cycbot | 59d1a2def07c6d5cbf67773e9d9827d0fabe0e35d3cdd7e2ec30c400eb960d47

General

Target

fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe
Size

166KB
MD5

fa13215c8ba0ad19e145e3ded304594d
SHA1

f32ade890782f003a92b3ddcfb5c7301dfde85dd
SHA256

59d1a2def07c6d5cbf67773e9d9827d0fabe0e35d3cdd7e2ec30c400eb960d47
SHA512

6f25d3660894a919a8fe3540a4d7caaa1c0c8bf452dc203b111ff0e1fa249f9930a404bc6910a5483d3946b15aac53825d536d8a653800d69121de0a0f2f423c
SSDEEP

3072:Yhi/4AH4OZb3GWaef4Sc+ahiagxu2RkGUzu3jOEHNv02+a8lrhN+RF:ei/7zIe3agjHScv+aEE

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1596-14-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4928-15-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4928-16-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/4664-124-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4928-125-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4928-283-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\900CD\\6C81B.exe"	fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4928-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/1596-13-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/1596-12-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/1596-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4928-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4928-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/4664-121-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4664-122-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4664-124-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4928-125-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4928-283-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 1596	4928	fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe	83
PID 4928 wrote to memory of 1596	4928	fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe	83
PID 4928 wrote to memory of 1596	4928	fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe	83
PID 4928 wrote to memory of 4664	4928	fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe	94
PID 4928 wrote to memory of 4664	4928	fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe	94
PID 4928 wrote to memory of 4664	4928	fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Local\Temp\fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe startC:\Program Files (x86)\LP\1B19\D85.exe%C:\Program Files (x86)\LP\1B19
  2⤵
  PID:1596
- C:\Users\Admin\AppData\Local\Temp\fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe startC:\Program Files (x86)\CD8F0\lvvm.exe%C:\Program Files (x86)\CD8F0
  2⤵
  PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\900CD\D8F0.00C

Filesize
996B

MD5
24da975e38948fd7cbf0798b5d58d568

SHA1
e8d76376531ff8a9643d7785aaefd6e2c4172972

SHA256
7bdc309127fa805bf78a3c115ef7a48b222bbb924012c4c89aa5a816ffda2277

SHA512
f3c4b0aa22a0c65f4cea4fe911fe1c5c9f5d895d4ce1408be42807d79c5aca2925570236d0234cae1cb8f8b15fbb848b6571b3c1a276a3f3c467075545cac908

Download Submit
C:\Users\Admin\AppData\Roaming\900CD\D8F0.00C

Filesize
600B

MD5
bec0d11e65b2f211dbb01f100d688f27

SHA1
003827670e69de9432045b44c9bc3a88c238f588

SHA256
baa433102ccbbfc0973b7aecdf97a72b189cb299c61e20972046859e18b3afea

SHA512
b82274b8c40ea4e6ce8aae48cb2e49803c9492d3f3199ae8841e3189dec89750cb631c181b02a968f6507b304b923599c7784f4ca4080fc37c1df670c5b248fa

Download Submit
C:\Users\Admin\AppData\Roaming\900CD\D8F0.00C

Filesize
1KB

MD5
532a1f228815c369de59296b4165bc16

SHA1
763eb2fcc9c2ddbd3c58a358cd06b84aae830891

SHA256
c4b2b989aefa2827dc726d86aba5d00eae29bc2e230f182f5255d5919c2646e9

SHA512
dc88af73ee47a8d071474b279c3df5f3162cda6a2cf5d16d82af4c1785c6808229bb9e9d106076ea040d84385656405e83b52d2e7f3c475d57ddce98c1e7b223

Download Submit
memory/1596-13-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1596-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1596-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4664-122-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4664-121-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4664-124-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4928-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4928-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4928-125-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4928-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4928-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4928-283-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads