cycbot | 7872d6bd81f83ae74492b5724bf9cbb69feacb37450cfc5269a719eb1caf0ce8

General

Target

fdbb13ab3047f47d961b7bb814717b0c_JaffaCakes118.exe
Size

184KB
MD5

fdbb13ab3047f47d961b7bb814717b0c
SHA1

b9521309c9241b87867f1bc96d66cf5629f2543b
SHA256

7872d6bd81f83ae74492b5724bf9cbb69feacb37450cfc5269a719eb1caf0ce8
SHA512

2f6c5a69e4c0d43355ddfbe8e32dcb04ff9d0b12214f39ae53dbae87b1a2a7d4452de6832e7fbb286831c88660b8cbf80d6b1b46eeaa124b0ce49f4e0f8dbfa5
SSDEEP

3072:evX3OzJxnt5hxLqPFRs+eEDv0qv+CUqZiu034z3k29eFBtYV8HhC/u8t3uwL:efAVxeRnPtZR1zUgJVMhC3t+wL

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/644-14-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral2/memory/3876-15-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral2/memory/3876-73-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral2/memory/2616-75-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral2/memory/3876-188-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	fdbb13ab3047f47d961b7bb814717b0c_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3876-2-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/644-12-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/644-14-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/3876-15-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/3876-73-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/2616-75-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/3876-188-0x0000000000400000-0x000000000046E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdbb13ab3047f47d961b7bb814717b0c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdbb13ab3047f47d961b7bb814717b0c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdbb13ab3047f47d961b7bb814717b0c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 644	3876	fdbb13ab3047f47d961b7bb814717b0c_JaffaCakes118.exe	83
PID 3876 wrote to memory of 644	3876	fdbb13ab3047f47d961b7bb814717b0c_JaffaCakes118.exe	83
PID 3876 wrote to memory of 644	3876	fdbb13ab3047f47d961b7bb814717b0c_JaffaCakes118.exe	83
PID 3876 wrote to memory of 2616	3876	fdbb13ab3047f47d961b7bb814717b0c_JaffaCakes118.exe	93
PID 3876 wrote to memory of 2616	3876	fdbb13ab3047f47d961b7bb814717b0c_JaffaCakes118.exe	93
PID 3876 wrote to memory of 2616	3876	fdbb13ab3047f47d961b7bb814717b0c_JaffaCakes118.exe	93

C:\Users\Admin\AppData\Local\Temp\fdbb13ab3047f47d961b7bb814717b0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdbb13ab3047f47d961b7bb814717b0c_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Users\Admin\AppData\Local\Temp\fdbb13ab3047f47d961b7bb814717b0c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fdbb13ab3047f47d961b7bb814717b0c_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:644
- C:\Users\Admin\AppData\Local\Temp\fdbb13ab3047f47d961b7bb814717b0c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fdbb13ab3047f47d961b7bb814717b0c_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\947F.1C7

Filesize
1KB

MD5
f3a237489942afa633e8d2e8cf82ac8d

SHA1
5ee7a5e15c0cec6ec6dbb7ac58f98f1408918df8

SHA256
77576f31db6dec5525a5c746f52ea4f7e91c1dcd6bba82cff6ce33334639fb96

SHA512
0bc16b79f85ead2e47170b29ff3735b38895c24ca39593993e3e8ff2e95c49e180b2d807bfe45c2d4e753b6949163ff31452f85fbb705d662befbea5a3fe2a1e

Download Submit
C:\Users\Admin\AppData\Roaming\947F.1C7

Filesize
1KB

MD5
8280b25512e97557339e31112bb82db3

SHA1
3194e8af1bec8c698fad6c846d1108e283202b97

SHA256
d5b66bb6950f63dcdad3904a6241b52f6d162305ec15816bf42878e8d75fd910

SHA512
3c25811e6eec319a90670e26f88533367da205ef595ffd0a4278ab9143d37eedf6ba5850f089dc001d0db11cc643f14d4410503a1d3deeaff4dbecfccb149b0b

Download Submit
C:\Users\Admin\AppData\Roaming\947F.1C7

Filesize
600B

MD5
127bc011107c8ff329c53b37933ed1af

SHA1
48f0157aa3e8cf649a7c81363b19162895469d1d

SHA256
1a918d01b1eceb82a518b153abd454513c2e22da4b8153c8beece7d62c59721e

SHA512
517a0a2fc88d84f8195921165426efc77557d875e3348aab8a23c90c314638543398569dd30b99afd544ea35dc29eda1768577a97f33875f65b047ef71fc593e

Download Submit
C:\Users\Admin\AppData\Roaming\947F.1C7

Filesize
996B

MD5
acec12d94930eb01ac06b0b863f4a0dc

SHA1
219ac04a0cc668c3957430968e7ac162e1cf5d07

SHA256
ace7869dfc2fe0b514e72a91c80984c1ac359d082f72e74a103d188c994719ae

SHA512
c6720fcc73b4907f842678545074e9421ce77badceb2db6a0173eed0de8fff7760b80382876e3ee67897e95c8352a5632ef0dccfb2831d4940e35e5b36436c18

Download Submit
memory/644-12-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/644-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2616-75-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3876-1-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3876-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3876-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3876-73-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3876-188-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads