cycbot | 7dd3ea069bbb1efd94479f96ea5bbe3e8d10190e7b7008dd28a7a85ecb4ccb00

General

Target

9f37efc526ff3b959389520688292e20_JaffaCakes118.exe
Size

175KB
MD5

9f37efc526ff3b959389520688292e20
SHA1

f24defedb1abd4ee05e0a89030a3529b06dfb37a
SHA256

7dd3ea069bbb1efd94479f96ea5bbe3e8d10190e7b7008dd28a7a85ecb4ccb00
SHA512

dc97b44bb635969883590d812126cc244554a7c56ce16fb3028c7702c0a58db1efdf1269470f6076a25f2f04b51a58c34fb39dd686850088204cf72894f8210a
SSDEEP

3072:phSX+Ax0I7UfnHB+cAwqrlJ6fKdSZsak2cc742LS25892FVyyuUagvm:EROIAfnHEwGCfKdMbp9m25bnluae

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2036-14-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/4332-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/4332-16-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/4752-125-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/4332-126-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/4332-308-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\BF5CD\\447F0.exe"	9f37efc526ff3b959389520688292e20_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4332-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2036-13-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2036-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4332-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4332-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/4752-125-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4332-126-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4332-308-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f37efc526ff3b959389520688292e20_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 2036	4332	9f37efc526ff3b959389520688292e20_JaffaCakes118.exe	86
PID 4332 wrote to memory of 2036	4332	9f37efc526ff3b959389520688292e20_JaffaCakes118.exe	86
PID 4332 wrote to memory of 2036	4332	9f37efc526ff3b959389520688292e20_JaffaCakes118.exe	86
PID 4332 wrote to memory of 4752	4332	9f37efc526ff3b959389520688292e20_JaffaCakes118.exe	90
PID 4332 wrote to memory of 4752	4332	9f37efc526ff3b959389520688292e20_JaffaCakes118.exe	90
PID 4332 wrote to memory of 4752	4332	9f37efc526ff3b959389520688292e20_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\9f37efc526ff3b959389520688292e20_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9f37efc526ff3b959389520688292e20_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Users\Admin\AppData\Local\Temp\9f37efc526ff3b959389520688292e20_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\9f37efc526ff3b959389520688292e20_JaffaCakes118.exe startC:\Program Files (x86)\LP\F0BB\5FB.exe%C:\Program Files (x86)\LP\F0BB
  2⤵
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\9f37efc526ff3b959389520688292e20_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\9f37efc526ff3b959389520688292e20_JaffaCakes118.exe startC:\Program Files (x86)\CD5CA\lvvm.exe%C:\Program Files (x86)\CD5CA
  2⤵
  PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\BF5CD\D5CA.F5C

Filesize
996B

MD5
8d327c245f6b0cb7a1528ed5470a9f74

SHA1
f20150c5318d411e79dca4f6d87742867e99977e

SHA256
f037006ccb10af29f45ea674e856a567bfaab7cd582dbe216736ed9943cade18

SHA512
a4a8dfa1655c54d93b3c78052334956380686365999d826f58ee88403509eaca61cfe3e1de42c67f386108c88d66809d7062849ffdcf5786be0f5acff0238c96

Download Submit
C:\Users\Admin\AppData\Roaming\BF5CD\D5CA.F5C

Filesize
600B

MD5
f3c09d9f8c56029f196ed79e7fb85f2d

SHA1
271be5573f78bb2444cd5b7262aefd19a90661a4

SHA256
0641c7d45b4bac207e75f32d776d2aae6f4405409edab644848ba112c2cf1321

SHA512
e788551563f2944d921997254334b31cc4460119fb85e47f063aa3073c658f4e5a77bebc11b62643f664fcb55dcf4aaace5e771afa36baedd8a789bfaab733c6

Download Submit
C:\Users\Admin\AppData\Roaming\BF5CD\D5CA.F5C

Filesize
1KB

MD5
47c0e61eb3ed9e1aee39afd24c6e41cd

SHA1
47dca54fcac81ead228240651efa8d398193b63b

SHA256
e908a119643ca7041cbdf20d3fed80cf6beed06c46fd63372a5d1914d032f076

SHA512
abb5402e43f7e7af0f192b0719f8147dd0d4080baea37bd0ba7e3f7add278d11baafb762f0aa2b9ae8cd2364adb438de1cf028a80924e4884bdd42b0ecedaf2e

Download Submit
memory/2036-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2036-13-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2036-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4332-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4332-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4332-126-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4332-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4332-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4332-308-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4752-125-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads