cycbot | c9375aa7c4ba5f8dea24a40a4dd67e7ffb232f08d63e05c4044b862ced5251c3

General

Target

ec477414a41353fe0ef989b49ee5601b_JaffaCakes118.exe
Size

169KB
MD5

ec477414a41353fe0ef989b49ee5601b
SHA1

7e05292993ffe029a5642cc1b26cd7a0eeaa9c9e
SHA256

c9375aa7c4ba5f8dea24a40a4dd67e7ffb232f08d63e05c4044b862ced5251c3
SHA512

645702e775923febe5001eb18954efc76d7b7360107687922f690713f31c8549989d9243cbeb64b4a849849f64103db86300446d4e74c04ddecb985c6df3bd65
SSDEEP

3072:CY1hC/qJjfzN3vb67yN4RpKcZRhBDBRA5bQHACbpb8MO99R/P9NkPOd3MOYs:CYSyh53PNaPZR4VS98bnEPOd3M4

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2284-9-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2872-11-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/2872-12-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2708-75-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/2708-74-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2872-72-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2872-146-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\BD427\\D97D0.exe"	ec477414a41353fe0ef989b49ee5601b_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2872-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2284-9-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2872-11-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2872-12-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2708-75-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2708-74-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2872-72-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2872-146-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec477414a41353fe0ef989b49ee5601b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec477414a41353fe0ef989b49ee5601b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec477414a41353fe0ef989b49ee5601b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2284	2872	ec477414a41353fe0ef989b49ee5601b_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2284	2872	ec477414a41353fe0ef989b49ee5601b_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2284	2872	ec477414a41353fe0ef989b49ee5601b_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2284	2872	ec477414a41353fe0ef989b49ee5601b_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2708	2872	ec477414a41353fe0ef989b49ee5601b_JaffaCakes118.exe	29
PID 2872 wrote to memory of 2708	2872	ec477414a41353fe0ef989b49ee5601b_JaffaCakes118.exe	29
PID 2872 wrote to memory of 2708	2872	ec477414a41353fe0ef989b49ee5601b_JaffaCakes118.exe	29
PID 2872 wrote to memory of 2708	2872	ec477414a41353fe0ef989b49ee5601b_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\ec477414a41353fe0ef989b49ee5601b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec477414a41353fe0ef989b49ee5601b_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\ec477414a41353fe0ef989b49ee5601b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ec477414a41353fe0ef989b49ee5601b_JaffaCakes118.exe startC:\Program Files (x86)\LP\D05B\18D.exe%C:\Program Files (x86)\LP\D05B
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2284
- C:\Users\Admin\AppData\Local\Temp\ec477414a41353fe0ef989b49ee5601b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ec477414a41353fe0ef989b49ee5601b_JaffaCakes118.exe startC:\Program Files (x86)\274B6\lvvm.exe%C:\Program Files (x86)\274B6
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\BD427\74B6.D42

Filesize
300B

MD5
0d92ffdf8efbba08a90aed0d5f3bf720

SHA1
9db6118bb5882a777a641b800edaa13a4c8b7875

SHA256
29b0b5f0cdcaaffd30e59e894e8bb9ab0874e16168508338ff68cf3e34fb8e2c

SHA512
28be4c517599659228912f4472cfd7fb651546804a3d91a949689fd7776e31774975dd8c470387d0a003c1e7bd68ddbb9838cd33d88b6746247de243f1bd0d72

Download Submit
C:\Users\Admin\AppData\Roaming\BD427\74B6.D42

Filesize
1KB

MD5
2194dc54494b2a01a32793a39b159850

SHA1
4cb8aae7ec82851f45c0b9080f16e7fd8185584c

SHA256
dcf99162899862c72092de32042a5d78a11793f5b9cde98615917b11d6eb2605

SHA512
586f1c227e5261de477e205ff6bbee2ecd8ad15f5d7c7cd55da75bd4e72944f76668384ca70515ac53ea28fab336e09af3d98f53a80934878344be7e0171038e

Download Submit
C:\Users\Admin\AppData\Roaming\BD427\74B6.D42

Filesize
696B

MD5
776cf0d9e76680aaa52a7c85502f77db

SHA1
856201435b58ff2dfec14c4127eef7528f8ed19c

SHA256
efcff727f2411b936dc60c86acb64180d8e3671d4d08a24710d61e6fa9878932

SHA512
b7937936134ff02e7d14585d806d855fa015c143e6ae2a94852de44e97192e28aba7db1ff8edc8903d2f587c2242f6f99d1f2c796cdc83aad6f437926093458e

Download Submit
memory/2284-8-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2284-9-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2284-10-0x00000000004A0000-0x000000000051B000-memory.dmp

Filesize
492KB

Download
memory/2708-75-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2708-76-0x0000000002170000-0x00000000021EB000-memory.dmp

Filesize
492KB

Download
memory/2708-74-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2872-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2872-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2872-72-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2872-11-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2872-146-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2872-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads