cycbot | 1c97d2a1eceae2103ae91b9e7843f293d35197b447a7f785913bd63b967449b5

General

Target

JaffaCakes118_1949203e6d457420287be590d762e60b.exe
Size

193KB
MD5

1949203e6d457420287be590d762e60b
SHA1

0e55bfb2db400591f77b81715cd922aafce0c061
SHA256

1c97d2a1eceae2103ae91b9e7843f293d35197b447a7f785913bd63b967449b5
SHA512

3f340a6761d40c3b80f9e79a5ac873b44623f4d692c0c921bc8f46e47d4471a2820d44b9d5b3be72281c4a8fb3e14ce25dec6e56df3bab667911e4b5b26ce57a
SSDEEP

6144:o4EmD56e1xBvEkbLGcAzpMVR2dulRXWJO:MoB8ArR4oln

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3276-15-0x0000000000400000-0x0000000000470000-memory.dmp	family_cycbot
behavioral2/memory/4260-16-0x0000000000400000-0x0000000000470000-memory.dmp	family_cycbot
behavioral2/memory/3452-102-0x0000000000400000-0x0000000000470000-memory.dmp	family_cycbot
behavioral2/memory/4260-103-0x0000000000400000-0x0000000000470000-memory.dmp	family_cycbot
behavioral2/memory/4260-205-0x0000000000400000-0x0000000000470000-memory.dmp	family_cycbot
behavioral2/memory/4260-208-0x0000000000400000-0x0000000000470000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_1949203e6d457420287be590d762e60b.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4260-2-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/3276-8-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/3276-9-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/3276-15-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/4260-16-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/3452-101-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/3452-102-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/4260-103-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/4260-205-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/4260-208-0x0000000000400000-0x0000000000470000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1949203e6d457420287be590d762e60b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 3276	4260	JaffaCakes118_1949203e6d457420287be590d762e60b.exe	82
PID 4260 wrote to memory of 3276	4260	JaffaCakes118_1949203e6d457420287be590d762e60b.exe	82
PID 4260 wrote to memory of 3276	4260	JaffaCakes118_1949203e6d457420287be590d762e60b.exe	82
PID 4260 wrote to memory of 3452	4260	JaffaCakes118_1949203e6d457420287be590d762e60b.exe	83
PID 4260 wrote to memory of 3452	4260	JaffaCakes118_1949203e6d457420287be590d762e60b.exe	83
PID 4260 wrote to memory of 3452	4260	JaffaCakes118_1949203e6d457420287be590d762e60b.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1949203e6d457420287be590d762e60b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1949203e6d457420287be590d762e60b.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1949203e6d457420287be590d762e60b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1949203e6d457420287be590d762e60b.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:3276
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1949203e6d457420287be590d762e60b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1949203e6d457420287be590d762e60b.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A4EA.CA1

Filesize
1KB

MD5
d9f44c7b06f8b7d7e5ea2bd2078e41bb

SHA1
5499d715cd737944ea235359f5bfae18ddb8b790

SHA256
925154ee4e477f6ea62ded4ddc9491db8b50596625ec2d41f2c31d03921d935c

SHA512
b528b09127cf4cd8c02682510bd42b0b86364ac142ae5953b3e5fee6a10b0c1d4fc69a241d5fe240422770fbbc30267fb7ad59e42a6ac2b4b032cc29171dc0c1

Download Submit
C:\Users\Admin\AppData\Roaming\A4EA.CA1

Filesize
1KB

MD5
32cfa97c8c1256bb3fb74484903aad42

SHA1
8f48b16f54e5285141d0e0b6f49585dff60b95d4

SHA256
893ea33ccea79911ee0bdb51bd6cf21c33c94a295b28ea032c00607403b2ec96

SHA512
5a6ed2cf0b133a86741ca48a836f0edd3d325a445c538b3062b82c264fbbffecd1ce00acc26c1489b6beace1b9c1465c40a5919aa37a8941ab331ff4b4fe504f

Download Submit
C:\Users\Admin\AppData\Roaming\A4EA.CA1

Filesize
1KB

MD5
a2aab259d53cd95361d1f984d9c5fb09

SHA1
952a21c413a54d0cfad3fd04640b11518ba984d6

SHA256
def2f53e64466f6dadb0d24371ef0cb9814390fbde44cd569aab506d7e208025

SHA512
e771909792c707b901f73ca62ebd004de662f589da5a4ba62df8cff3eb1467a975539b849878b66d53a3a7722cb13898e0116211e21097848ce5c57c1c3c29d2

Download Submit
C:\Users\Admin\AppData\Roaming\A4EA.CA1

Filesize
600B

MD5
c5bc6566c35f9fd72f6bafaf99a0e314

SHA1
60969f6067129521fa8ad4bda696a91be410301d

SHA256
49b5ce7bba97974289e0ae9a4e19c979c553afba4600e07e6adbab2b27e9a82a

SHA512
4bed5b7bdef5407a1398bdf451d13a31d716f2c98abbbee61a7564492ed860445615d7123b9d5efef14039af428bddc247f7f36d9a948224570b30143ad68552

Download Submit
memory/3276-9-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3276-15-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3276-8-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3452-101-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3452-102-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4260-16-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4260-103-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4260-1-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4260-2-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4260-205-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4260-208-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads