cycbot | 7ce5e5a51e5fe662b5c359ea11af3c88b7e2e71b5f63583c989ca1ca1fe3e7ff

General

Target

JaffaCakes118_617cbbefd15e6c358d640d5d7befab72.exe
Size

164KB
MD5

617cbbefd15e6c358d640d5d7befab72
SHA1

86a567ac4e966fd1442c866fb8e335914eb62109
SHA256

7ce5e5a51e5fe662b5c359ea11af3c88b7e2e71b5f63583c989ca1ca1fe3e7ff
SHA512

9f620b691f05b6b78502fd88f2bf1f152b54363aab4a54a0dd70e0ca400da8b7e45e3ac58e2dc149371fab73e1da6d5bd97c8769e2f386ddef26395d040b5da6
SSDEEP

3072:JtOBwK0TlLm8lirVlOJARb1X28BVmXIVWTjj3vfo69c:J8BO61ZlnzuXIVyHI6+

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2620-12-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/988-14-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/988-83-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/3240-87-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/988-190-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_617cbbefd15e6c358d640d5d7befab72.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/988-2-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/2620-12-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/988-14-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/988-83-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3240-86-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3240-87-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/988-190-0x0000000000400000-0x0000000000444000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_617cbbefd15e6c358d640d5d7befab72.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_617cbbefd15e6c358d640d5d7befab72.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_617cbbefd15e6c358d640d5d7befab72.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 988 wrote to memory of 2620	988	JaffaCakes118_617cbbefd15e6c358d640d5d7befab72.exe	83
PID 988 wrote to memory of 2620	988	JaffaCakes118_617cbbefd15e6c358d640d5d7befab72.exe	83
PID 988 wrote to memory of 2620	988	JaffaCakes118_617cbbefd15e6c358d640d5d7befab72.exe	83
PID 988 wrote to memory of 3240	988	JaffaCakes118_617cbbefd15e6c358d640d5d7befab72.exe	93
PID 988 wrote to memory of 3240	988	JaffaCakes118_617cbbefd15e6c358d640d5d7befab72.exe	93
PID 988 wrote to memory of 3240	988	JaffaCakes118_617cbbefd15e6c358d640d5d7befab72.exe	93

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_617cbbefd15e6c358d640d5d7befab72.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_617cbbefd15e6c358d640d5d7befab72.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:988
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_617cbbefd15e6c358d640d5d7befab72.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_617cbbefd15e6c358d640d5d7befab72.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2620
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_617cbbefd15e6c358d640d5d7befab72.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_617cbbefd15e6c358d640d5d7befab72.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\BD82.183

Filesize
1KB

MD5
8294e6b888c18a1a21f274e45d346122

SHA1
062ea742a469f547c8c09b8343dc28ae9bc4550c

SHA256
64f0db95106183deb18183f743d87f92911007eb02f8bad47f093bdc791294f1

SHA512
57515d8b8232c665ce1a2c8855a58167d2b979b0ec94f62573c28441fd5b970294ead461da024c4762406c3259ce716752a62f3b4213fba3badcb1bb10c7e007

Download Submit
C:\Users\Admin\AppData\Roaming\BD82.183

Filesize
600B

MD5
48364b90c461de3e30c79ad47e5d9963

SHA1
ca142419c7fec6d3aebd796be1a79b248f5a4065

SHA256
086740ac7989707aa8d344a3fada10a979801ecb0f0236be3d1721ed62fda9ce

SHA512
581d5621304c028fb0f28433ba72f195c7473bb7816048f5aa39885873db1b5055ce77bcfb9983df333735ecc4696028e4a7dcfcc316441875482efdb4e63133

Download Submit
C:\Users\Admin\AppData\Roaming\BD82.183

Filesize
996B

MD5
c24bf050391f4c95ccb62fbfd51e9823

SHA1
c726b6c9dfb95096b828f3133b1d1815ad217997

SHA256
a6af79fb485a71dfd120c61e11638f93bfbf8a5b4d41f957dc438a72d67ce845

SHA512
e266449cf48a528ad6c5f47fea8128a39cf31d466fb52e5bfc693958b9d406a8875be9a7983581599320d195f07118dcb91ac416b6917d1f0882ae42213b5c20

Download Submit
memory/988-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/988-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/988-14-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/988-83-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/988-190-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2620-12-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3240-86-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3240-85-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3240-87-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads