cycbot | b29badfe1d05f069c0f6e0e63771a11c9e65e18241186d952b9ee1b86dc22a9c

General

Target

fb7ef3489999a8c0dbbf3ab3d1a52e9f_JaffaCakes118.exe
Size

192KB
MD5

fb7ef3489999a8c0dbbf3ab3d1a52e9f
SHA1

c693364964d2eb6089adbf4fea6633759a2f159e
SHA256

b29badfe1d05f069c0f6e0e63771a11c9e65e18241186d952b9ee1b86dc22a9c
SHA512

3aea7c967a3218f3ca1222ab06faa2e0f0b8e1dc463dc4c03d75115025c0cd09ff357ec59737b961cee954ed37edc04af317010002c66e64d4f32d93c73c06a1
SSDEEP

3072:7ZcAnmLBUnEj04GIYOvqdjqyd8KfG4Sd47pXQiBuAPPOQFJsfoCPB:7ZamnEjJGIbCdfbeopXQiBfPLFyoCPB

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2848-17-0x0000000000400000-0x0000000000470000-memory.dmp	family_cycbot
behavioral2/memory/1404-19-0x0000000000400000-0x0000000000470000-memory.dmp	family_cycbot
behavioral2/memory/1404-78-0x0000000000400000-0x0000000000470000-memory.dmp	family_cycbot
behavioral2/memory/2756-82-0x0000000000400000-0x0000000000470000-memory.dmp	family_cycbot
behavioral2/memory/1404-178-0x0000000000400000-0x0000000000470000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	fb7ef3489999a8c0dbbf3ab3d1a52e9f_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1404-2-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/2848-17-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/1404-19-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/1404-78-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/2756-80-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/2756-82-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/1404-178-0x0000000000400000-0x0000000000470000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb7ef3489999a8c0dbbf3ab3d1a52e9f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 2848	1404	fb7ef3489999a8c0dbbf3ab3d1a52e9f_JaffaCakes118.exe	83
PID 1404 wrote to memory of 2848	1404	fb7ef3489999a8c0dbbf3ab3d1a52e9f_JaffaCakes118.exe	83
PID 1404 wrote to memory of 2848	1404	fb7ef3489999a8c0dbbf3ab3d1a52e9f_JaffaCakes118.exe	83
PID 1404 wrote to memory of 2756	1404	fb7ef3489999a8c0dbbf3ab3d1a52e9f_JaffaCakes118.exe	91
PID 1404 wrote to memory of 2756	1404	fb7ef3489999a8c0dbbf3ab3d1a52e9f_JaffaCakes118.exe	91
PID 1404 wrote to memory of 2756	1404	fb7ef3489999a8c0dbbf3ab3d1a52e9f_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\fb7ef3489999a8c0dbbf3ab3d1a52e9f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb7ef3489999a8c0dbbf3ab3d1a52e9f_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\fb7ef3489999a8c0dbbf3ab3d1a52e9f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fb7ef3489999a8c0dbbf3ab3d1a52e9f_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2848
- C:\Users\Admin\AppData\Local\Temp\fb7ef3489999a8c0dbbf3ab3d1a52e9f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fb7ef3489999a8c0dbbf3ab3d1a52e9f_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\94EE.41F

Filesize
597B

MD5
e88bae1ca87cc68fac7eb0b0774efd6e

SHA1
5e337d518c786fc2368e99cd9d56d85659cf4d0e

SHA256
23d2c395286f5860e94c5ee632b305c2eecf3378006cbef636acc4df744ad7a9

SHA512
44ade30d6d51428df4509b6cf3b8e13b7389607980503eef0f8b72b82f24982f470d3d42a1c6fe3dbf4a27f5f0497e7412581b115d0651521fbc3f53faadff47

Download Submit
C:\Users\Admin\AppData\Roaming\94EE.41F

Filesize
1KB

MD5
0ba2bbc354e070917684db14fd54fe7d

SHA1
386af1d336fb1e9185d43e1e984339b4026c5b8c

SHA256
ecc69e1b7612987dff29cc83c7a8593b890094d97a3b04f0c018aca567d235d2

SHA512
c332fd69d27c941d24e6160f811e83b855542d94be8748877acd60ec250257cf1f096bb5a62b1c800bd8dd2f3f5bdc36b6e85052cc236df682898d69ed719a29

Download Submit
C:\Users\Admin\AppData\Roaming\94EE.41F

Filesize
897B

MD5
71fe6b7e4305a097b78e7fa0f83617b1

SHA1
93fcb8df6f11a62199bf38ddfdc6aaca5eb81a55

SHA256
5c5b182022c2a0021815e573257f8322c9e48622d6ccdffb32b170ab6b745708

SHA512
f7cc7c8e73c93bf7fee4a7bf868521b19d74205e0630cbdb5efd67f800466118f9c8653903d0bf75f201ccc23701d6e4138b504bdc9bd84607814e5450a9a9d0

Download Submit
C:\Users\Admin\AppData\Roaming\94EE.41F

Filesize
1KB

MD5
9e7cdc6d94d365f5dcf113d4754b85d1

SHA1
20d3ff90410a165254454a62e7c03b05b78967b8

SHA256
2d5173cf205393584572ba5dae15b6da184c45873e827120c3ed607027555c48

SHA512
5fa3167bef358fd4431afcc98c1bab609ec1a254721fe926c8e480a37947dc59067e4847c6225c3000f070e691878079accb07080b53e77cf6db2779154d5b12

Download Submit
memory/1404-1-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1404-2-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1404-19-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1404-78-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1404-178-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2756-80-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2756-82-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2848-17-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads