cycbot | b4e7d61c7bc8d1de5cef00631f590944604df0a35c1da3c9387f6ed13ba831a5

General

Target

f22e44ce0a211e269675e7f83a1671ac_JaffaCakes118.exe
Size

172KB
MD5

f22e44ce0a211e269675e7f83a1671ac
SHA1

4aa196c923cb820c5e7c9a73a45ca7051c8995f5
SHA256

b4e7d61c7bc8d1de5cef00631f590944604df0a35c1da3c9387f6ed13ba831a5
SHA512

4bd2180ee5a98effd5fb643f7bb16cbf7d8d919fb32fb3c350d01ab1e664534f3c24dfaaaf1d2ed7a88d3114c2aaf2f4862157faca9744c3010ed24dbffd3271
SSDEEP

3072:jIs0loJfuALqzYjZ6HXg6TdwXy9ngQXcqNhbJVuHE/y/COPfaRYv0qQxA/9T0:7UoNgYjKgmdyigQXHhdoH2yZPftv0+

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3252-10-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/3172-15-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/1848-83-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/3172-146-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/3172-185-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/3172-190-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	f22e44ce0a211e269675e7f83a1671ac_JaffaCakes118.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3172-2-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3252-8-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3252-9-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3252-10-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3172-15-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1848-82-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1848-83-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3172-146-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3172-185-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3172-190-0x0000000000400000-0x0000000000445000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f22e44ce0a211e269675e7f83a1671ac_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f22e44ce0a211e269675e7f83a1671ac_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f22e44ce0a211e269675e7f83a1671ac_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 3252	3172	f22e44ce0a211e269675e7f83a1671ac_JaffaCakes118.exe	82
PID 3172 wrote to memory of 3252	3172	f22e44ce0a211e269675e7f83a1671ac_JaffaCakes118.exe	82
PID 3172 wrote to memory of 3252	3172	f22e44ce0a211e269675e7f83a1671ac_JaffaCakes118.exe	82
PID 3172 wrote to memory of 1848	3172	f22e44ce0a211e269675e7f83a1671ac_JaffaCakes118.exe	88
PID 3172 wrote to memory of 1848	3172	f22e44ce0a211e269675e7f83a1671ac_JaffaCakes118.exe	88
PID 3172 wrote to memory of 1848	3172	f22e44ce0a211e269675e7f83a1671ac_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\f22e44ce0a211e269675e7f83a1671ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f22e44ce0a211e269675e7f83a1671ac_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Users\Admin\AppData\Local\Temp\f22e44ce0a211e269675e7f83a1671ac_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f22e44ce0a211e269675e7f83a1671ac_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3252
- C:\Users\Admin\AppData\Local\Temp\f22e44ce0a211e269675e7f83a1671ac_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f22e44ce0a211e269675e7f83a1671ac_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7116.254

Filesize
1KB

MD5
9496a68552c3c7711647c27f3c01c2c6

SHA1
cb1920f4aef1a595196e76a898059056017f96bc

SHA256
7f61d54bdfdf9050c061096c501dd77f1f030947ec56c7530be8683b010364f4

SHA512
17caaa8dd67887d75ac130dbef918e2f9d1d56d52e2ffc0adeb8ebb69286bc2a1008c170824729aeba2f790aa2353ab4664f05044cf0676d3223c6d236c81cfc

Download Submit
C:\Users\Admin\AppData\Roaming\7116.254

Filesize
1KB

MD5
3ac9a64413eaf13ffe3299bd93a91acc

SHA1
b79ebe29747c7b11d2432cdef8f615dcc597fe1f

SHA256
bcbe07762d220e5a771b2dd679f364b518f2e8e4f5b15bc01cc42f026c8f2628

SHA512
b8f89514638853254eb2259a0cbd011110281d55355f88e5f6b39ed5b6989900e37cb06ace6a7e227e2472c63ba1ec925edc10d4229ee37650bf3edc84051eea

Download Submit
C:\Users\Admin\AppData\Roaming\7116.254

Filesize
600B

MD5
2900831399ec87631d438f2a9bebe0f1

SHA1
b0f936656858dc1c46bb401cdc35f17680da1fa9

SHA256
a75bddf7616cc2371c14af86209ece8e31619a43218fd85f21a20018c211835e

SHA512
51b3cf694f8f6b59f48b785e33ff65b25f86e3a641ab42f74c6fdec2dd54e9e5cc12d9f2cf2fe2392d4de5a6447aa9b356780595a124fdb426280b6cf368d0a4

Download Submit
C:\Users\Admin\AppData\Roaming\7116.254

Filesize
996B

MD5
96902e13b98285f188802d4a827b4d85

SHA1
0cf118648e547756e02e9365d491419e55dbddb8

SHA256
749c9040defd289a5bc29df24d774e3664df8e578bc07798c44898c87e6ccbe7

SHA512
67369c71fc79b1ecaeeacbde413feee9533209de834262633c4e343448fa786cfe8e06cb4141f134005611dc7e4177e03d36527da35176a43811e86f222538d2

Download Submit
memory/1848-82-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1848-83-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3172-15-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3172-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3172-146-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3172-2-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3172-185-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3172-190-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3252-10-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3252-9-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3252-8-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads