cycbot | 11dbfd2d2b0b7d9b1eef6a2d88a027635b61594964f041d7a95aea4f0a885c54

General

Target

JaffaCakes118_f88d4d084ed98937d3aec41a99577c85.exe
Size

166KB
MD5

f88d4d084ed98937d3aec41a99577c85
SHA1

1db36babbe61a9a4bc7acc7b1b1f6e1d85d052c8
SHA256

11dbfd2d2b0b7d9b1eef6a2d88a027635b61594964f041d7a95aea4f0a885c54
SHA512

3677fbd8ccea612f02935ae005c7f8ce029955ecda1a57369dabff40417f600d02f0cd9b9bc12e20ab762e982992edc45af1e60cf01a8bc5a60f67698dfcf13f
SSDEEP

3072:gJumkEoT7gNXU/piZ8Gfduqllj0dk/VduxPVJh00BWwu5ViLGJ+:gJFkEG7gNXUxCVhlT4oKWC

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4932-12-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/3532-13-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/2132-81-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/3532-82-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/3532-182-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/3532-186-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_f88d4d084ed98937d3aec41a99577c85.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3532-1-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4932-12-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3532-13-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2132-81-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3532-82-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3532-182-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3532-186-0x0000000000400000-0x0000000000445000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f88d4d084ed98937d3aec41a99577c85.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f88d4d084ed98937d3aec41a99577c85.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f88d4d084ed98937d3aec41a99577c85.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 4932	3532	JaffaCakes118_f88d4d084ed98937d3aec41a99577c85.exe	85
PID 3532 wrote to memory of 4932	3532	JaffaCakes118_f88d4d084ed98937d3aec41a99577c85.exe	85
PID 3532 wrote to memory of 4932	3532	JaffaCakes118_f88d4d084ed98937d3aec41a99577c85.exe	85
PID 3532 wrote to memory of 2132	3532	JaffaCakes118_f88d4d084ed98937d3aec41a99577c85.exe	92
PID 3532 wrote to memory of 2132	3532	JaffaCakes118_f88d4d084ed98937d3aec41a99577c85.exe	92
PID 3532 wrote to memory of 2132	3532	JaffaCakes118_f88d4d084ed98937d3aec41a99577c85.exe	92

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f88d4d084ed98937d3aec41a99577c85.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f88d4d084ed98937d3aec41a99577c85.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f88d4d084ed98937d3aec41a99577c85.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f88d4d084ed98937d3aec41a99577c85.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4932
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f88d4d084ed98937d3aec41a99577c85.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f88d4d084ed98937d3aec41a99577c85.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\26ED.BAA

Filesize
1KB

MD5
052463e23513c8d238a8b7d63947aadf

SHA1
3cf890fb8c19633219170427df2ee64a1b8c2c3b

SHA256
a2c493e9a20323ff7f2917731243e4b100e745d5274a3bf781e35950e08eb23e

SHA512
148ebd3a92ee3f72d6b9d6372f88b9872477b0647d5858c2873ebe5b41856eaf63dd3264235115c2051e23fe67e1ca31f71d19d670d84591f6f4feccb0c735d9

Download Submit
C:\Users\Admin\AppData\Roaming\26ED.BAA

Filesize
600B

MD5
959b86c222a4cf3c4a9a4d0120eb1cb5

SHA1
4b2187feb93cdef311cf1ef7a495bb6c256b0967

SHA256
cec8873466694b408ad5aefc8f45d88fc93861155190694cf0d3acf7c1e997a6

SHA512
5cfe5c6b9ad80b1182ecbd1ad040dec3cc78cc33955931d60a7e06437253c707e71eda7720981bae1132a5aa46cf9d2b75c09952e22fc41e9f02846edf87cad5

Download Submit
C:\Users\Admin\AppData\Roaming\26ED.BAA

Filesize
996B

MD5
809526dac5578bafef9661bf910a9255

SHA1
5619964914987ae76ea8487f5fc55e824cb1a0eb

SHA256
15132c96e95f9e96fc71a324f445b4c918e4c6820ae1e52d13a623497655b911

SHA512
5f7abbedf73e2e5ce0bd60de60098f9df93e2daa1b41f0fc0bc7adee3e6e6c44ab6c95436b490593c48ac2b84846c99639035d325200773a84eb12373384560c

Download Submit
memory/2132-80-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2132-81-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3532-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3532-13-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3532-82-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3532-182-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3532-186-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4932-12-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads