cycbot | 67bb091e1283a4cd1b0f081545c613f022c0bcc131d7abc7e77a9fa8941e3469

General

Target

JaffaCakes118_6e5cf8963444efe366f705609c2952b9.exe
Size

174KB
MD5

6e5cf8963444efe366f705609c2952b9
SHA1

52600f4cf68c7d94a023786277fa299e01e48a9e
SHA256

67bb091e1283a4cd1b0f081545c613f022c0bcc131d7abc7e77a9fa8941e3469
SHA512

c965cb93fdc207fee5de03214bac403af9f9eb3a1771864c43fdaf9df1bdc1851ba79a884c7faf80bf11e9b3690399ca69973432c30736a86382add73191c9b6
SSDEEP

3072:FpXkBisIqa2hkrLR9R6dMlL2s2IS0ZrwGLQQjifZGqcM9YJaRydAGAFfkxvfl8Fa:Fp0v6B9R62EDISSrpLQEM9XRy2Gw8vt

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2188-16-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/2068-17-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/2068-18-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/1740-138-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/2068-309-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2068-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2188-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2188-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2188-16-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2068-17-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2068-18-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/1740-136-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1740-138-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2068-309-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6e5cf8963444efe366f705609c2952b9.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2188	2068	JaffaCakes118_6e5cf8963444efe366f705609c2952b9.exe	82
PID 2068 wrote to memory of 2188	2068	JaffaCakes118_6e5cf8963444efe366f705609c2952b9.exe	82
PID 2068 wrote to memory of 2188	2068	JaffaCakes118_6e5cf8963444efe366f705609c2952b9.exe	82
PID 2068 wrote to memory of 1740	2068	JaffaCakes118_6e5cf8963444efe366f705609c2952b9.exe	83
PID 2068 wrote to memory of 1740	2068	JaffaCakes118_6e5cf8963444efe366f705609c2952b9.exe	83
PID 2068 wrote to memory of 1740	2068	JaffaCakes118_6e5cf8963444efe366f705609c2952b9.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e5cf8963444efe366f705609c2952b9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e5cf8963444efe366f705609c2952b9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e5cf8963444efe366f705609c2952b9.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e5cf8963444efe366f705609c2952b9.exe startC:\Program Files (x86)\LP\2980\E92.exe%C:\Program Files (x86)\LP\2980
  2⤵
  PID:2188
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e5cf8963444efe366f705609c2952b9.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e5cf8963444efe366f705609c2952b9.exe startC:\Users\Admin\AppData\Roaming\07AE9\B5429.exe%C:\Users\Admin\AppData\Roaming\07AE9
  2⤵
  PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\07AE9\90F2.7AE

Filesize
996B

MD5
b9b06c7e6a8f94d800a90c6669cc9f70

SHA1
a6f5f1da4c7fdfcc77c2b4651b38f984526367be

SHA256
29d29bd19b70a57f4920336a3416b3c35bf73798b6ed20dd93511c1b4b73db71

SHA512
3e1c5b0fc377ca84847abdab227b54900f56fbcf54be1e1503f1cf7acdd8d455b535ca40cef505b44fe202dce553e14dac0254429838dcac322885c47f3008fd

Download Submit
C:\Users\Admin\AppData\Roaming\07AE9\90F2.7AE

Filesize
600B

MD5
a701a61e79e86a0ac3e98c6181c59a04

SHA1
16e4a2f6ad7de2f6b3fd293d131705bbf6c3823c

SHA256
4f4e4fb6f865a194823a75700d8f8927c9d40f0acebb070d5c43c505a4aca026

SHA512
c8d8300645795eee5cc983d0f0f61a8fbfbe659204565a2ad302e254b67fade952a48f9220e4958e978bb506d828368828e287e7db60943b157d7340c1dbf523

Download Submit
C:\Users\Admin\AppData\Roaming\07AE9\90F2.7AE

Filesize
1KB

MD5
bdafeefedfe0f49c8bc7cebf40b90667

SHA1
743af3e7902b6d3082fdbb77e6bcf4e16c603c74

SHA256
5583c69bb59ecb5236879b6d6fc359e0aa30566b61c74796365589c9801151d5

SHA512
72d079f9b778141938abd57da7406cb2971ddacd08a28b5766864a8fdb70ea0ebd0a8ed56499e2a693897e5c24a205623883b163d417a8d20c84658392f194d0

Download Submit
memory/1740-138-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1740-136-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2068-17-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2068-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2068-18-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2068-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2068-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2068-309-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2188-16-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2188-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2188-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing