cycbot | 1fe1dcf18660cbe9cc1493193c00f120a50ba0bb6bedfa7d5798f4a5dc86574a

General

Target

JaffaCakes118_87de8717484a061e9550bb201f235e85.exe
Size

187KB
MD5

87de8717484a061e9550bb201f235e85
SHA1

5cf29b0e66fa023fbc50998d9a882c1362087125
SHA256

1fe1dcf18660cbe9cc1493193c00f120a50ba0bb6bedfa7d5798f4a5dc86574a
SHA512

537b1e882bcdb2712b5831f3e4c4a354f4b82e4c957eb66f0ac444e2d4fee3fb701a76da6958ee8bcdeb37b20e092842f8060aaf307454aaa88c26bd95e6de2e
SSDEEP

3072:F9v+GBLTFMP2/xlWj+/AoShRf3euX81gxclOmEZv7NuksBepLpKfFWfFqb:rv+GNMP2p24cRrXAgxBTsBeBpJfc

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1188-51-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/920-52-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/4212-119-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/920-120-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/920-219-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_87de8717484a061e9550bb201f235e85.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/920-2-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/1188-51-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/920-52-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/4212-118-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/4212-119-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/920-120-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/920-219-0x0000000000400000-0x000000000044B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_87de8717484a061e9550bb201f235e85.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 1188	920	JaffaCakes118_87de8717484a061e9550bb201f235e85.exe	84
PID 920 wrote to memory of 1188	920	JaffaCakes118_87de8717484a061e9550bb201f235e85.exe	84
PID 920 wrote to memory of 1188	920	JaffaCakes118_87de8717484a061e9550bb201f235e85.exe	84
PID 920 wrote to memory of 4212	920	JaffaCakes118_87de8717484a061e9550bb201f235e85.exe	85
PID 920 wrote to memory of 4212	920	JaffaCakes118_87de8717484a061e9550bb201f235e85.exe	85
PID 920 wrote to memory of 4212	920	JaffaCakes118_87de8717484a061e9550bb201f235e85.exe	85

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87de8717484a061e9550bb201f235e85.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87de8717484a061e9550bb201f235e85.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:920
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87de8717484a061e9550bb201f235e85.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87de8717484a061e9550bb201f235e85.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:1188
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87de8717484a061e9550bb201f235e85.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87de8717484a061e9550bb201f235e85.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:4212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\87F3.B38

Filesize
1KB

MD5
ed4a950488d111f589bba2a999a59237

SHA1
486af757a12181a67a07ee67c535e6f70217b728

SHA256
94a2ed3734dce748f64f715432175ae60100c5f03a19520c8cf84faa1e2106a0

SHA512
8035bbea9a67caf1db82901945b38bd834f3736b18beffd5240e09766f09659302a4ff406626f4bd0f56abec3aff98417ff06b8d586e6b7fcfa6e39c6574cebc

Download Submit
C:\Users\Admin\AppData\Roaming\87F3.B38

Filesize
1KB

MD5
f006cabcfd6e2483a4ee1a67e8ddd6cf

SHA1
4e4c2cde57c805be6e881fc56c42c2edebe5cddc

SHA256
3a9fe0cb984483646ca9620b47c93076aba849757dc9d2340cea63a9cb2f1070

SHA512
431ed78e67bfc856051f210ea9e4fe6418867d12234da4afa34273073b9e6d0bd3e682a8b9027c50d10ba85027e9b061b28f3eeda567fd21edab022f9ef73c2f

Download Submit
C:\Users\Admin\AppData\Roaming\87F3.B38

Filesize
597B

MD5
9a7c92208676fffe38f54f4ddb003b4d

SHA1
b41e329a96269101c3d482f6da30791b8c50b765

SHA256
0105eef45f6a44d4a6934554f79773281336e89e45f7689c8abf6d2595b0f0c3

SHA512
c874a243f7d909a4d2c17f9a0951c1e6c734a2e0917075817e5d2eab393b7b6274794732b7a721083c8a6e873b42347bc4c4e2eecebc253cfe76c8969d4c96cb

Download Submit
C:\Users\Admin\AppData\Roaming\87F3.B38

Filesize
897B

MD5
b3e1e7eddc1007b7a4166db274927832

SHA1
f96b47e4d3d3679e871d942e29ba72b5a62ff258

SHA256
fa684af80a5a139fa2cdfe0d812e63e07074483d209fe9595bca0e990eebc9fe

SHA512
01577aead5e7a24f9967bd94c018b10fe6e3a907a52efd1206772a5a888b3255d4b9596110ec4299495ce8d9f5eef997174b1cb7542a16e4c61658582523ba83

Download Submit
C:\Users\Admin\AppData\Roaming\87F3.B38

Filesize
297B

MD5
043ad7908d4bb6820f05284ac9a53985

SHA1
f005f5668a5cb9fa1103d04930bb9b61fd7d6ff7

SHA256
fe8748c17579bc6e640d5611189a2cf653c60328445ccfd5e03892785d55a263

SHA512
d6c4443eb419154f282b794bf8a3838ab0b77e4799e9dc4a10d9a904b960b1714cf1bf3329ea5cca32451c4af447dcadd8a6135746e7676a065f6275068c82d5

Download Submit
memory/920-52-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/920-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/920-120-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/920-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/920-219-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1188-51-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4212-118-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4212-119-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads