cycbot | ae81fee6aa8eb428f282471db50b348b22f0f399d5e9c97a6721f74ad6788b46

General

Target

JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe
Size

172KB
MD5

48c15e2fa6716f40bbe47d31106d7767
SHA1

abd8edafa983c34dbf7961a96106fecbcd603dda
SHA256

ae81fee6aa8eb428f282471db50b348b22f0f399d5e9c97a6721f74ad6788b46
SHA512

7e35e63e71f06a5d2ba0e42f9b800e67fa12c9a7a1ed186d83a733b53b18420b9c410d9b218e76618a6ca50269274fc14d879aa6abf5cd92a44c44880614b73d
SSDEEP

3072:29OqKsgTwk7/5ePtqWIwIax1xEyhUGRjTc2A+WgoW+QxZiFpO2Q2D6:dbwU0cWIPaDxThUKTAcv+QxZi3G

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/5056-13-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/4592-14-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/1128-77-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/4592-138-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/4592-188-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4592-1-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/5056-12-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/5056-11-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/5056-13-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4592-14-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1128-76-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1128-77-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4592-138-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4592-188-0x0000000000400000-0x0000000000445000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 5056	4592	JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe	82
PID 4592 wrote to memory of 5056	4592	JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe	82
PID 4592 wrote to memory of 5056	4592	JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe	82
PID 4592 wrote to memory of 1128	4592	JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe	83
PID 4592 wrote to memory of 1128	4592	JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe	83
PID 4592 wrote to memory of 1128	4592	JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5056
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5FF3.98A

Filesize
1KB

MD5
2759973a2e11dc0dc7c5d166948e6c0c

SHA1
b9e67439338b0c41c7c7ef7486495536bd20993e

SHA256
ca2b1a11714eb0d38e3cc859d9b6e5a8599c325b8b4cd16ecb223c7e1074d10f

SHA512
228103e3360d0809776bd16d9980db80413f09831e1eb1c7ce708334f1900f8cbd79281e2975673dc2a5bfe0e9633d98fc7dfe0aae6433b28e50884ef7201466

Download Submit
C:\Users\Admin\AppData\Roaming\5FF3.98A

Filesize
600B

MD5
cd4da2c071194e4ecbefacef5aeb0665

SHA1
ab499001fe6c67a8091b1ddd9a78f46af38d2191

SHA256
2af173bbcd0e4dc61ce359efe0d2d392ddef163ab25542e11c9bb579003d8d9c

SHA512
d63b02f48519441d0d91c43fa8873f49fb3e59357ebd168d2abbc97d9da541f313801e79fa55648c52bba6ce89ba0afb7e3bb4f42193bc2a292967a229259918

Download Submit
C:\Users\Admin\AppData\Roaming\5FF3.98A

Filesize
996B

MD5
5f63135edaaacd66831d28f23be67875

SHA1
c2319d33e11ebf3afc7995fc47b542e9aa81e983

SHA256
8d3a100ecf45cd4d5a1e501d1a4accbe679e44396d97cb8bad4bdc954ea0becb

SHA512
e6c14dcbade17d40f93fc088db37ef6a0cecc920ee2cf6121c0697600f776e1719dc438681b339bf3b8f62ecd106587bec8b2313368aa956be38275bf0dd980c

Download Submit
memory/1128-75-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1128-76-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1128-77-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4592-14-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4592-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4592-138-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4592-188-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5056-13-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5056-11-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5056-12-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads