cycbot | 711546c4a73e555d03231da10dc51251b561de9cf393facca4b3eac262b466f7

General

Target

JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe
Size

179KB
MD5

6cda8b56c8cdb26667912f50a234258f
SHA1

a46a2d98553482ef729be3cfbfc4366241304e3e
SHA256

711546c4a73e555d03231da10dc51251b561de9cf393facca4b3eac262b466f7
SHA512

8c3e7e417edab76045406772ecf5bc9a4c7be37bb3765cb41a4be5e9d1e7a073dd2c1e3aaa15e481b400488ec50904deb5b8eb810ae1f23fd13c34e2317c971b
SSDEEP

3072:k0FXNJPY9XjMnklHpMNDWsia4P9Vz8Aji8zVg5zGFcti19D/WcWKEmzr9c:k0lPwNjMnklmWNa4f8AjiKS5qF4i19jK

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3312-14-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/2408-15-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/2408-78-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/716-82-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/2408-191-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2408-2-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/3312-13-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/3312-14-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/2408-15-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/2408-78-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/716-80-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/716-82-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/2408-191-0x0000000000400000-0x000000000044B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 3312	2408	JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe	82
PID 2408 wrote to memory of 3312	2408	JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe	82
PID 2408 wrote to memory of 3312	2408	JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe	82
PID 2408 wrote to memory of 716	2408	JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe	83
PID 2408 wrote to memory of 716	2408	JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe	83
PID 2408 wrote to memory of 716	2408	JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:3312
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FE6D.D0D

Filesize
1KB

MD5
753a80e7eabf937f318094fa26046b6f

SHA1
8100824bb013668b48bfd1d6deae5afd39a8e2ff

SHA256
77025fd83e55f9b619d63181cae8ff0d3d0a9e6e031ae2ffd2f7d781558341b8

SHA512
f4a28f349ea15542089ccab6c7d73b00f3cecb6ca1db60518051d1a1ef685916b8fd3ece509c1efea6a1c515fc931cef4cb3c9b25bfb8b9c14ab39c68a71d963

Download Submit
C:\Users\Admin\AppData\Roaming\FE6D.D0D

Filesize
600B

MD5
fac7305e0d3eabe1462b67f8ef3d10f2

SHA1
a553dd626f171bc4f981e3663f1e34332ebf192d

SHA256
a963790f9350533902b4889e1f9d084f659f22aafbc98bf5743a864a0421ec7e

SHA512
a2ea897c9156fa0246336abceef7405b71828f02ac6b07fe4368f3df1cc1242684e45be0192063a639a9bb870c6ff7e27a714bc40484f663e3291d5928f2c33f

Download Submit
C:\Users\Admin\AppData\Roaming\FE6D.D0D

Filesize
996B

MD5
33d43f1133b32656bb7f0cf42093925e

SHA1
fde55c6872ed826933bd550e98bd6f2b1bebf11a

SHA256
f359f9d232346271854f3d2e03abd7b6081317f9324705f29ab5ba5b99dbab8e

SHA512
4c9b0227f87b803f6f953b985c7e2118f08ca61301943b78dbd26cd29faa54ec31ae8ab3fa990ba1e3562ae9fc021e09837a5fc5278cb2c450bf4c9e76192ae7

Download Submit
memory/716-82-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/716-80-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2408-15-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2408-78-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2408-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2408-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2408-191-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3312-14-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3312-12-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3312-13-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads