cycbot | 71b893c3114cf33324998bbc2a7921feb75a78ff23c95966cb55b92a0f144b4e

General

Target

dc2df23d6d7eb88bc9c262228f8391ba_JaffaCakes118.exe
Size

173KB
MD5

dc2df23d6d7eb88bc9c262228f8391ba
SHA1

41feac1a05b090ade52db12b885570be4f5f0e78
SHA256

71b893c3114cf33324998bbc2a7921feb75a78ff23c95966cb55b92a0f144b4e
SHA512

30a9c015960595b4f66d69fdc4d04f778a7ed536cc29ddb6b797a0dafa1d7baf33fd72b4e205957b04365eb7dc2cb590df685b91611acde17a73f170749cff9c
SSDEEP

3072:BEEGA3tiI4Jay87me/Y4uy5pMeSlY9pjrR:XGA3tMameiy52e2Yzj

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1244-15-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral2/memory/3716-16-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral2/memory/3716-89-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral2/memory/3392-91-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral2/memory/3716-220-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	dc2df23d6d7eb88bc9c262228f8391ba_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3716-2-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/1244-13-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/1244-12-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/1244-15-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/3716-16-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/3716-89-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/3392-91-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/3716-220-0x0000000000400000-0x000000000048D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc2df23d6d7eb88bc9c262228f8391ba_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc2df23d6d7eb88bc9c262228f8391ba_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc2df23d6d7eb88bc9c262228f8391ba_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 1244	3716	dc2df23d6d7eb88bc9c262228f8391ba_JaffaCakes118.exe	82
PID 3716 wrote to memory of 1244	3716	dc2df23d6d7eb88bc9c262228f8391ba_JaffaCakes118.exe	82
PID 3716 wrote to memory of 1244	3716	dc2df23d6d7eb88bc9c262228f8391ba_JaffaCakes118.exe	82
PID 3716 wrote to memory of 3392	3716	dc2df23d6d7eb88bc9c262228f8391ba_JaffaCakes118.exe	88
PID 3716 wrote to memory of 3392	3716	dc2df23d6d7eb88bc9c262228f8391ba_JaffaCakes118.exe	88
PID 3716 wrote to memory of 3392	3716	dc2df23d6d7eb88bc9c262228f8391ba_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\dc2df23d6d7eb88bc9c262228f8391ba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc2df23d6d7eb88bc9c262228f8391ba_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Users\Admin\AppData\Local\Temp\dc2df23d6d7eb88bc9c262228f8391ba_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\dc2df23d6d7eb88bc9c262228f8391ba_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1244
- C:\Users\Admin\AppData\Local\Temp\dc2df23d6d7eb88bc9c262228f8391ba_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\dc2df23d6d7eb88bc9c262228f8391ba_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E109.6F1

Filesize
1KB

MD5
ebed71d9980bb8d1afe46347018322c0

SHA1
1efcfc61c08f3824fe6f8a0fb2d3a7a29609bf66

SHA256
c0f11920aa887a2f87741f1e5a927d4638874ac969367da3e664fb1d720805d9

SHA512
74770639d4cd45a7fbbd2b9cb3da07d37deb7354248e8225ecc5bfd188e8261af20a6ad6147437a1388c824b0dcb015432a7b6bfe0639baaaec166aa0ac9d159

Download Submit
C:\Users\Admin\AppData\Roaming\E109.6F1

Filesize
1KB

MD5
36643b1b225a519c69492f77973a17be

SHA1
413300dba27924200b6aa82ce25e0ab29d11371c

SHA256
b500f838a314b9d76a5739bc64f158536f5ab86e120868c097ff48459bd74671

SHA512
a813eea874f023cd08ed13f2a8650c1255d1da08b7d0cf77ee51ae34715ed0e8cde0e5b6ec20519e74e42978854867c7a029a843f093b8d172477af5eb1e58c2

Download Submit
C:\Users\Admin\AppData\Roaming\E109.6F1

Filesize
600B

MD5
bcbcd9db4a5b9974708af54d46728fa4

SHA1
8ea5a4b02a2a90dda8d729b6364f23ad5128786f

SHA256
66fe0db8b44176db8a8a92bcf5739be22679856b0fc64012089af3035fed3d73

SHA512
2ac2b92deb68c8a074f286d2f9bae1a297e104a2f7ca2014d1d2ec4a5c467150d190aeed8c4008720d075bcd88650ac74842dc9f956fc3bcf3702b5adb238515

Download Submit
C:\Users\Admin\AppData\Roaming\E109.6F1

Filesize
996B

MD5
ee5266eec6f6620013f5e563f8767084

SHA1
8236721b8210b9656cf23b63d04c8854b96df563

SHA256
e20b664efdfcf04feeec3c9051901b18773e33fa11d253cb546348673980c1c1

SHA512
26169e689ece927f9bf4a75b83e015aae72afc4af498ce3297bc3f44829f34b679aee624488d1078d6c590812ff3a1fbb0b063e99154dbd90ca54142c71f8132

Download Submit
memory/1244-15-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1244-12-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1244-13-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3392-91-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3716-16-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3716-89-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3716-1-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3716-2-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3716-220-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads