cycbot | f59245b84b7115063382965ac68e0e21351e2cd8775512319959698e4fbbb6b2

General

Target

df9793eb2e2ca59a93cf5f81c9d909cc_JaffaCakes118.exe
Size

169KB
MD5

df9793eb2e2ca59a93cf5f81c9d909cc
SHA1

ab2f7c91e16fcaca8d465b3b7ad585629657749f
SHA256

f59245b84b7115063382965ac68e0e21351e2cd8775512319959698e4fbbb6b2
SHA512

60c2fe549a5664d5edf65ff7b3177a8c591e82f69a5a6a550b51e36805fb87996407946d3b4a3e91af15f184eed8e40f95fb89e4827be7378e0006433634290c
SSDEEP

3072:+W/iD3zdj3IKcSIN0IfyoJVSG9M0YFJqnu/PcC1RGM/MXnxxDJCQm:x/iD3zJ3IhSINDa+79M04J7PJRNU3x5m

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1752-14-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/3620-15-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral2/memory/3620-16-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/3804-83-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/3620-84-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/3620-184-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/3620-188-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\12AD2\\828E7.exe"	df9793eb2e2ca59a93cf5f81c9d909cc_JaffaCakes118.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3620-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/1752-13-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/1752-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/3620-15-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/3620-16-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/3804-83-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/3620-84-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/3620-184-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/3620-188-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df9793eb2e2ca59a93cf5f81c9d909cc_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 1752	3620	df9793eb2e2ca59a93cf5f81c9d909cc_JaffaCakes118.exe	83
PID 3620 wrote to memory of 1752	3620	df9793eb2e2ca59a93cf5f81c9d909cc_JaffaCakes118.exe	83
PID 3620 wrote to memory of 1752	3620	df9793eb2e2ca59a93cf5f81c9d909cc_JaffaCakes118.exe	83
PID 3620 wrote to memory of 3804	3620	df9793eb2e2ca59a93cf5f81c9d909cc_JaffaCakes118.exe	85
PID 3620 wrote to memory of 3804	3620	df9793eb2e2ca59a93cf5f81c9d909cc_JaffaCakes118.exe	85
PID 3620 wrote to memory of 3804	3620	df9793eb2e2ca59a93cf5f81c9d909cc_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\df9793eb2e2ca59a93cf5f81c9d909cc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df9793eb2e2ca59a93cf5f81c9d909cc_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Users\Admin\AppData\Local\Temp\df9793eb2e2ca59a93cf5f81c9d909cc_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\df9793eb2e2ca59a93cf5f81c9d909cc_JaffaCakes118.exe startC:\Program Files (x86)\LP\E791\A08.exe%C:\Program Files (x86)\LP\E791
  2⤵
  PID:1752
- C:\Users\Admin\AppData\Local\Temp\df9793eb2e2ca59a93cf5f81c9d909cc_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\df9793eb2e2ca59a93cf5f81c9d909cc_JaffaCakes118.exe startC:\Program Files (x86)\D2BD4\lvvm.exe%C:\Program Files (x86)\D2BD4
  2⤵
  PID:3804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\12AD2\2BD4.2AD

Filesize
1KB

MD5
608daea9dc5a05cdca8ee131374af51d

SHA1
4e3d028db44091c701ef44aac133c781cf334418

SHA256
268922b7e1de73a788c1c4eb176af268ab5df80d4cd7936dbba4c001127096bb

SHA512
3114c469d77faf1e437c1df19ab92b497eb06b71df3e792b1b9d0ab68457b6c84881a95f8ad93edc8cfd64247f14f3aad913ce33a8c8d38624ba8027d535ac52

Download Submit
C:\Users\Admin\AppData\Roaming\12AD2\2BD4.2AD

Filesize
600B

MD5
fe7219b5cbfc64d42275702ab5609bfe

SHA1
5d0a8e3a5c7d5b9f703a75b73f1487d2a6b21923

SHA256
21f96fd5d976ea75fe1be30b270e6dbbdb73ef69e08d7e704d9c888ac7d47e7b

SHA512
defee396ed5cb86d4e07e9d73711a6846da0429ad234ff0d5e9c715cf466aa330bfcba581ce83ca168ac25c608f56df0f7912524fde4532fc4310dc2c50b6320

Download Submit
C:\Users\Admin\AppData\Roaming\12AD2\2BD4.2AD

Filesize
996B

MD5
e9a39d8383c9e430af2d731bcb18dce7

SHA1
457f46a75ae66a8f9192b3a6fc533b43180a7750

SHA256
e5422e5d19b455da0c6635aea2456012a1f72e89abe1d45830e9864fc6f64adc

SHA512
1ba16e3ccb92f411da46fd18a0d9e30415c10d3cdc0fc9ae5d1e7ae3a9c26ccda8aa263a03849c2eeb17224ac652ca9b38d30c06a09c2d41704b048bc8e0a7b0

Download Submit
memory/1752-13-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1752-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1752-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3620-16-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3620-1-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3620-84-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3620-15-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3620-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3620-184-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3620-188-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3804-83-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads