cycbot | 8f21d1e948b0b999cc58706dfb5ceb8553ae0368737eecf96d5bc38565bb1bc5

General

Target

JaffaCakes118_6b114e983562a572b9c5cf5d1e8faaaa.exe
Size

177KB
MD5

6b114e983562a572b9c5cf5d1e8faaaa
SHA1

f9544355eb30380263902b13c16bc4f2fb8d1302
SHA256

8f21d1e948b0b999cc58706dfb5ceb8553ae0368737eecf96d5bc38565bb1bc5
SHA512

2fef35dfdf91d54ffa7eb921ab875dfa1b0a044d77967cc780dcef9d18ec4ed09d5a2f4fd143ea0d6ad223355027b2326c73d7f1d7b86ed2ed49eb5a8a665e36
SSDEEP

3072:7J2sg/xi84Z9rVpXWFZk5aDsmWOZHL2CagC1PDxgjjNWLKSDhDjtGsw:7I/74Z9RpXWFu5wnZNIPtgjjNW2SDRG

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/5064-11-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral2/memory/1172-16-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral2/memory/2072-91-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral2/memory/1172-92-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral2/memory/1172-190-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_6b114e983562a572b9c5cf5d1e8faaaa.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1172-2-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/1172-1-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/5064-8-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/5064-9-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/5064-11-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/1172-16-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/2072-91-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/1172-92-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/1172-190-0x0000000000400000-0x000000000046E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6b114e983562a572b9c5cf5d1e8faaaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6b114e983562a572b9c5cf5d1e8faaaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6b114e983562a572b9c5cf5d1e8faaaa.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 5064	1172	JaffaCakes118_6b114e983562a572b9c5cf5d1e8faaaa.exe	82
PID 1172 wrote to memory of 5064	1172	JaffaCakes118_6b114e983562a572b9c5cf5d1e8faaaa.exe	82
PID 1172 wrote to memory of 5064	1172	JaffaCakes118_6b114e983562a572b9c5cf5d1e8faaaa.exe	82
PID 1172 wrote to memory of 2072	1172	JaffaCakes118_6b114e983562a572b9c5cf5d1e8faaaa.exe	83
PID 1172 wrote to memory of 2072	1172	JaffaCakes118_6b114e983562a572b9c5cf5d1e8faaaa.exe	83
PID 1172 wrote to memory of 2072	1172	JaffaCakes118_6b114e983562a572b9c5cf5d1e8faaaa.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b114e983562a572b9c5cf5d1e8faaaa.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b114e983562a572b9c5cf5d1e8faaaa.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b114e983562a572b9c5cf5d1e8faaaa.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b114e983562a572b9c5cf5d1e8faaaa.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5064
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b114e983562a572b9c5cf5d1e8faaaa.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b114e983562a572b9c5cf5d1e8faaaa.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A18B.C13

Filesize
1KB

MD5
d7490237a08c09216ba06656fcc1a47a

SHA1
d4616aab709955d463d3452a2dd32b5383ba47f5

SHA256
d61dd5f52ba16d3ff8ba13dfd464416ffa857791eeffe6f80e7fdf26771e3e02

SHA512
3e8573b93e0866c9f433b56c5385251ceee997b3dea7a1cf7ec04f529eb569f29793115347bcabe758199c57b0c60a8d3474683a258913cffbba4270b1d3d354

Download Submit
C:\Users\Admin\AppData\Roaming\A18B.C13

Filesize
600B

MD5
5fa076451717bae3211d8f6e511835a8

SHA1
d2fca1749b510850b2a739d520945113f632d236

SHA256
d0b881593c563760fb49eb4f79a69c0543eed27d112bcc68aeaeb13a3417a889

SHA512
36a1f25ceca8ffb457bb0faf8840a3195587df53188fa5151d65cd6061dcacb14361be9fba8ab1f719073ae5de0d2eb2db5b14f4f1190adf618cb062d38138db

Download Submit
C:\Users\Admin\AppData\Roaming\A18B.C13

Filesize
996B

MD5
9e8be9fad3b236d1807183ef531f0552

SHA1
db23307a9517a40c3d1d80f418978ada988dd1b4

SHA256
b082e30a12c546f66ec6c72b6feed1ac39da34bca14a6bc38bf8e68e4d156044

SHA512
c2b61c0c8f9d8090bc8b2093f5d07406b547547d4af2d9979882bc497c81380d45f8af891529d633ea20ea3e3dbec3f47e4469ed10dee621b3402d4be2268d6d

Download Submit
memory/1172-92-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1172-16-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1172-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1172-1-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1172-190-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2072-90-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2072-91-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5064-11-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5064-9-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5064-8-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads