cycbot | 69dacf3eed77673675322108c043f74a6ff39150d7d6df18f449c000dab95ac4

General

Target

JaffaCakes118_0b0993a5e841e323bd411033733b1aa5.exe
Size

169KB
MD5

0b0993a5e841e323bd411033733b1aa5
SHA1

f73c29322d8ab5674dfc4b8fb088963fd5837b27
SHA256

69dacf3eed77673675322108c043f74a6ff39150d7d6df18f449c000dab95ac4
SHA512

ae894a1ebad8b8d4e1198819096a584dde3e81b4c5e04737300da3cf7513131476eb37009f9c5fab07e58e6de3b00582b863d2662529967aeb1d3f0d1e70dd20
SSDEEP

3072:wD0f7eo/zMJ9NNx0m41Ps3JiKwRvic9a:wojemMJ9NNGf14ifNz9a

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4156-14-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/4744-15-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/4744-74-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/4544-77-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/4744-190-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_0b0993a5e841e323bd411033733b1aa5.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4744-2-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4156-12-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4156-14-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4744-15-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4744-74-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4544-76-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4544-77-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4744-190-0x0000000000400000-0x0000000000444000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0b0993a5e841e323bd411033733b1aa5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0b0993a5e841e323bd411033733b1aa5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0b0993a5e841e323bd411033733b1aa5.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 4156	4744	JaffaCakes118_0b0993a5e841e323bd411033733b1aa5.exe	82
PID 4744 wrote to memory of 4156	4744	JaffaCakes118_0b0993a5e841e323bd411033733b1aa5.exe	82
PID 4744 wrote to memory of 4156	4744	JaffaCakes118_0b0993a5e841e323bd411033733b1aa5.exe	82
PID 4744 wrote to memory of 4544	4744	JaffaCakes118_0b0993a5e841e323bd411033733b1aa5.exe	85
PID 4744 wrote to memory of 4544	4744	JaffaCakes118_0b0993a5e841e323bd411033733b1aa5.exe	85
PID 4744 wrote to memory of 4544	4744	JaffaCakes118_0b0993a5e841e323bd411033733b1aa5.exe	85

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b0993a5e841e323bd411033733b1aa5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b0993a5e841e323bd411033733b1aa5.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b0993a5e841e323bd411033733b1aa5.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b0993a5e841e323bd411033733b1aa5.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4156
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b0993a5e841e323bd411033733b1aa5.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b0993a5e841e323bd411033733b1aa5.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\952D.81A

Filesize
1KB

MD5
865ba5687f9d28858cb5175caac1fbac

SHA1
a9cd7ce0354db86192ebffe6a81b80d39c5b750f

SHA256
c9b457860c1be1fc707aaab439cd1108355a3421749ce82480d16a451e14ff1a

SHA512
19c12ce07b63362ad8018309a04ec53328ed7dd66ada1c7ba5ec8cb9c43c75efd25069aa9b5a4b01a8f09b9d54ef77e2752302ede6c19a360bb9aaa9edf779be

Download Submit
C:\Users\Admin\AppData\Roaming\952D.81A

Filesize
600B

MD5
8de835920707cdc1a8e128bff4ef3499

SHA1
e73c373a1cf72723d35b261b502448d71053856c

SHA256
c5bbca4da0f613479825304b7f3c6b8b0ebecd83c813cc5c06d9b21f9c3d6f15

SHA512
2015db8249da43e4342c062e0967407d3836b59a898158aeb73712a62a831e6834cf9080dda80a9c53a19c4238136cb766736e3de5df92d63f585b46743b8c58

Download Submit
C:\Users\Admin\AppData\Roaming\952D.81A

Filesize
996B

MD5
9b9a21e294330ca3df145a182978dd75

SHA1
09845a4fe37486e465f1934bb8796659e734463f

SHA256
e4ea05d8068c7282e33be94e0e606eaa3cafc18f7139eded6d5f95689c1cb14b

SHA512
c1e1d56c0c2eea9a370dcf7bc00984b4b71474e915792c8a11e6702f92dd138f8d13dbd2fe504c049be8bdeb4d017abaad375a0ada7151465e7e5af031a2b002

Download Submit
memory/4156-12-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4156-14-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4544-76-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4544-77-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4744-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4744-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4744-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4744-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4744-190-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads