cycbot | 0c3dbf68572d567efb371ddcae62f7d46d61b521229f25e5a4ab7d0fe8d2f05f

General

Target

JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe
Size

191KB
MD5

6ae4a2ceb9f9f1ed673bfec8dd83b395
SHA1

c19c873e6e8c47ec55f528cd07c25e451276c79a
SHA256

0c3dbf68572d567efb371ddcae62f7d46d61b521229f25e5a4ab7d0fe8d2f05f
SHA512

a9fdeeaf451318e2285ef651d3330e3d65694813d1f77dcc6c32f72e794838c9ad2168b2a86d5a65c0bc28dbbcb8500e0653c7a83bd646d6d5be40bed1d0d723
SSDEEP

3072:OknNn5Ur+pyqj1LWr289k2ipEADxj8t5UK8CAxVOOA4JIA/QdEfFvLeb:TnN5ZHorLH7ADxj8t5eCAxVOOyA/EEte

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2868-13-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/2944-50-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/1748-108-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/2944-191-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2944-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/2868-12-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/2868-13-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/2944-50-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/1748-107-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/1748-108-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/2944-191-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2868	2944	JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe	85
PID 2944 wrote to memory of 2868	2944	JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe	85
PID 2944 wrote to memory of 2868	2944	JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe	85
PID 2944 wrote to memory of 1748	2944	JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe	87
PID 2944 wrote to memory of 1748	2944	JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe	87
PID 2944 wrote to memory of 1748	2944	JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2868
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\54D7.BB7

Filesize
996B

MD5
12e18f71ade458c30c04656f8f8a1799

SHA1
02c4685aa462fa8b1dcc92cccd16eb9b0bd60d8e

SHA256
351592164e6c594790002c880451f9a096e3583df31e78ac0866e00560745dae

SHA512
964f71c93a8cdfe265a49295edc8d35156a3756ee343e698f317071a024b6ede55c5ab37cd891f409a73b89c4cc6d845055af9e1b7ec01bafedbb1540a9cdb47

Download Submit
C:\Users\Admin\AppData\Roaming\54D7.BB7

Filesize
600B

MD5
c8baba9455c974f75de541d6ee449a56

SHA1
8f74f68dcd02219b02b8fc7d7db14a0f965abc8d

SHA256
25c215036e3c4268fd9cec05f5b62227c2e6d4432ae374e2cfdb2a501130e315

SHA512
ba9e5aba212ab9522aec5a0845e385d762ab490cf78c71d283ee74d94ab16e8e62ca4c18ea2be447e6ebf2e0cc7bb05de127863bbfe929a36c4e6c1a6c01155a

Download Submit
C:\Users\Admin\AppData\Roaming\54D7.BB7

Filesize
1KB

MD5
483acf9c8e7aa8e6d7a525f6c805e9b8

SHA1
b65293e06c733845c44d3066c06c1295937b8bdf

SHA256
132d08587988344201a554c737d7bc555133b77300c18ea3ad2675e138b61516

SHA512
48317b6d4e86e42be6cc2a957a70faf97017ccf87e0aad7ed63900557622bf36a969acc27bbbcfd30dc9e05ee2d1f3bbae098fdaa478c728e8917e7eb35d1cbb

Download Submit
memory/1748-107-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1748-108-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2868-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2868-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2944-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2944-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2944-50-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2944-191-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing