cycbot | 78726bfb351e4abdf70f394a9762947ee88259b70b484992ddfc7cf7ebff3bce

General

Target

JaffaCakes118_75e206cec8611fd0d9bdb83cbf2bfe3b.exe
Size

180KB
MD5

75e206cec8611fd0d9bdb83cbf2bfe3b
SHA1

721952b7103c7d3f313a62614baa243f973548b0
SHA256

78726bfb351e4abdf70f394a9762947ee88259b70b484992ddfc7cf7ebff3bce
SHA512

34eee194e2c7e438e3170ba8517d8bea4c2ab23a5a6c17b64be695f41a42de761c7da2013adccbbd7ad3aec2018d68736d69fea9aed56d48c6335f49381f3bc1
SSDEEP

3072:TFO5ZdBY21g0/KslU8d3elH3FXXlYOd/SiRHwY8Ta50YihQWggcGF:TFcZs90CYUMclYCBRHwY8+GfSi

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1044-16-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4696-17-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4696-18-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/3996-146-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/4696-305-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4696-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1044-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1044-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1044-16-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4696-17-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4696-18-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/3996-144-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3996-146-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4696-305-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_75e206cec8611fd0d9bdb83cbf2bfe3b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_75e206cec8611fd0d9bdb83cbf2bfe3b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_75e206cec8611fd0d9bdb83cbf2bfe3b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 1044	4696	JaffaCakes118_75e206cec8611fd0d9bdb83cbf2bfe3b.exe	86
PID 4696 wrote to memory of 1044	4696	JaffaCakes118_75e206cec8611fd0d9bdb83cbf2bfe3b.exe	86
PID 4696 wrote to memory of 1044	4696	JaffaCakes118_75e206cec8611fd0d9bdb83cbf2bfe3b.exe	86
PID 4696 wrote to memory of 3996	4696	JaffaCakes118_75e206cec8611fd0d9bdb83cbf2bfe3b.exe	89
PID 4696 wrote to memory of 3996	4696	JaffaCakes118_75e206cec8611fd0d9bdb83cbf2bfe3b.exe	89
PID 4696 wrote to memory of 3996	4696	JaffaCakes118_75e206cec8611fd0d9bdb83cbf2bfe3b.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_75e206cec8611fd0d9bdb83cbf2bfe3b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_75e206cec8611fd0d9bdb83cbf2bfe3b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_75e206cec8611fd0d9bdb83cbf2bfe3b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_75e206cec8611fd0d9bdb83cbf2bfe3b.exe startC:\Program Files (x86)\LP\DDFF\317.exe%C:\Program Files (x86)\LP\DDFF
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1044
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_75e206cec8611fd0d9bdb83cbf2bfe3b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_75e206cec8611fd0d9bdb83cbf2bfe3b.exe startC:\Users\Admin\AppData\Roaming\FE34C\846DD.exe%C:\Users\Admin\AppData\Roaming\FE34C
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FE34C\CB6C.E34

Filesize
996B

MD5
35659d0306addc8b3d4c0e64c9f9d407

SHA1
b12419a627043aebb7a4e6cbf45ef27cfa7413ab

SHA256
23033cc4a80950f60a9b76892db01a31b03f385ff2e11dba65b9ac600eedb215

SHA512
ecd10620b6097b09b97899e96cbe0ca2625917d5fda40dee72d8df5fbd79a4fd22207f8844b7270d1bbbecda86291a8ac65fda378e4fb84e42a3f572d615d316

Download Submit
C:\Users\Admin\AppData\Roaming\FE34C\CB6C.E34

Filesize
600B

MD5
bc2612ae5692984acffd873cea3aad04

SHA1
0447527eeba4943a6f7051f9d0d85ea6b54770e8

SHA256
c1a70fced7416b9824f0ac213e3d3ce9fb1595aff46ad57d5eea5ffb5b933217

SHA512
a8a0950e85a8a2533b475e1a3d6994d300f325b0d7d31f5a0d89e872b75774176d22c97eb8b40ea2f09e8d4b5a1c286624e14014996bdd5f09fa8688ba30a7d0

Download Submit
C:\Users\Admin\AppData\Roaming\FE34C\CB6C.E34

Filesize
1KB

MD5
ea79857cdac35c3eb47afe000fb668f9

SHA1
8b41c68eebcb74d9dea6826cab5134be03782912

SHA256
9e472454f50a0b1b990481c2a1fe31ab994e47d6fedd304771733ef163691728

SHA512
d4401eca6ea6630cf01b8c0c6ffa91f4c291e7d48948a753ac1e23aba6434c140b4a21fe524de9b717e597cf11dc37dbb042a94600d48a5a9668f46ef3f230f7

Download Submit
memory/1044-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1044-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1044-16-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3996-144-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3996-146-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4696-18-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4696-17-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4696-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4696-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4696-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4696-305-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing