cycbot | 757c9ca1cec418b5e813510613fcc838d815fc374f30e029fb7662450b82d31b

General

Target

e5cca1f9f777554ac3bfa08c0f8c377c_JaffaCakes118.exe
Size

168KB
MD5

e5cca1f9f777554ac3bfa08c0f8c377c
SHA1

7b9048b91b70fa398dfaac2b9507f802fff3ca10
SHA256

757c9ca1cec418b5e813510613fcc838d815fc374f30e029fb7662450b82d31b
SHA512

3381c0c229f4e1e4bec47b4604f93ca1f73209e6110816384baa25f81cf203b2a4e9d86732087daf592cd6f5c9bb9a7cb4a03f4d83ec3e7a17ac0768b3e38b6b
SSDEEP

3072:73uMOPcsJXFwc66qzNRx0nktB47zisxr08uIY41+VBQQCFWLx5lU55wJTsYfPqIo:aXFwcePYSAY6iBQbFKvM5+Thf4

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/5020-14-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/2036-15-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/1916-85-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/2036-156-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/2036-203-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	e5cca1f9f777554ac3bfa08c0f8c377c_JaffaCakes118.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2036-2-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5020-9-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5020-8-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5020-14-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/2036-15-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/1916-83-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/1916-85-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/2036-156-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/2036-203-0x0000000000400000-0x0000000000444000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5cca1f9f777554ac3bfa08c0f8c377c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5cca1f9f777554ac3bfa08c0f8c377c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5cca1f9f777554ac3bfa08c0f8c377c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 5020	2036	e5cca1f9f777554ac3bfa08c0f8c377c_JaffaCakes118.exe	83
PID 2036 wrote to memory of 5020	2036	e5cca1f9f777554ac3bfa08c0f8c377c_JaffaCakes118.exe	83
PID 2036 wrote to memory of 5020	2036	e5cca1f9f777554ac3bfa08c0f8c377c_JaffaCakes118.exe	83
PID 2036 wrote to memory of 1916	2036	e5cca1f9f777554ac3bfa08c0f8c377c_JaffaCakes118.exe	94
PID 2036 wrote to memory of 1916	2036	e5cca1f9f777554ac3bfa08c0f8c377c_JaffaCakes118.exe	94
PID 2036 wrote to memory of 1916	2036	e5cca1f9f777554ac3bfa08c0f8c377c_JaffaCakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\e5cca1f9f777554ac3bfa08c0f8c377c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e5cca1f9f777554ac3bfa08c0f8c377c_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\e5cca1f9f777554ac3bfa08c0f8c377c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e5cca1f9f777554ac3bfa08c0f8c377c_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5020
- C:\Users\Admin\AppData\Local\Temp\e5cca1f9f777554ac3bfa08c0f8c377c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e5cca1f9f777554ac3bfa08c0f8c377c_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AB27.35D

Filesize
1KB

MD5
9ed86fd416cc37a5c98c7b4c50d90119

SHA1
8ee3e80dd170f261099fa4b1f9b85bf94a28efcf

SHA256
4dce51e6578e4f89f77fba974b1ae75d363246237883cf4e5040282ca9792a14

SHA512
7223c75615271284c0c0da61655a1b48c2793689a05339e82993b46468697aaeb6f5ccfe2d7e4a5b5853b5021d92a36179ebe131d513156c22855ca567a47b53

Download Submit
C:\Users\Admin\AppData\Roaming\AB27.35D

Filesize
600B

MD5
dc994b1aa01ebdef812e15008d6f8f22

SHA1
7c64eb93e1086b7c6bfc81cfb7632b0146f7e0ee

SHA256
75a3ed12cc865995c16395a1a5071f137d5dd55c10f3a55bdf87886cceca70dd

SHA512
70219246d1eb2b150056143e8534f9fc83cec873c0954d816c4d2101163a484e5716a32750cea656c1a376b075a469603de8bba7b01ffb18606a0b4e6c4402af

Download Submit
C:\Users\Admin\AppData\Roaming\AB27.35D

Filesize
996B

MD5
3ab6459e7f3bb0cf7c041c74f87e3edb

SHA1
5e9697bbbcadaff750004858bc7030b851f3e9fc

SHA256
5f2b0a78656531bd791920e277ac300140c493cfcf1f22c569ff86c84b45ab7a

SHA512
22f51ae46a54c47974d1ee90b0742f8fc9260353defacd683359b92a9dc54971fac692db05f5c5851cc29e82d81e363c1262862b0d5e726f00b8f2d085094e81

Download Submit
memory/1916-82-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1916-83-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1916-85-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2036-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2036-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2036-156-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2036-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2036-203-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5020-14-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5020-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5020-9-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads