cycbot | 600407241da060c46887b337564359531405adfbfa92475a3100aaa559807ec5

General

Target

c9f9737348a543e60117ab280dded5cd_JaffaCakes118.exe
Size

173KB
MD5

c9f9737348a543e60117ab280dded5cd
SHA1

6eb3695864b28ebe99b44e2bed88c1f924a3d26c
SHA256

600407241da060c46887b337564359531405adfbfa92475a3100aaa559807ec5
SHA512

c5a5c28e478cfe60f0a19990c4e815934b72e250b625d1f98d722c235c26e5a063459765e162521d4c4c2ea87dfb5b08267c45c362b799a387611b5f7207d455
SSDEEP

3072:i9DX4mWWPLBFls716MUediJUBID4eJJ901FZnE5Fl90H9sTffK3M8fonrhWEByMv:iRFNLBFqXUtUSJy1Q5F0H9wq3Mi8DBHn

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2696-14-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4244-15-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4244-16-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/5012-115-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4244-116-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4244-306-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\E43F1\\828E7.exe"	c9f9737348a543e60117ab280dded5cd_JaffaCakes118.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4244-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2696-12-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2696-13-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2696-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4244-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4244-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/5012-115-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4244-116-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4244-306-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9f9737348a543e60117ab280dded5cd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9f9737348a543e60117ab280dded5cd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9f9737348a543e60117ab280dded5cd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 2696	4244	c9f9737348a543e60117ab280dded5cd_JaffaCakes118.exe	87
PID 4244 wrote to memory of 2696	4244	c9f9737348a543e60117ab280dded5cd_JaffaCakes118.exe	87
PID 4244 wrote to memory of 2696	4244	c9f9737348a543e60117ab280dded5cd_JaffaCakes118.exe	87
PID 4244 wrote to memory of 5012	4244	c9f9737348a543e60117ab280dded5cd_JaffaCakes118.exe	100
PID 4244 wrote to memory of 5012	4244	c9f9737348a543e60117ab280dded5cd_JaffaCakes118.exe	100
PID 4244 wrote to memory of 5012	4244	c9f9737348a543e60117ab280dded5cd_JaffaCakes118.exe	100

C:\Users\Admin\AppData\Local\Temp\c9f9737348a543e60117ab280dded5cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c9f9737348a543e60117ab280dded5cd_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Users\Admin\AppData\Local\Temp\c9f9737348a543e60117ab280dded5cd_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\c9f9737348a543e60117ab280dded5cd_JaffaCakes118.exe startC:\Program Files (x86)\LP\E79E\A08.exe%C:\Program Files (x86)\LP\E79E
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2696
- C:\Users\Admin\AppData\Local\Temp\c9f9737348a543e60117ab280dded5cd_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\c9f9737348a543e60117ab280dded5cd_JaffaCakes118.exe startC:\Program Files (x86)\F1ABF\lvvm.exe%C:\Program Files (x86)\F1ABF
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E43F1\1ABF.43F

Filesize
996B

MD5
43f4fff954f0e19f7851f614a83e310f

SHA1
6a386fbadaaa315232b5695bb6d9682d612cbe3f

SHA256
8acd0df721370c06695792e9ab9adc976b52b2a2cbdb26f9b31eb7996fec48e5

SHA512
b33113d05705bc0fc0a5e8abf392632cfd7c93ea1b23dac7d9e870af1e16eae80d571708fef6a1827b0b1f2c65992828f96919d7ac977126ff782e8a169c89ed

Download Submit
C:\Users\Admin\AppData\Roaming\E43F1\1ABF.43F

Filesize
1KB

MD5
7745b962c5752e874112b37817996778

SHA1
9c127f7ff97b858560f676e9d088d20062a40a95

SHA256
109e50c2fdbbb5f4f0f969d52bb67ae24596d7c0ea22906730283c3e219edf00

SHA512
ffdc551a81d4bc86c8ba93adde313440afea4396d4107340c9acfa8d2a04c2ec094464e8744291fff2e0554d06f2300653279c202d1611d9f6ed7215e0837433

Download Submit
C:\Users\Admin\AppData\Roaming\E43F1\1ABF.43F

Filesize
600B

MD5
77fb40132b4052e72bc3124afe427e67

SHA1
cb2cafeee880527bd8f86d54931d7a6e26d8c85c

SHA256
d84adc85aeec9a5ad1087330221f78df9f9918392b4f7f703d43bcae4ff82c42

SHA512
73b711f4eaee932d5c59404793eb4a4b9ff033ef479aa5be623678c84274312c5b39ffd670eebc94643d83c25b9834243b89b7bd523605040b68e4b691a45f2d

Download Submit
memory/2696-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2696-13-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2696-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4244-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4244-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4244-116-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4244-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4244-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4244-306-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5012-113-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5012-115-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads