cycbot | 580ffa3d517ceb84f517877492ff44416ba1418d746fe676fb7b7ddb97b5e2a6

General

Target

d8d429f967e2119013210ef155571d1a_JaffaCakes118.exe
Size

172KB
MD5

d8d429f967e2119013210ef155571d1a
SHA1

1f04289404930e79583345fd555d36f54d13e709
SHA256

580ffa3d517ceb84f517877492ff44416ba1418d746fe676fb7b7ddb97b5e2a6
SHA512

9109f865dac4310bc33fdf6fa6c098829334a642638f0031041e551f40d3240fac4c63f353c92372a662985231cccc6f235eb452508c9f601df0f5e5034afb34
SSDEEP

3072:Pgqw8FIL6q4hrpvB5KMcpnK2W5HoA9jtxG6fgYA31UBrKws:Pgqw8FIL6nxdKM2KfHHjnIxOBDs

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3556-14-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2784-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2784-16-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/2804-121-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2784-122-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2784-300-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\3111E\\FCE24.exe"	d8d429f967e2119013210ef155571d1a_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2784-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3556-13-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3556-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2784-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2784-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/2804-121-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2784-122-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2784-300-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8d429f967e2119013210ef155571d1a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 3556	2784	d8d429f967e2119013210ef155571d1a_JaffaCakes118.exe	82
PID 2784 wrote to memory of 3556	2784	d8d429f967e2119013210ef155571d1a_JaffaCakes118.exe	82
PID 2784 wrote to memory of 3556	2784	d8d429f967e2119013210ef155571d1a_JaffaCakes118.exe	82
PID 2784 wrote to memory of 2804	2784	d8d429f967e2119013210ef155571d1a_JaffaCakes118.exe	90
PID 2784 wrote to memory of 2804	2784	d8d429f967e2119013210ef155571d1a_JaffaCakes118.exe	90
PID 2784 wrote to memory of 2804	2784	d8d429f967e2119013210ef155571d1a_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\d8d429f967e2119013210ef155571d1a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d8d429f967e2119013210ef155571d1a_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Local\Temp\d8d429f967e2119013210ef155571d1a_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d8d429f967e2119013210ef155571d1a_JaffaCakes118.exe startC:\Program Files (x86)\LP\24B3\C25.exe%C:\Program Files (x86)\LP\24B3
  2⤵
  PID:3556
- C:\Users\Admin\AppData\Local\Temp\d8d429f967e2119013210ef155571d1a_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d8d429f967e2119013210ef155571d1a_JaffaCakes118.exe startC:\Program Files (x86)\1E2D5\lvvm.exe%C:\Program Files (x86)\1E2D5
  2⤵
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3111E\E2D5.111

Filesize
996B

MD5
01a1e4d24635a9407ff5b679a355613e

SHA1
9819b56ad4286ae0c970a519d3280976e11c56e6

SHA256
73f7f5ce155380f6bbba7aa49987f64c4f63a906a66b2bbd89745f43112bb051

SHA512
81de234e087408c4a335b2b0fa6cd985585ebf7ca214bea882a40e7f0f8379a62a0ff79a23978e62fa2aa126574f1d80c8a2fa55177b978e32ebc96e9259f1ae

Download Submit
C:\Users\Admin\AppData\Roaming\3111E\E2D5.111

Filesize
600B

MD5
15c302c51abf0373a621a5f8a8c1b428

SHA1
3369ff4797fa2b64ab6149d6c70b4d3d4efa8487

SHA256
e6144feca07b0e264172f0bf9678e5ad7113c687e9f9bb30b64e442c8cee13f7

SHA512
1653c2b5a2be3ba330bcfc827ae3b4b8ce9a0f9baa227c9ada0ad1fbea970efe74c50f73a5ffa2baa2b5517d48d887352fc28542344fa4edec7ac4b8039e8a38

Download Submit
C:\Users\Admin\AppData\Roaming\3111E\E2D5.111

Filesize
1KB

MD5
d5fb528f95b43ea34399b872b19e4a6c

SHA1
02bf6f582fb6d927326bde4a3255bd301f567abc

SHA256
8cc283f0b0f266ca79cf3e5f5a3b613f4338c62c4a364e105d231997583dbe2d

SHA512
66e420d03def57bd7e0f9701e20932780a9fd7194d3f9004a611a40341b2ec52580d8b8de326c8fd578d61cc0187f4e8ad336ce5c397531c3cb71069042d5ab2

Download Submit
C:\Users\Admin\AppData\Roaming\3111E\E2D5.111

Filesize
1KB

MD5
b98affd50bec3f965abc14e1056c437c

SHA1
aa3afab282f1b49001c945730a38dead3d4e87a1

SHA256
bb2d4d33e5fcdd67fdbd52b1c2730d7fe9b58e0c71fbda873922b4a92d005b2d

SHA512
558eb9d8c5409e43222ef1dba9cbc58f369b687b3212a3ea08f10dc96b5a723bd079de47a00a0726bc5c80b56b4dd9c3df941a8fca5ba10804ce9f247e07fadf

Download Submit
C:\Users\Admin\AppData\Roaming\3111E\E2D5.111

Filesize
300B

MD5
aa18dcd992541dac48905f7d62ffc1b3

SHA1
4a2b945db35308116692e674f91717d703d40ea7

SHA256
8756024bd5ee5e81fa3b5761362c6e56e773d126e6a7d6048962cecf2eef3377

SHA512
cdc6bf6a6354f8d9d8cc299972aef01a9ae306b775e159593e9a51c14576a37cc8f7b78d4a644d24d6a2dd00488267e021b16e22da753cdf69ab19a16aeb284e

Download Submit
memory/2784-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2784-300-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2784-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2784-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2784-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2784-122-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2804-121-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3556-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3556-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3556-13-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads