cycbot | 3a12049b5d15e912e420c9543fc0a376f75a7e425acefc9c2adfa129f119ff77

General

Target

JaffaCakes118_64fbca0499344379db2e554eb5142053.exe
Size

175KB
MD5

64fbca0499344379db2e554eb5142053
SHA1

e2cea775ace9da78646cb34ac07d113affc26b65
SHA256

3a12049b5d15e912e420c9543fc0a376f75a7e425acefc9c2adfa129f119ff77
SHA512

c3656df010b4f823155fa0ec61a3c4a6b70c4295f3f29002fa31ef50c57a7954f29ed5ead0a1bc5c99a0e7528c83312289331460061dd735ac09c071ba1090e2
SSDEEP

3072:IijUgC4ajr0X7bh+k+Hc+2WHF+dWokMKWtnnLjXXX2G3eRk6OMW5JdIRNYHuSF:0glajr0ZT+HcIHF+oodBLXXrikzgRSOS

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3476-14-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2320-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2320-16-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/2500-130-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2320-131-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2320-321-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\00CEF\\B38F9.exe"	JaffaCakes118_64fbca0499344379db2e554eb5142053.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2320-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3476-13-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3476-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2320-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2320-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/2500-129-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2500-130-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2320-131-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2320-321-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_64fbca0499344379db2e554eb5142053.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 3476	2320	JaffaCakes118_64fbca0499344379db2e554eb5142053.exe	83
PID 2320 wrote to memory of 3476	2320	JaffaCakes118_64fbca0499344379db2e554eb5142053.exe	83
PID 2320 wrote to memory of 3476	2320	JaffaCakes118_64fbca0499344379db2e554eb5142053.exe	83
PID 2320 wrote to memory of 2500	2320	JaffaCakes118_64fbca0499344379db2e554eb5142053.exe	86
PID 2320 wrote to memory of 2500	2320	JaffaCakes118_64fbca0499344379db2e554eb5142053.exe	86
PID 2320 wrote to memory of 2500	2320	JaffaCakes118_64fbca0499344379db2e554eb5142053.exe	86

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64fbca0499344379db2e554eb5142053.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64fbca0499344379db2e554eb5142053.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64fbca0499344379db2e554eb5142053.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64fbca0499344379db2e554eb5142053.exe startC:\Program Files (x86)\LP\F9D0\348.exe%C:\Program Files (x86)\LP\F9D0
  2⤵
  PID:3476
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64fbca0499344379db2e554eb5142053.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64fbca0499344379db2e554eb5142053.exe startC:\Program Files (x86)\EF6BE\lvvm.exe%C:\Program Files (x86)\EF6BE
  2⤵
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\00CEF\F6BE.0CE

Filesize
996B

MD5
6910a9a9301d9ad4f07ae739542b92e3

SHA1
190c534279632993305ccf4888f3cfc53f72d9b9

SHA256
1962c975d419370bb301cedc7353abea99c279fa2d08fce9e59923673ac74de0

SHA512
e37cf34bc4a7f3e03830edbe6de78523009e5d11af91986d742b3f570adedaff428d2d5f6d785d35e1d6ffc81fabcb70f041541047c3e8c7b700bd399018694a

Download Submit
C:\Users\Admin\AppData\Roaming\00CEF\F6BE.0CE

Filesize
600B

MD5
51b8c0e84fe62fb5ac89f00d12bb84f9

SHA1
446d3d632948e06d68c0e4bc825e13dfc49cbd36

SHA256
1d1c0bb9c7db802d25a92f7281bb6333a9df5596a4dc45c05cdfaa3ca0ae7c51

SHA512
098fd014da8250983dc7eae8ec33db03ba807c09a9360609a9c785d301daf7f2878c16163b34be394fbd71afb60f9db9833a51a0b2ccbc4ef8d21e6ff8e82506

Download Submit
C:\Users\Admin\AppData\Roaming\00CEF\F6BE.0CE

Filesize
1KB

MD5
9841833a2b8f7ea5d1b5c0e52e83313f

SHA1
a81050583beee09b0120724a2adc5c86fa22989e

SHA256
eb92ccbc3df54c5da15acd7065bdb8cd4fd504bdd59b39b87cad14b051c8ea7f

SHA512
3e9f938c40e72dbf7d0486526dc951c485d9058a93696d530f857e78520cd9e8b4b94ffe8dee8cff17e93e086c6501a7cb582a7b43e373cab5ef664f89b6470e

Download Submit
memory/2320-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2320-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2320-321-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2320-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2320-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2320-131-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2500-130-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2500-129-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3476-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3476-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3476-13-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads