cycbot | 2dbfb33c7983dabc2d94ca0018661a0ac22f3fb212e13fcdc144f6a933bc3761

General

Target

d5eddf7321df60483dec4138d26e2118_JaffaCakes118.exe
Size

170KB
MD5

d5eddf7321df60483dec4138d26e2118
SHA1

3955158ee5711e9ce9cecc5f7146ef931254018e
SHA256

2dbfb33c7983dabc2d94ca0018661a0ac22f3fb212e13fcdc144f6a933bc3761
SHA512

3739d17a9e026618c5af6e2bd6b703b9b16cf8b1ea6ebbba0210df102434984c2ac1bb990cc2ea740af9d64b39168a6a8cba790857577a3ace2a0c66b74e4c9c
SSDEEP

3072:D2d9X4953BCnv+nbPyx/gKeGv6QyqV9ERa9zPdolLPE0wazbIL6TR:DUI9tTbxK/v2qrV9zPOlLPE/Y

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4756-10-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/1752-15-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/1752-77-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/2216-80-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/1752-173-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	d5eddf7321df60483dec4138d26e2118_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1752-2-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4756-8-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4756-10-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/1752-15-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/1752-77-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/2216-79-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/2216-80-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/1752-173-0x0000000000400000-0x0000000000444000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5eddf7321df60483dec4138d26e2118_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5eddf7321df60483dec4138d26e2118_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5eddf7321df60483dec4138d26e2118_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 4756	1752	d5eddf7321df60483dec4138d26e2118_JaffaCakes118.exe	82
PID 1752 wrote to memory of 4756	1752	d5eddf7321df60483dec4138d26e2118_JaffaCakes118.exe	82
PID 1752 wrote to memory of 4756	1752	d5eddf7321df60483dec4138d26e2118_JaffaCakes118.exe	82
PID 1752 wrote to memory of 2216	1752	d5eddf7321df60483dec4138d26e2118_JaffaCakes118.exe	87
PID 1752 wrote to memory of 2216	1752	d5eddf7321df60483dec4138d26e2118_JaffaCakes118.exe	87
PID 1752 wrote to memory of 2216	1752	d5eddf7321df60483dec4138d26e2118_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\d5eddf7321df60483dec4138d26e2118_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d5eddf7321df60483dec4138d26e2118_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\d5eddf7321df60483dec4138d26e2118_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d5eddf7321df60483dec4138d26e2118_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4756
- C:\Users\Admin\AppData\Local\Temp\d5eddf7321df60483dec4138d26e2118_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d5eddf7321df60483dec4138d26e2118_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\56AD.A6F

Filesize
1KB

MD5
e51cc57003e517d903ec66b46410e16b

SHA1
4068a3d16f5e0cdd48826b1388f3a57e94cd347b

SHA256
fcf1a61e6dc5e0b1e28188be13aa991d74d2817271cdb3d248689694359a1bd1

SHA512
e74dd88aa86d00dcaf3458c86bae50a05942d58a105dd8ac7bf3a7706e7bcadc3037bcc736403c27412542302066eac870e3a0dae875d698c5845f5ee7b07943

Download Submit
C:\Users\Admin\AppData\Roaming\56AD.A6F

Filesize
600B

MD5
b8fadef5af636f801a9187a56526f93c

SHA1
87b3146e07024005c1a7a654ee45af169a3d08ea

SHA256
99199ef1ca56c6989a45f7a2b339a8fd14887bc0fbbba8b827e2dc4de8b66165

SHA512
28b7d34e4324dc56a03794e068e23eca2fd263a7886bdb14bdfd642f9ef3428f6751ff5d377e10a1deb33925c1233d105cfb9029382b2e29b99293880fc7690f

Download Submit
C:\Users\Admin\AppData\Roaming\56AD.A6F

Filesize
996B

MD5
6899a6e7dc723ce2662d8ddc4db4214e

SHA1
f70ea73d939aa8fa18736645cd345b751631fa96

SHA256
5e580518947a7366f3a0f97b6e627160423bdb586c3a424ea0565d1d1dd66bd5

SHA512
5faf5f279553046fef0efa3e69ae3bf341268c89c89bbf2242c9383d4bbf5ae860163c2067dc9a10fef6e40216713dfeb1a5de958b56bc9aa9e05c1b0d614415

Download Submit
memory/1752-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1752-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1752-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1752-77-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1752-173-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2216-79-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2216-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4756-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4756-10-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads