cycbot | b8d2f66ed43792b1092cc1dbdc462159648740c92232c4cf4727facd9bdeaf7f

General

Target

967366d71b6ff1d93b2037badcaf4089_JaffaCakes118.exe
Size

175KB
MD5

967366d71b6ff1d93b2037badcaf4089
SHA1

abe06b4e27135b587f65c229aca2b602789cc1d3
SHA256

b8d2f66ed43792b1092cc1dbdc462159648740c92232c4cf4727facd9bdeaf7f
SHA512

536e3ba3f094b7b419a316f12370c7bfeae28ec3e402c4edd9e49dbcee63d2b3ac01243165930d542805c2556f9810bdcd311598ee46fd4b02d4ace491f3431c
SSDEEP

3072:Lu8MsX4PrUTpyw7vj89z74nEhg6/Hmhhe7hx3FjW3ydOT8kj:LuRu377nCpHmhEXjW3Jh

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

Processes:

resource	yara_rule
behavioral2/memory/3056-14-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/3388-15-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/3388-84-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/3384-88-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/3388-192-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

967366d71b6ff1d93b2037badcaf4089_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	967366d71b6ff1d93b2037badcaf4089_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3388-2-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/3056-8-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/3056-14-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/3388-15-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/3388-84-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/3384-86-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/3384-88-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/3388-192-0x0000000000400000-0x000000000048E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

967366d71b6ff1d93b2037badcaf4089_JaffaCakes118.exe967366d71b6ff1d93b2037badcaf4089_JaffaCakes118.exe967366d71b6ff1d93b2037badcaf4089_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	967366d71b6ff1d93b2037badcaf4089_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	967366d71b6ff1d93b2037badcaf4089_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	967366d71b6ff1d93b2037badcaf4089_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

967366d71b6ff1d93b2037badcaf4089_JaffaCakes118.exe

description	pid	Process	procid_target
PID 3388 wrote to memory of 3056	3388	967366d71b6ff1d93b2037badcaf4089_JaffaCakes118.exe	82
PID 3388 wrote to memory of 3056	3388	967366d71b6ff1d93b2037badcaf4089_JaffaCakes118.exe	82
PID 3388 wrote to memory of 3056	3388	967366d71b6ff1d93b2037badcaf4089_JaffaCakes118.exe	82
PID 3388 wrote to memory of 3384	3388	967366d71b6ff1d93b2037badcaf4089_JaffaCakes118.exe	90
PID 3388 wrote to memory of 3384	3388	967366d71b6ff1d93b2037badcaf4089_JaffaCakes118.exe	90
PID 3388 wrote to memory of 3384	3388	967366d71b6ff1d93b2037badcaf4089_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\967366d71b6ff1d93b2037badcaf4089_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\967366d71b6ff1d93b2037badcaf4089_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Users\Admin\AppData\Local\Temp\967366d71b6ff1d93b2037badcaf4089_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\967366d71b6ff1d93b2037badcaf4089_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3056
- C:\Users\Admin\AppData\Local\Temp\967366d71b6ff1d93b2037badcaf4089_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\967366d71b6ff1d93b2037badcaf4089_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\074B.3B2

Filesize
1KB

MD5
50b81783da1655b8997d92df054af6fb

SHA1
55fe675cfcff9bf9513bef672fe53a6f6cc36855

SHA256
995e866fac098124df91868ceb7667a6784300b2b1a63c03fc5c1b5677bd8daf

SHA512
c7515068f305a16dfedd23901b4061d0c9618276364127baea3cc87f976ce36a0e366a1cabebea4e0611116df2c32ce0209210d0cdf510f3ba9a75ecfb2711c9

Download Submit
C:\Users\Admin\AppData\Roaming\074B.3B2

Filesize
1KB

MD5
12a99f1303154f505701dea95e4769fd

SHA1
8733a080b0fd1b029f7da39efbeb3b00b1c98439

SHA256
48b566e9bab06373800f8ecaddbdd4ea78166b145c3fd8035a4da760fe384aa0

SHA512
4d7a3cb49bfff51a248178292e45d617c469f8cfc23c7476bb295439c7619fea6ddd72d0c9fb9578241b523bb25f047bbb0d16f3d33eca1f7bcd41feccd624b9

Download Submit
C:\Users\Admin\AppData\Roaming\074B.3B2

Filesize
600B

MD5
2394df870b14f2abff1dcc32b0273b07

SHA1
7377472e36d37e4cb7380b401b57936080ae9a4c

SHA256
a38fccfce9b833a03c543b74b872ae41da0ba2647338b5ef9b28cd55207caf16

SHA512
57bf0febc4e6b500c38a646264d0ee32c8e7ce27fe7d433355897c7c9ad56a05f90ff486fbd8a168a26eade0e680759ad19df9d75b8424038eb76d5723853ce9

Download Submit
C:\Users\Admin\AppData\Roaming\074B.3B2

Filesize
996B

MD5
a560ba1ec2e61679f46f52b15a7e556b

SHA1
99e22d6ee142942781d6188aff0710f18a035f75

SHA256
316a210479af1d341860263545297fc7fda60bae2aa6d1e331b351cf4c2ebf16

SHA512
66eac746b4b39e6d552dbe26f2f649fa4f208e0af874ffe49122f454957f62f32b07ad3304cde822ff90cb3a2709ac2955f6c0daf208416bb3dcd94a9e7e1ace

Download Submit
memory/3056-14-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3056-8-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3384-86-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3384-88-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3388-15-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3388-84-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3388-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3388-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3388-192-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads