cycbot | a4b7f34d146d1aafe9275c39e73b55131dbd3d1cb2025b612aff85b13a1a8e64

General

Target

JaffaCakes118_70a7d9617402b6f535a6968c52cad98a.exe
Size

179KB
MD5

70a7d9617402b6f535a6968c52cad98a
SHA1

3d345b22752a8ee71a5cc30c032852da6f99a087
SHA256

a4b7f34d146d1aafe9275c39e73b55131dbd3d1cb2025b612aff85b13a1a8e64
SHA512

fc09064f2c8d5e0a7b42ce1fe14deca799df66ef4b57f16545711922a82ef8fc6f87fb59098bc6e5bc7d17a4d2c1ce7462085b3f3ddbd815082cd349b881c054
SSDEEP

3072:JPKGw2PCiOWtD3qTsBih0pCKDuGCI3Byl/hsT4l5iilPI:QGw2PCiOWdlBih0p015iw

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4512-14-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/3412-15-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/3412-16-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/4772-119-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/3412-286-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3412-3-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/4512-13-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/4512-14-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3412-15-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3412-16-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/4772-118-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/4772-119-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3412-286-0x0000000000400000-0x0000000000454000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_70a7d9617402b6f535a6968c52cad98a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_70a7d9617402b6f535a6968c52cad98a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_70a7d9617402b6f535a6968c52cad98a.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 4512	3412	JaffaCakes118_70a7d9617402b6f535a6968c52cad98a.exe	85
PID 3412 wrote to memory of 4512	3412	JaffaCakes118_70a7d9617402b6f535a6968c52cad98a.exe	85
PID 3412 wrote to memory of 4512	3412	JaffaCakes118_70a7d9617402b6f535a6968c52cad98a.exe	85
PID 3412 wrote to memory of 4772	3412	JaffaCakes118_70a7d9617402b6f535a6968c52cad98a.exe	88
PID 3412 wrote to memory of 4772	3412	JaffaCakes118_70a7d9617402b6f535a6968c52cad98a.exe	88
PID 3412 wrote to memory of 4772	3412	JaffaCakes118_70a7d9617402b6f535a6968c52cad98a.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70a7d9617402b6f535a6968c52cad98a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70a7d9617402b6f535a6968c52cad98a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70a7d9617402b6f535a6968c52cad98a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70a7d9617402b6f535a6968c52cad98a.exe startC:\Program Files (x86)\LP\70D9\CB8.exe%C:\Program Files (x86)\LP\70D9
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4512
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70a7d9617402b6f535a6968c52cad98a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70a7d9617402b6f535a6968c52cad98a.exe startC:\Users\Admin\AppData\Roaming\9A92D\BC270.exe%C:\Users\Admin\AppData\Roaming\9A92D
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\9A92D\D2F6.A92

Filesize
996B

MD5
7bcd5ea5d908ce976f88eb434eee9032

SHA1
b18e159d75f9b935722c870a2a8c69216f01a493

SHA256
fb18e0aae026ae4d00c26ad4b88cc583520af37449232d57940a66e9d414bb98

SHA512
b36be993d4cf7129f53c7fd665a92cb5bc19c0f0c47206bd37854b3d10359b180b7c40428f759b8ed1a1d33892909ebe49c6f04e4ee941d73808c4f00b453095

Download Submit
C:\Users\Admin\AppData\Roaming\9A92D\D2F6.A92

Filesize
600B

MD5
5ad6ec4116e237a141e16ebf6b6e2b94

SHA1
792063b28be8a8fa6f61ddd2782c0a766f2e25a8

SHA256
ccd0747744d1e079a5fb238d02ec824924ceea8cb39555cc4c6d6e074cc6a408

SHA512
f29f4cc1397c6b37e30fa54e0a571996bfc8670b09b6ff0ae6060d363145e4362fd5afde9b784ccf96b8eb3bd96989328eee272176fe5c1b12bc443f27e2c9ae

Download Submit
C:\Users\Admin\AppData\Roaming\9A92D\D2F6.A92

Filesize
1KB

MD5
c98fa041936a0de77419bc4e5dff627b

SHA1
e355c53915b1cb405ca8966976e0b2afb968161f

SHA256
709f59a03a1361ab9aec59dfadf73b680264eb2cfdaae777304fc6fbb4b307ff

SHA512
fe4565d8652dc11c2160e66212285f123e59bc3c9ceee3300956e78103c8dcd099a5c4dc6d286bcbb64b11d1681104af28347e6a2d3e56ad5c0736562d93d295

Download Submit
memory/3412-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3412-3-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3412-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3412-286-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3412-15-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3412-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4512-13-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4512-14-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4772-119-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4772-118-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing