cycbot | 67880949a839dbe013c3835d2ae13346c6e04cf7c905a4b369b5a22ad724c5ab

General

Target

JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe
Size

175KB
MD5

77f507f18e64b9ffe1ae0aee298d0da0
SHA1

dffa6a73b70db4339ad1277b285d407b94c5cf58
SHA256

67880949a839dbe013c3835d2ae13346c6e04cf7c905a4b369b5a22ad724c5ab
SHA512

9bb7e8182f965bb743daa6bafd2f57a52f12c71f2d4956ca3d99eafe3cd9a71eab79322ac4cfc51e73c42e1030c110ce72aa287045622026a7cf02d45733d31a
SSDEEP

3072:dud6rklJ9W8wwstPRhJ5mM38xVicj3EvRvrLp8VyFIzLiJ:dudLVW/pRGoKEJ/p8V2Iq

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2712-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1920-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1920-16-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/3644-118-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral2/memory/1920-285-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1920-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2712-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2712-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1920-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1920-16-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/3644-118-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1920-285-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 2712	1920	JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe	86
PID 1920 wrote to memory of 2712	1920	JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe	86
PID 1920 wrote to memory of 2712	1920	JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe	86
PID 1920 wrote to memory of 3644	1920	JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe	87
PID 1920 wrote to memory of 3644	1920	JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe	87
PID 1920 wrote to memory of 3644	1920	JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe startC:\Program Files (x86)\LP\0F4E\C00.exe%C:\Program Files (x86)\LP\0F4E
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2712
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77f507f18e64b9ffe1ae0aee298d0da0.exe startC:\Users\Admin\AppData\Roaming\ECD0A\D8F0F.exe%C:\Users\Admin\AppData\Roaming\ECD0A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ECD0A\A364.CD0

Filesize
996B

MD5
9f9a90be72e9657b177d4356e0acc1dc

SHA1
70259405a15061fd26a7d33f7016a606d741ecbd

SHA256
e439a3257c67a4eae26d199e51cf4547ae0653bb1a0f5ccfbb3049783f5bc17d

SHA512
3fc11ac7faf20672f809792c09890cdab85420d610021337f86c269024bc8a68e66d4700f77617603d2facf72e94ac4aa29938f210c487bca9a2609cc22933b1

Download Submit
C:\Users\Admin\AppData\Roaming\ECD0A\A364.CD0

Filesize
600B

MD5
40aba79b2311ab89c138f6bde334424a

SHA1
6818ce58e3a53edf3aa9f878a65c262a06d0d740

SHA256
a711f0f8dc7f35d34fb5aa87e07752025d79593c9300273867cf04d3af76bc12

SHA512
8e0c513c81e04f8af8f016462dbd9369d1508c138602a441fc81f5a16aca1dc1661882a57e87bfd955f81e58bfd95cf7cf9970884aa9ee65908c66ad311dd5b7

Download Submit
C:\Users\Admin\AppData\Roaming\ECD0A\A364.CD0

Filesize
1KB

MD5
45c04b15642c60672fee99d1bc498c06

SHA1
f0bb78c1776ebd57d09bb318276e66374dfa8b77

SHA256
fd4daad2491c237b35c4b1e4e3611e42a001054d1a5b2e5f3f6997b89ebb82c8

SHA512
aa25b0364bd784b6fc67ee911124077667c2e6bf4bce6459bc09faad78d4cc339af5c2f457b67b1313e7003d5476a8d372ebb635c1dd49422ce8c6241bd45d32

Download Submit
memory/1920-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1920-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1920-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1920-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1920-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1920-285-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2712-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2712-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3644-118-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing