cycbot | d0197ce66acc70262f8c61e92b5791c6a21883de2c36e87a9341bf50af89dde5

General

Target

fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe
Size

170KB
MD5

fea600a8de189f2bb2c855d4bb9be01c
SHA1

5ed7bd9864320e329ab552362fe116c660ddecb2
SHA256

d0197ce66acc70262f8c61e92b5791c6a21883de2c36e87a9341bf50af89dde5
SHA512

5083425bba0d1297436feca6bb2290c0012b9664cdfc7f1aa0b4988899d85f06fbbac052ec0ed82a8853d93fd79875a8f9ce37f3e1bef7082185d9bae98691d6
SSDEEP

3072:mc26ztd+oAyCaGivZcWcrGBsA4Ms+dyE/zoapy9u941LkHC1N9f:J26/3G/WQYs+q9848MB

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4728-14-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/5032-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/5032-16-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/4692-111-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/5032-112-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/5032-258-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\0E5ED\\9217E.exe"	fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5032-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4728-13-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4728-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/5032-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/5032-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/4692-109-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4692-111-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/5032-112-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/5032-258-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 4728	5032	fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe	84
PID 5032 wrote to memory of 4728	5032	fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe	84
PID 5032 wrote to memory of 4728	5032	fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe	84
PID 5032 wrote to memory of 4692	5032	fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe	95
PID 5032 wrote to memory of 4692	5032	fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe	95
PID 5032 wrote to memory of 4692	5032	fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe	95

C:\Users\Admin\AppData\Local\Temp\fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Users\Admin\AppData\Local\Temp\fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe startC:\Program Files (x86)\LP\7E00\CA3.exe%C:\Program Files (x86)\LP\7E00
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4728
- C:\Users\Admin\AppData\Local\Temp\fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe startC:\Program Files (x86)\EDEF2\lvvm.exe%C:\Program Files (x86)\EDEF2
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0E5ED\DEF2.E5E

Filesize
996B

MD5
b2c57fd4671e678da938778d61ca8ac3

SHA1
53e653a15ec816347c21a6d6ce72c0adc2d3680a

SHA256
0337fd2351306651aec5e8b7cf6d05e18ef9e38d7519010fd26b0153b03fd81f

SHA512
d5d0a46000ec9d3f4fd0ec02d6449224f3f6305d29aa3e6aa1a88cc5fe2dfadd86b91b9c4ee86071573df1fda9baade0b13b67e25a1036b86b94c588028cea57

Download Submit
C:\Users\Admin\AppData\Roaming\0E5ED\DEF2.E5E

Filesize
1KB

MD5
7ee17cf719df11f29236ed2441dea715

SHA1
fbba42441bdd4152d0652a67c57935c7b7efdb29

SHA256
8343033e128d1c89314a55423276c2b82624016311f4d09c62a33b069c6edda6

SHA512
d2e25c6cb88c4352f1c92a20afcc89d1c2f70bb50d465e12edc709f0a43c6602913778a81300d7fe7e797df172d1d191c5c97b3a798eb7e3c5a5797fd73d8d78

Download Submit
C:\Users\Admin\AppData\Roaming\0E5ED\DEF2.E5E

Filesize
600B

MD5
a162dc99289a539df6d8d18f91c81101

SHA1
6a3e342f29107ce7ce81814e0f38ca7258b91506

SHA256
775dedcc18cca1cb7e5ff9e4ab4bbece43c6890c4176695d35f3fa5312ac0093

SHA512
baea032bc409db7b04a637b7b51fa817092dab4e4e5ec52839fd4b92940e7b8526f581ba1c5cc463287a33a388054dfd859f6aa6a38671c87708da3ac3e921d6

Download Submit
C:\Users\Admin\AppData\Roaming\0E5ED\DEF2.E5E

Filesize
596B

MD5
cff87b0ad67b187d9990876ed6cd9d7c

SHA1
e5058fefc132785f217e7d4f99e7f6d23f952736

SHA256
f821bce45237f90a2ed495aad5ecc4ea4b81af510fbe612c78954ea1ce737b99

SHA512
e540965a544ea8f3f8048100f3c55d899d2404166df02fb4e19c4bdc98259505aa7115a4978f5f7a256d3534c28c9fb16a660f6354d7cec6ae84959013b98cfe

Download Submit
memory/4692-111-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4692-109-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4728-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4728-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4728-13-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5032-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/5032-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5032-112-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5032-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/5032-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5032-258-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads