cycbot | b06f7633690cf1c64abf8a07626a25dccde2fc0913e76b273223e48510e99714

General

Target

da6bda82442c8b13e68b57dcb90d2ceb_JaffaCakes118.exe
Size

165KB
MD5

da6bda82442c8b13e68b57dcb90d2ceb
SHA1

95a6b4f45e5d7c9907fd0640bfe9396a50728859
SHA256

b06f7633690cf1c64abf8a07626a25dccde2fc0913e76b273223e48510e99714
SHA512

fb6f7afa4a2f2067ab4eb1cffdf88ec1d02d92abbb5e38a17c3e8d85534c05730e2f53f8a17a966a6eeb47a4361496d9caf96d016c20152afdda5c4dd5afe6ec
SSDEEP

3072:gYur0TXmLDldYfHJwsC6t4u0GotCyqVfYzUpWjxVhRx5HLniwMIE3:gYUs2LDl/sC6njEqWzpJzMIE3

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1200-13-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/4436-14-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/4436-86-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/5012-88-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/4436-203-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	da6bda82442c8b13e68b57dcb90d2ceb_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4436-2-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1200-12-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1200-13-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4436-14-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4436-86-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/5012-88-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4436-203-0x0000000000400000-0x0000000000445000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da6bda82442c8b13e68b57dcb90d2ceb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da6bda82442c8b13e68b57dcb90d2ceb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da6bda82442c8b13e68b57dcb90d2ceb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 1200	4436	da6bda82442c8b13e68b57dcb90d2ceb_JaffaCakes118.exe	82
PID 4436 wrote to memory of 1200	4436	da6bda82442c8b13e68b57dcb90d2ceb_JaffaCakes118.exe	82
PID 4436 wrote to memory of 1200	4436	da6bda82442c8b13e68b57dcb90d2ceb_JaffaCakes118.exe	82
PID 4436 wrote to memory of 5012	4436	da6bda82442c8b13e68b57dcb90d2ceb_JaffaCakes118.exe	83
PID 4436 wrote to memory of 5012	4436	da6bda82442c8b13e68b57dcb90d2ceb_JaffaCakes118.exe	83
PID 4436 wrote to memory of 5012	4436	da6bda82442c8b13e68b57dcb90d2ceb_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\da6bda82442c8b13e68b57dcb90d2ceb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da6bda82442c8b13e68b57dcb90d2ceb_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Users\Admin\AppData\Local\Temp\da6bda82442c8b13e68b57dcb90d2ceb_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\da6bda82442c8b13e68b57dcb90d2ceb_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1200
- C:\Users\Admin\AppData\Local\Temp\da6bda82442c8b13e68b57dcb90d2ceb_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\da6bda82442c8b13e68b57dcb90d2ceb_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D56E.6B1

Filesize
1KB

MD5
bae6bd7af22d692df855b51baa582ec5

SHA1
1b65f999805a2aa3e1d4805239bce37330e05850

SHA256
31f548f9c75a48611b58885a723bfa42ec0fc28b50d3837723d03bc16ba39c09

SHA512
5d5cacf91765c9882d234ec27d73e5bf62f14c47d62a22def1b9f7d520cc6176f0dd50226aa37b745671ad98ebcb766a743d89d5354a158dadc8ddc8702d3073

Download Submit
C:\Users\Admin\AppData\Roaming\D56E.6B1

Filesize
1KB

MD5
1a1e3d6e3c9e7481d079bd5da01caa58

SHA1
328b836a380fda90365e84a603421eac876692a4

SHA256
31f174d30a8f7423651591eedffa1cf4d885f25be99d201e91b97b3ca01581cb

SHA512
fdd91a201be2b40825eddc29d3355ea199bdb604eefece6d3132a418d1e3cf6fdc3812e40ae4cebcda46bbf31fd3a8e17b976306ac22586fbf2ed3923af18780

Download Submit
C:\Users\Admin\AppData\Roaming\D56E.6B1

Filesize
600B

MD5
037e25bf250c39f11c38fa21599db89f

SHA1
c928c91aef2850a7c9981672c0d19bda2a9af24d

SHA256
b79a1267e8e7e7b603b35c8e429e1ec1fee3dbd2737085d8f44f360e87767add

SHA512
c2d9ebd39e83860c152adb80daf7864ef59b9b040d5730b035086587b22788a821cedfb102ac2d188c7ed4686bcdaeb32ab32add4a010d0bd158450fc4c27eb7

Download Submit
C:\Users\Admin\AppData\Roaming\D56E.6B1

Filesize
996B

MD5
b208f08d435eac6f8b01326ced9b23a5

SHA1
77d29b7bce5a7e19854ba38202aae9f436587b47

SHA256
69950ab018bfd8c7f6659c141f59eed8488ed5fc9f629c61c77147cdc766f9aa

SHA512
e439bd6f8768fe73f2d0549908b6e439f7f37c41815f86694be5b49c90462a405c871074e2bd22ff4cfea6cf451732c168382e9ebae169ded5414a5c16130f6d

Download Submit
memory/1200-12-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1200-13-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4436-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4436-2-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4436-14-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4436-86-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4436-203-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5012-88-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads