cycbot | 6c1756aa530b36cac92d6ddcd49b9bc2b4b3b72ee86db90963a426c13257fae1

General

Target

efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe
Size

169KB
MD5

efe5a4dc47a3973279f70e844233de67
SHA1

14deca72174952578ceabb767f58f5ac6dadb638
SHA256

6c1756aa530b36cac92d6ddcd49b9bc2b4b3b72ee86db90963a426c13257fae1
SHA512

f0bd44b4bf10f714b49dc6d8ed675268b3f8ec135b87abfc0887b4bda444d32fea9635c8b9b3a656edf9a304922be82543ec5de2e9e0313e0c5a0f7dca1f0b51
SSDEEP

3072:3YGy9/koA4KzeRZtDb6n7MckPJHgqH9OZxG8YT1jKbvwuCXhgbGtV4tNIHlol49b:oGyNkh8HDEGxgrxpYTNLGtNIul49qSMQ

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/220-14-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/5080-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/5080-16-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/3984-75-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/5080-76-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/5080-174-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\A7E30\\AEBE9.exe"	efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5080-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/220-13-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/220-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/5080-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/5080-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/3984-75-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/5080-76-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/5080-174-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 220	5080	efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe	83
PID 5080 wrote to memory of 220	5080	efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe	83
PID 5080 wrote to memory of 220	5080	efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe	83
PID 5080 wrote to memory of 3984	5080	efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe	88
PID 5080 wrote to memory of 3984	5080	efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe	88
PID 5080 wrote to memory of 3984	5080	efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Users\Admin\AppData\Local\Temp\efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe startC:\Program Files (x86)\LP\E93A\873.exe%C:\Program Files (x86)\LP\E93A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:220
- C:\Users\Admin\AppData\Local\Temp\efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe startC:\Program Files (x86)\308DC\lvvm.exe%C:\Program Files (x86)\308DC
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A7E30\08DC.7E3

Filesize
1KB

MD5
de426d32502b42398c66a5b1025fc0a9

SHA1
9c44e61cd1cddc19bc2ce090a4ff206cb8210000

SHA256
c1978da9e6933ea1feea87d31c5e06324a821d9ef3e080098bf7487573c5fcb4

SHA512
1d611fb257c8fd07a089943ae122979984978439b6d9ab0ec11a41c11ae4b2d72d039b8b8063cae1645b771b05b1d7a08f598619cc4ed096924198850df216e0

Download Submit
C:\Users\Admin\AppData\Roaming\A7E30\08DC.7E3

Filesize
600B

MD5
efc4f26980069801a4cab00e1c3bfedf

SHA1
bd0a536ed779a813358e8b9ee746abd64f9053c0

SHA256
dd3599e09713af0c01ec39736365358a7ee3745aea917b3a68d9d971efa4c55b

SHA512
34b447d6d9423c5f3cfe1f195e934c7b1698d582f173465f2274fd352d7bbbfbdf5ebc30bf74712be948b5c8872cbd03809b881e63062fea3a791b06455d5efe

Download Submit
C:\Users\Admin\AppData\Roaming\A7E30\08DC.7E3

Filesize
996B

MD5
52b96e59c321c7ab5554c3d47de1dc0d

SHA1
a375cdea55bdd74268f70fa43491fcdf1f7a9f09

SHA256
e2774372066b2d0fd48191b8b830545989f963da045ad2cf66fe2b06e7ff545e

SHA512
5b3ee951afa65096b2b134625df487feb0783de0f376f4c5fa315a6071666dc4ad06eedd22ea03d37280d035a4b5e909acbdcf1eaba3590bebd56dc776c03ad7

Download Submit
C:\Users\Admin\AppData\Roaming\A7E30\08DC.7E3

Filesize
300B

MD5
d43fc4e02f0886d95fdd0ae84ffd469f

SHA1
598beebd701bf1d6dcdc82c87e09de417a54488c

SHA256
50249f763077298aa3ea3fa6fa3345099b8b65f99c073aabe1209997c161e294

SHA512
89866040a6654fb954bf1c525b9f0e216ccf3324c9f778688f9903370a823a3ce0c46bd878083d54b80c4add0e06ce6aff329dc3fe6dbd35a14039861a0efae2

Download Submit
memory/220-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/220-13-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/220-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3984-75-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5080-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/5080-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/5080-76-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5080-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5080-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5080-174-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads