cycbot | 5bc8dfe80776ee3b9a43500a2332ae4c7e19b766e894c36261e2c1fffc694dd3

General

Target

JaffaCakes118_9e8caf3bf7ac36b748ed722091c2b164.exe
Size

184KB
MD5

9e8caf3bf7ac36b748ed722091c2b164
SHA1

6dfedbdfdd56e223941f48a784c19b3cf04e1356
SHA256

5bc8dfe80776ee3b9a43500a2332ae4c7e19b766e894c36261e2c1fffc694dd3
SHA512

b4a78d04295c625cbb7de25f03277026ae279071047bb873b74cb5e1c6ddf3d42d0fe22bad6a2df0d64cafa38152a37bb3e609a762aaca365ed03aba5008631a
SSDEEP

3072:4M1BRkx/qI9KN1DbpEAZ/yf496Qh+Yb/jzSlJLJkcqiAzz5MnG8lltxPBJ3wRVVp:4M7e5l6lyAAVQjMdKziG0ltZ/+VVFTRF

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/4876-12-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2456-13-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2456-14-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/1836-115-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2456-282-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2456-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/4876-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2456-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2456-14-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1836-115-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2456-282-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9e8caf3bf7ac36b748ed722091c2b164.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9e8caf3bf7ac36b748ed722091c2b164.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9e8caf3bf7ac36b748ed722091c2b164.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 4876	2456	JaffaCakes118_9e8caf3bf7ac36b748ed722091c2b164.exe	94
PID 2456 wrote to memory of 4876	2456	JaffaCakes118_9e8caf3bf7ac36b748ed722091c2b164.exe	94
PID 2456 wrote to memory of 4876	2456	JaffaCakes118_9e8caf3bf7ac36b748ed722091c2b164.exe	94
PID 2456 wrote to memory of 1836	2456	JaffaCakes118_9e8caf3bf7ac36b748ed722091c2b164.exe	98
PID 2456 wrote to memory of 1836	2456	JaffaCakes118_9e8caf3bf7ac36b748ed722091c2b164.exe	98
PID 2456 wrote to memory of 1836	2456	JaffaCakes118_9e8caf3bf7ac36b748ed722091c2b164.exe	98

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e8caf3bf7ac36b748ed722091c2b164.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e8caf3bf7ac36b748ed722091c2b164.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e8caf3bf7ac36b748ed722091c2b164.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e8caf3bf7ac36b748ed722091c2b164.exe startC:\Program Files (x86)\LP\C370\72D.exe%C:\Program Files (x86)\LP\C370
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4876
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e8caf3bf7ac36b748ed722091c2b164.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e8caf3bf7ac36b748ed722091c2b164.exe startC:\Users\Admin\AppData\Roaming\0F243\3D8C3.exe%C:\Users\Admin\AppData\Roaming\0F243
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0F243\3BF3.F24

Filesize
996B

MD5
8fa0a5ddb44ec750aab696360b56b16e

SHA1
96d2a72f64d79f24b971cad2777574f91358318c

SHA256
f3f8e78f4643710c6291c63cbf5bb724d7cf830041394d2d64d4a0287eb617b7

SHA512
09482b24a1d39d2849f1528d15d82bd198f15df0680f98612f0301d20e14e63d61d907ef5146bc16cda16b4ef7e753cf84ab586becdc4c1cbc2bc1963e061df9

Download Submit
C:\Users\Admin\AppData\Roaming\0F243\3BF3.F24

Filesize
600B

MD5
06967a377ebe42df6acc928ae169e75c

SHA1
6736fd59e12ec08c79ff2ee22c529cd70da20210

SHA256
37aadb1f3bbb82631f54f9eda63cb08ddd2ddbffb1613bee59d89bfe2e6302db

SHA512
ca9f92a4bd8d4842fd8d21c04fea9bab19eb3b1afcee619526556168dd7107660528153ccedb5f2423164c2e86b858b30d4f9cf2c20d2d127a60083b45676935

Download Submit
C:\Users\Admin\AppData\Roaming\0F243\3BF3.F24

Filesize
1KB

MD5
a4c06307662d042efafa534288577899

SHA1
76fc767eb32c7eb5081e4a69a0ed9e82b358311e

SHA256
51fcb94738bd53f6546f8b6c6baf71e29a8fc44d3274b37616e8d8fe113a8782

SHA512
737ded19c9a858770c1fafd7f94d245c53b7cbe4a5e7b9e475016392c040017528cb12ab473c4ee0353dff997bbf83c075f1df59bcb636afdbf5a56adf05e909

Download Submit
memory/1836-115-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2456-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2456-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2456-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2456-14-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2456-282-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4876-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4876-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing