cycbot | ce69fc82fe74b2e45813d029d908d8ec4d5a788df80c823abe40e11f0a08325b

General

Target

d1cf59b3e6d7bc3cdd521e7158e65d20_JaffaCakes118.exe
Size

167KB
MD5

d1cf59b3e6d7bc3cdd521e7158e65d20
SHA1

baa2f928205102668cb27a8a4e3e6462850ae6d7
SHA256

ce69fc82fe74b2e45813d029d908d8ec4d5a788df80c823abe40e11f0a08325b
SHA512

d08501c0315956ff77dc084325550e198f845e64a32c69de63970ae87fc2740a0cfcfa9dd00ddf102fba8e2e3d60c4a146558662850880cb56d90ec444570f1d
SSDEEP

3072:1/JT+YPf75ysw4dB6eWth+WU8wTtNUFLwvPITiyTRbd0v0m:pJy+24dc7h+p8wwFZiSRbd6

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4872-13-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/3332-14-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/3332-79-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/2596-83-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/3332-203-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	d1cf59b3e6d7bc3cdd521e7158e65d20_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3332-2-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4872-13-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3332-14-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3332-79-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2596-82-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2596-83-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3332-203-0x0000000000400000-0x0000000000445000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1cf59b3e6d7bc3cdd521e7158e65d20_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1cf59b3e6d7bc3cdd521e7158e65d20_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1cf59b3e6d7bc3cdd521e7158e65d20_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 4872	3332	d1cf59b3e6d7bc3cdd521e7158e65d20_JaffaCakes118.exe	82
PID 3332 wrote to memory of 4872	3332	d1cf59b3e6d7bc3cdd521e7158e65d20_JaffaCakes118.exe	82
PID 3332 wrote to memory of 4872	3332	d1cf59b3e6d7bc3cdd521e7158e65d20_JaffaCakes118.exe	82
PID 3332 wrote to memory of 2596	3332	d1cf59b3e6d7bc3cdd521e7158e65d20_JaffaCakes118.exe	88
PID 3332 wrote to memory of 2596	3332	d1cf59b3e6d7bc3cdd521e7158e65d20_JaffaCakes118.exe	88
PID 3332 wrote to memory of 2596	3332	d1cf59b3e6d7bc3cdd521e7158e65d20_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\d1cf59b3e6d7bc3cdd521e7158e65d20_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d1cf59b3e6d7bc3cdd521e7158e65d20_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Users\Admin\AppData\Local\Temp\d1cf59b3e6d7bc3cdd521e7158e65d20_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d1cf59b3e6d7bc3cdd521e7158e65d20_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4872
- C:\Users\Admin\AppData\Local\Temp\d1cf59b3e6d7bc3cdd521e7158e65d20_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d1cf59b3e6d7bc3cdd521e7158e65d20_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5402.879

Filesize
1KB

MD5
ac02b95ba88fde530f93f795c0b8f5a5

SHA1
9289a01c85731a19e3bcc8a330ed96d7349585cf

SHA256
e0828fff99f73a9d275896dfb9f0c22c801e232d8fadfbd67d93fd6ba3ad91c1

SHA512
63c7ca1a0b9851757acb2346151f83f8e3c2f1baffc09fbb1fb93cb19ef981f0a59073b3e6bdcf4fe0a9a95a4c41d1403db5f8e45a9cc7b8204a8c783dd7c2e8

Download Submit
C:\Users\Admin\AppData\Roaming\5402.879

Filesize
600B

MD5
ad2bc5ed919bff953fa12e6b4c72b3b7

SHA1
3601fc394a02ce733bca98427510c3a2e15235ef

SHA256
2c3b9664de754141043ab237a993be1c5c5e9266eca7bbce56c5d6145793e96a

SHA512
1b19338407a0351697a54b5d109c572f81df118df40ef8023e87a20442e3d3e70b875c1b72c373bddd746cd5ef3336ce535e2c27564dfec81f25006fde0073f0

Download Submit
C:\Users\Admin\AppData\Roaming\5402.879

Filesize
996B

MD5
c9343f4e3bac3e1c52e582a0d3c0f41a

SHA1
7452ecd5d8340c9b4412cfde7fb55decf68e9c54

SHA256
c1e527d5b0fb27db7a1a9df576c845d5debf02b63622d6dbb83b91727b502ff2

SHA512
e31c2c58df3fb31955de61238288490c5702ba95868b9ba4116c67414c83ce849c13bea0a99edea62e2eb02ba3280c2f657512a6dc51ccb96242e9aaca24224f

Download Submit
memory/2596-81-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2596-82-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2596-83-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3332-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3332-2-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3332-14-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3332-79-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3332-203-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4872-13-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads