cycbot | 8bd403adc225ef5512a309e52822b37c6dfad2905c327da490ab409fd4aea738

General

Target

d35a7352e12a25e36b718b07d2a74d9c_JaffaCakes118.exe
Size

174KB
MD5

d35a7352e12a25e36b718b07d2a74d9c
SHA1

0ea1212e27715dfa2adaac3679622fc8f00a8769
SHA256

8bd403adc225ef5512a309e52822b37c6dfad2905c327da490ab409fd4aea738
SHA512

717768020a4e09868324483ea9bf71b4a68cd87384a2ac4cbf09edabe61c563d7d6dda299c2963eedd75dd6fa39462880fb4b335a91c0aca0b3b25edfea46308
SSDEEP

3072:j3QTXjUhMXiYETuL6Iqp8n3Jgrz7dz8QeZII:sY65dqrVoQ

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1860-12-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral2/memory/2364-13-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral2/memory/2364-78-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral2/memory/3676-80-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral2/memory/2364-184-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	d35a7352e12a25e36b718b07d2a74d9c_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2364-2-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/1860-12-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/2364-13-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/2364-78-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/3676-80-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/2364-184-0x0000000000400000-0x000000000048D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d35a7352e12a25e36b718b07d2a74d9c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d35a7352e12a25e36b718b07d2a74d9c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d35a7352e12a25e36b718b07d2a74d9c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 1860	2364	d35a7352e12a25e36b718b07d2a74d9c_JaffaCakes118.exe	82
PID 2364 wrote to memory of 1860	2364	d35a7352e12a25e36b718b07d2a74d9c_JaffaCakes118.exe	82
PID 2364 wrote to memory of 1860	2364	d35a7352e12a25e36b718b07d2a74d9c_JaffaCakes118.exe	82
PID 2364 wrote to memory of 3676	2364	d35a7352e12a25e36b718b07d2a74d9c_JaffaCakes118.exe	87
PID 2364 wrote to memory of 3676	2364	d35a7352e12a25e36b718b07d2a74d9c_JaffaCakes118.exe	87
PID 2364 wrote to memory of 3676	2364	d35a7352e12a25e36b718b07d2a74d9c_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\d35a7352e12a25e36b718b07d2a74d9c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d35a7352e12a25e36b718b07d2a74d9c_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\d35a7352e12a25e36b718b07d2a74d9c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d35a7352e12a25e36b718b07d2a74d9c_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1860
- C:\Users\Admin\AppData\Local\Temp\d35a7352e12a25e36b718b07d2a74d9c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d35a7352e12a25e36b718b07d2a74d9c_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2D58.916

Filesize
1KB

MD5
34c583230cd6388768309f1e100af88c

SHA1
5471663919edaecb85ca658c9c42dbbd4aeb49f9

SHA256
5c72f1dae99df30438fc8c4a17bb2c00f654ec11c381476f7588b6ecf227a787

SHA512
471b8de4d256b708f18f5cbae6a3578c2b31d02ff5f91ff951dda2a17d6f2d80cdb459d845f850b79cc9e657798daee41c91d414f68d75dd4ba5edb69c2a70ad

Download Submit
C:\Users\Admin\AppData\Roaming\2D58.916

Filesize
600B

MD5
32bc4056545c139e933a4e6e27596ac2

SHA1
117e2e642167756eb080a5be4c8bb0a40881bdad

SHA256
21eddb8f4cb816f38fe678ce48cc6ada9273b56345d51165d66c9671b3098493

SHA512
d2731b3b64a14bbda6b1ce98b2c043135cfd0af143d34b0e9c5f773a18e4fc88e5237d96589a21cc7570f2fa67900fa93b243b78d2b18f8c22b0e05becd71dcc

Download Submit
C:\Users\Admin\AppData\Roaming\2D58.916

Filesize
996B

MD5
5412ee10d34ec447492347d732ba296b

SHA1
a7c5b49b9538f0b7cbab912fa0d60d07736b5ee0

SHA256
8309bcee96d85cd01d270d9090e4e75299098cf93974851c5aae458e143d0829

SHA512
13b8171bffa1395e2ff8837fae390f32c12a737ee3c66f35ba7dfa2dc51202d5145fe9932827d9edb3a42171dc24bd67fa0bda37bb87e8b162f5eb30ffa73078

Download Submit
memory/1860-12-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2364-1-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2364-2-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2364-13-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2364-78-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2364-184-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3676-80-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads