cycbot | 634640d05939c5e3043a290eb6347fc027c88396ff3e84068bc9fd728322312b

General

Target

JaffaCakes118_4ca68bcb4f7534bda135b8c0faadb6de.exe
Size

175KB
MD5

4ca68bcb4f7534bda135b8c0faadb6de
SHA1

e369eff20ac6ced7b390d4b2ad3d12a7596f9d4e
SHA256

634640d05939c5e3043a290eb6347fc027c88396ff3e84068bc9fd728322312b
SHA512

71414ad7fa589f825c3fe82ed470b8496dc2a6b4c861060f019c6b5ba1356adf395faabb0658f6872d57aa1734773820092c259189ef1a8af8f76668859aa05d
SSDEEP

3072:MHPMWaUGlVVA7AimxbMe8g668A4Km+u+vnL3KAmH:OkWanNA7A1598/AqPSI

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4088-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4588-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4588-16-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/4580-126-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4588-305-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4588-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4088-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4588-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4588-16-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/4580-126-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4588-305-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4ca68bcb4f7534bda135b8c0faadb6de.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4ca68bcb4f7534bda135b8c0faadb6de.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4ca68bcb4f7534bda135b8c0faadb6de.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 4088	4588	JaffaCakes118_4ca68bcb4f7534bda135b8c0faadb6de.exe	84
PID 4588 wrote to memory of 4088	4588	JaffaCakes118_4ca68bcb4f7534bda135b8c0faadb6de.exe	84
PID 4588 wrote to memory of 4088	4588	JaffaCakes118_4ca68bcb4f7534bda135b8c0faadb6de.exe	84
PID 4588 wrote to memory of 4580	4588	JaffaCakes118_4ca68bcb4f7534bda135b8c0faadb6de.exe	85
PID 4588 wrote to memory of 4580	4588	JaffaCakes118_4ca68bcb4f7534bda135b8c0faadb6de.exe	85
PID 4588 wrote to memory of 4580	4588	JaffaCakes118_4ca68bcb4f7534bda135b8c0faadb6de.exe	85

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ca68bcb4f7534bda135b8c0faadb6de.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ca68bcb4f7534bda135b8c0faadb6de.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ca68bcb4f7534bda135b8c0faadb6de.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ca68bcb4f7534bda135b8c0faadb6de.exe startC:\Program Files (x86)\LP\9B9D\7C9.exe%C:\Program Files (x86)\LP\9B9D
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4088
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ca68bcb4f7534bda135b8c0faadb6de.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ca68bcb4f7534bda135b8c0faadb6de.exe startC:\Users\Admin\AppData\Roaming\D36DD\D2D9B.exe%C:\Users\Admin\AppData\Roaming\D36DD
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D36DD\D7EC.36D

Filesize
600B

MD5
ce870a4bfe779fb400269e8acd17db59

SHA1
d6de17e32014de8f86c284c01848b8bad05e814c

SHA256
99a1952e0cb463e6512b5191889c6c480f826b15b8d3e753948a02d7680ab591

SHA512
93d6440c91e517e266f8f92f82f0d97318a0b18c39807e955f82f0e39c7f700eea1e956c3658a8db4611617a25656842f5ba28c63cfc9b21be4cc0b183297995

Download Submit
C:\Users\Admin\AppData\Roaming\D36DD\D7EC.36D

Filesize
996B

MD5
342b64f15d62a8d45fe4702db5be03bc

SHA1
ae73a843a4712f6f94803d3a53306f37c45ce253

SHA256
cf58633465df6efc338348de0af4f95f31974a217f06103a40efb611a6e93f5a

SHA512
c42851d3fe72c82dd7d8016dba66c802e265e329514c440a2beef3c873af87464397059728feba5efa53beab010566e017d58622d921c6e355e54bedaaaa4def

Download Submit
C:\Users\Admin\AppData\Roaming\D36DD\D7EC.36D

Filesize
1KB

MD5
80858d112e2947a615ef7bda7c252a6b

SHA1
2b35ad066d8d3afe07b5b9872897d210830b3802

SHA256
55861430e25747269355c7b2648e449b8176ab8b131429f4c59aeb0bb9982026

SHA512
14288da605f090d83b3bf2ed681b3417705061d3d9acda09d09d5d35e4387e90d6050a2f06382d4823bcd1a5da6114a49c45dcd7fd8be4f2069101ab4cd15c74

Download Submit
memory/4088-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4580-126-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4588-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4588-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4588-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4588-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4588-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4588-305-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing