cycbot | 630687176413d8e68dec7840c3c88e1f7a65f8cd6d402f887591b76bf6465d35

General

Target

fb34855b4d25f6d0b5e9cf19333c2567_JaffaCakes118.exe
Size

179KB
MD5

fb34855b4d25f6d0b5e9cf19333c2567
SHA1

76adab16924d612346c0d328bce496be8086ceb8
SHA256

630687176413d8e68dec7840c3c88e1f7a65f8cd6d402f887591b76bf6465d35
SHA512

3e9ea5c5d08eb80c3d32ef7c7574ce88b872447142303bef0f63248c90513f57a8a90a1ed2625a91e86ce8e5e6385bba6d7884b1ae780f9244d941e82dcf60e8
SSDEEP

3072:H/1Y3dTmqeHrJ8rMG9gdy56SineLakifm510IeEUpZ8+SQMqJAK0V:9Y3YqeHrg2sOneLamjcJ/8+SQMsAv

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1004-14-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/2848-15-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/3636-84-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/2848-147-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/2848-196-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	fb34855b4d25f6d0b5e9cf19333c2567_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2848-2-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/1004-8-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/1004-14-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/2848-15-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/3636-83-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/3636-84-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/2848-147-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/2848-196-0x0000000000400000-0x000000000044B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb34855b4d25f6d0b5e9cf19333c2567_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 1004	2848	fb34855b4d25f6d0b5e9cf19333c2567_JaffaCakes118.exe	82
PID 2848 wrote to memory of 1004	2848	fb34855b4d25f6d0b5e9cf19333c2567_JaffaCakes118.exe	82
PID 2848 wrote to memory of 1004	2848	fb34855b4d25f6d0b5e9cf19333c2567_JaffaCakes118.exe	82
PID 2848 wrote to memory of 3636	2848	fb34855b4d25f6d0b5e9cf19333c2567_JaffaCakes118.exe	87
PID 2848 wrote to memory of 3636	2848	fb34855b4d25f6d0b5e9cf19333c2567_JaffaCakes118.exe	87
PID 2848 wrote to memory of 3636	2848	fb34855b4d25f6d0b5e9cf19333c2567_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\fb34855b4d25f6d0b5e9cf19333c2567_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb34855b4d25f6d0b5e9cf19333c2567_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\fb34855b4d25f6d0b5e9cf19333c2567_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fb34855b4d25f6d0b5e9cf19333c2567_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:1004
- C:\Users\Admin\AppData\Local\Temp\fb34855b4d25f6d0b5e9cf19333c2567_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fb34855b4d25f6d0b5e9cf19333c2567_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1A2E.3DE

Filesize
1KB

MD5
e787705084b7823b7a39a44358e7feab

SHA1
f8027bb5cf817ae0a19d3421e29eddfee04f53cd

SHA256
a6760178dc31271747a01594bafdb5c598e51e7bd56a88c88a751f1b8d4fbde3

SHA512
5717da49f7d42d0bc9fa22c58db5135805e33c13c6495323dcc358c36603e8b604cfa4339acb3080d0fc9f8e2dad230537ef52eb4987ff818755c6a8a4a67e0a

Download Submit
C:\Users\Admin\AppData\Roaming\1A2E.3DE

Filesize
600B

MD5
2aa9d4d9df2acce0a6a5e2875856f2d0

SHA1
cdf6bb94d40b3949d1afb2cf848c8d4f2451e5be

SHA256
d2f27ace1ea16ac3e30365bd7a55f6776bc5027845ad1a3fb54d7ed30c28a0c4

SHA512
359199e88d0bf2dc018a242341b288a06d5052e2b6532d72a800c2fe2df5f6b4e90e6b74a71564efeefdb6e983da7a6bf9184d1b5e2e23e3ca0e5b92d1c873ba

Download Submit
C:\Users\Admin\AppData\Roaming\1A2E.3DE

Filesize
996B

MD5
23ab387cdb0331c4222a11b68739d9ce

SHA1
4d3c166fdf11764891711de03a4519568ca78dea

SHA256
e0a07ed7f39b4d58c70211af19a6ca586c42f093d833b4d522c97fcfb02dda4d

SHA512
374ce8fcb13758a1f3427e6e3f3befece9af3c9a1ed343572688bd66a7beb17f669974b3944dfe9e98e8aa49a660fd13eca6393f29292cc51f48a46e989b9f28

Download Submit
memory/1004-8-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1004-14-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2848-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2848-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2848-15-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2848-147-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2848-196-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3636-83-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3636-84-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads