cycbot | 8df096d7ac5fbbf87d5f117c370590f0f177f5963e873171451af1a5674ce521

General

Target

f83d393ededf2766adf11b8e51015a33_JaffaCakes118.exe
Size

168KB
MD5

f83d393ededf2766adf11b8e51015a33
SHA1

ff07e287c98c842ed42e0fbaf8147d3f23f06a6a
SHA256

8df096d7ac5fbbf87d5f117c370590f0f177f5963e873171451af1a5674ce521
SHA512

70a4bd41aa05c53b44c439d5f6c9fa58425a23b520915bc5a2ba7b74e899d199fa5a915f12c95b4321477f8bc66e1745ca955f5bc17207e243184e8d0fe7397e
SSDEEP

3072:k02RCXtj4OB2EEkxjtiLz00T1pOYvcEr4SF6Evm3b2syXxAP:n2QdR2qxjtiX00hcE5xvUHyhK

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4204-9-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/4880-14-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/4824-85-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/4880-144-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/4880-181-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	f83d393ededf2766adf11b8e51015a33_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4880-2-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4204-9-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4880-14-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4824-84-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4824-85-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4880-144-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4880-181-0x0000000000400000-0x0000000000444000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f83d393ededf2766adf11b8e51015a33_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f83d393ededf2766adf11b8e51015a33_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f83d393ededf2766adf11b8e51015a33_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 4204	4880	f83d393ededf2766adf11b8e51015a33_JaffaCakes118.exe	82
PID 4880 wrote to memory of 4204	4880	f83d393ededf2766adf11b8e51015a33_JaffaCakes118.exe	82
PID 4880 wrote to memory of 4204	4880	f83d393ededf2766adf11b8e51015a33_JaffaCakes118.exe	82
PID 4880 wrote to memory of 4824	4880	f83d393ededf2766adf11b8e51015a33_JaffaCakes118.exe	83
PID 4880 wrote to memory of 4824	4880	f83d393ededf2766adf11b8e51015a33_JaffaCakes118.exe	83
PID 4880 wrote to memory of 4824	4880	f83d393ededf2766adf11b8e51015a33_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\f83d393ededf2766adf11b8e51015a33_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f83d393ededf2766adf11b8e51015a33_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Users\Admin\AppData\Local\Temp\f83d393ededf2766adf11b8e51015a33_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f83d393ededf2766adf11b8e51015a33_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4204
- C:\Users\Admin\AppData\Local\Temp\f83d393ededf2766adf11b8e51015a33_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f83d393ededf2766adf11b8e51015a33_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\06C6.22C

Filesize
1KB

MD5
b77d61558a04049a1f36b0b5bf525f6e

SHA1
92e51f054b81fabcd1c6cb511f17ad1ab51b8a8c

SHA256
3c6c2979660ba9bf126233f6fcee38dd28462d6c4e7d5c2ed9a559a33376980a

SHA512
050b75dc3905d4f910ff1b8b958172defd0ecfdb00472a60651789f9a644fc95bf085d853cfdfc455d168579f9f1852f50fa196fe87fc95b14b78ce51a41c6db

Download Submit
C:\Users\Admin\AppData\Roaming\06C6.22C

Filesize
600B

MD5
d825cc0cd841303b7b1dcaa78f262dbe

SHA1
2e16aa5e33e1c9452974efb9f5e15470333346a9

SHA256
14fc112f41f77d8524dd26671f67449d72eb539823eef5303fed6823f7b8ab82

SHA512
5e124cb5985df667599e60e7095b3f11bd17c32bfa0e3306fa507a30eb5c3e07c0f16d4a6284d07110e46d2ade6e9a3f792493dfecd20f8668ed0ce14187bfea

Download Submit
C:\Users\Admin\AppData\Roaming\06C6.22C

Filesize
996B

MD5
35f06f5bdc24652a3f069160c54123da

SHA1
1091453f933da8f9ecb66ba63fed5478c7644ba7

SHA256
bcb4675a06012131c9e1c49fe2759266d83a2f00adc85465964dcb752f7f0085

SHA512
ea82e55b13c2e6e6a66a64d3a26fc0d3c1bf2fc8fc7ba494259290e705046bf5d905336e57ba75c38983445e999d407460ecdceeed69866a59d89eeda9d9168b

Download Submit
memory/4204-9-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4824-83-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4824-84-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4824-85-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4880-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4880-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4880-14-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4880-144-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4880-181-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads