cycbot | aed03500ea174b94cd4382ddf03af3fdbf45df423f3099c9be69cf76abb588c2

General

Target

JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe
Size

172KB
MD5

8888145b33aa163e5735260c9ee4059c
SHA1

d9745a72ba82507e6ce9013367aa93a89eec03c9
SHA256

aed03500ea174b94cd4382ddf03af3fdbf45df423f3099c9be69cf76abb588c2
SHA512

7bd1c54dc88eece2bd6c3f3b5cdf9c985a531d1429714d7b533cfc0b5b2a57beb71d00a5c865536bee7847e0abee61107ee31c5acb3cc09f3f15142682738273
SSDEEP

3072:boqDGUf0RRfoJLDw76Ixeki38ETjMqcE:boqY0LO6IxekisEa

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1496-13-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/4344-14-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/4344-79-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/2584-81-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/4344-194-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4344-2-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1496-12-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1496-13-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4344-14-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4344-79-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2584-81-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4344-194-0x0000000000400000-0x0000000000445000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 1496	4344	JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe	82
PID 4344 wrote to memory of 1496	4344	JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe	82
PID 4344 wrote to memory of 1496	4344	JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe	82
PID 4344 wrote to memory of 2584	4344	JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe	83
PID 4344 wrote to memory of 2584	4344	JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe	83
PID 4344 wrote to memory of 2584	4344	JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1496
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8888145b33aa163e5735260c9ee4059c.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6B81.504

Filesize
1KB

MD5
526c0c68b2c8f14cf4d0020d73b78672

SHA1
0059648ff16e43250a29f54586a49e9e4f61d58b

SHA256
e4284e410583c556b49211d0f96f3da036839d5a87442fe6523ab9b94b59313a

SHA512
f819dc87873b1dea50fa4810f9b45b135aa6bc4beaf7192d8ec42aa9ac8913297a433a5c6c1c55f58ccc8fcf7e88597a683ced6d33467edd46665074f849a873

Download Submit
C:\Users\Admin\AppData\Roaming\6B81.504

Filesize
600B

MD5
b53c0c76d7e0184db448c79013027ec7

SHA1
fca063d176fc6d24c6168d1a4540ccb108f95ce3

SHA256
88a840fec65d304a429d771f69a41606de04dd169c38bfa6fd62073e2fda5fec

SHA512
c4a5d64e54d8bf6170c519593406f0a620344db562390c191a1f454817a3f32c469e6f5fc4c023c732ff7028014163b1411b20f53dbecbc44820adab10fe719e

Download Submit
C:\Users\Admin\AppData\Roaming\6B81.504

Filesize
996B

MD5
d54262153b4c23a6df2634f6a05a83c1

SHA1
347f777aa386e994baee1e47993d6d7753b5d4b9

SHA256
6ae6dfa20743fa0a16b8c2a409f843b2023aec4c8e090d2fe44136a95b08f642

SHA512
2eafda4918800b1b2401a2d05e146230e23f52d2beaac83d9cb64534af1a72a54a2d9d5de95ede6ad6a44c5462e884702b7f91d5d979ba60677fc132dd720634

Download Submit
memory/1496-12-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1496-13-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2584-81-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4344-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4344-2-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4344-14-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4344-79-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4344-194-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads