC:\Program Files (x86)\LP\1B18\D85.exe%C:\Program Files (x86)\LP\1B18
  2⤵
  PID:1312
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c278d66b47d9197115424721afe7994.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c278d66b47d9197115424721afe7994.exe startC:\Users\Admin\AppData\Roaming\84B8C\6C81B.exe%C:\Users\Admin\AppData\Roaming\84B8C
  2⤵
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\84B8C\CC90.4B8

Filesize
996B

MD5
b455de4c564e5aa300871a83d286e464

SHA1
cfd928fbe34ec1e31d610d89f60e964e317bed32

SHA256
c380401253907ff593ae1e1f786afcfe1d1a65aebd209714342a3c1c348d52bc

SHA512
338ee0116084daa011f6c2017deae5b0a3374df278125b9a85bd92f5ac45e617c1b4d28065abb1f2bf1c99f049f626b2807228a8c60deab943f31cdbfb97338a

Download Submit
C:\Users\Admin\AppData\Roaming\84B8C\CC90.4B8

Filesize
1KB

MD5
c051bb180d6dc3dd08e07c138ae396ad

SHA1
dea1e037ae92d6a26e262213c668c216e1bf91e2

SHA256
d62133d3772dc104f63fe25dcd788a102a15bf39c5de39c631b5e5313cc57d7b

SHA512
0eecb367102e047b8353f049b449412c8db761d29dbc443a6b4d282ded81f7d2a0bbecedf69bbb13998ccd26e63f6c65b0a72abec1bb307090c7ce0e080b1879

Download Submit
C:\Users\Admin\AppData\Roaming\84B8C\CC90.4B8

Filesize
600B

MD5
e2cc65ab61864fda05a90d888b3cd07e

SHA1
e414190bb6db3b7c31902a0f5b606e038e23482a

SHA256
95cefc86efd68cb0dc06114a0c2c03e9c262aef238f51c98c7610de20f416ea2

SHA512
c706374b140a0570c15bc6cb3ea35658c1da6367e2a25c84f5e9bd8777f87536936e89257160db81a4c702bcb70a168a782b119f90a635a89e79e5fb7024c6d2

Download Submit
memory/316-2-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/316-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/316-325-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/316-324-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/316-14-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/316-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1312-11-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1312-13-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1312-12-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2860-145-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2860-144-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing