cycbot | 1f6967d2b9a8ae24f5d8a44bd0c937b969eacb043a63986c45d599dc4d5ddfb8

General

Target

JaffaCakes118_0624ab543750b24a452d8564426a368a.exe
Size

276KB
MD5

0624ab543750b24a452d8564426a368a
SHA1

0f1e32bd73713397604bce6dbcc130e4391b1888
SHA256

1f6967d2b9a8ae24f5d8a44bd0c937b969eacb043a63986c45d599dc4d5ddfb8
SHA512

e25e441691a46af6c2b047e531e4bea71e28af5446219fb5b58b3723c14782ceca31107665b5d4caf87167b7000a3a800343314b7f2443e4cb3d65cfb6290be7
SSDEEP

6144:IhfAIAwdWYVPNQhxGe6AR4KWyZxeuedVMzjd5lI5IAs0lkF5ebS:pIRdBPqzX4sj5yyzjdPSIV0l25

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2332-13-0x0000000000400000-0x00000000004A9000-memory.dmp	family_cycbot
behavioral2/memory/3532-14-0x0000000000400000-0x00000000004A9000-memory.dmp	family_cycbot
behavioral2/memory/3532-79-0x0000000000400000-0x00000000004A9000-memory.dmp	family_cycbot
behavioral2/memory/2540-82-0x0000000000400000-0x00000000004A9000-memory.dmp	family_cycbot
behavioral2/memory/3532-176-0x0000000000400000-0x00000000004A9000-memory.dmp	family_cycbot
behavioral2/memory/3532-179-0x0000000000400000-0x00000000004A9000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\B6EEF\\F3ED3.exe"	JaffaCakes118_0624ab543750b24a452d8564426a368a.exe

Executes dropped EXE 1 IoCs

pid	Process
184	F04B.tmp

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3532-2-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral2/memory/2332-12-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral2/memory/2332-13-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral2/memory/3532-14-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral2/memory/3532-79-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral2/memory/2540-81-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral2/memory/2540-82-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral2/memory/3532-176-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral2/memory/3532-179-0x0000000000400000-0x00000000004A9000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\D3AB\F04B.tmp	JaffaCakes118_0624ab543750b24a452d8564426a368a.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2256	184	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0624ab543750b24a452d8564426a368a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F04B.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 2332	3532	JaffaCakes118_0624ab543750b24a452d8564426a368a.exe	83
PID 3532 wrote to memory of 2332	3532	JaffaCakes118_0624ab543750b24a452d8564426a368a.exe	83
PID 3532 wrote to memory of 2332	3532	JaffaCakes118_0624ab543750b24a452d8564426a368a.exe	83
PID 3532 wrote to memory of 2540	3532	JaffaCakes118_0624ab543750b24a452d8564426a368a.exe	90
PID 3532 wrote to memory of 2540	3532	JaffaCakes118_0624ab543750b24a452d8564426a368a.exe	90
PID 3532 wrote to memory of 2540	3532	JaffaCakes118_0624ab543750b24a452d8564426a368a.exe	90
PID 3532 wrote to memory of 184	3532	JaffaCakes118_0624ab543750b24a452d8564426a368a.exe	99
PID 3532 wrote to memory of 184	3532	JaffaCakes118_0624ab543750b24a452d8564426a368a.exe	99
PID 3532 wrote to memory of 184	3532	JaffaCakes118_0624ab543750b24a452d8564426a368a.exe	99

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0624ab543750b24a452d8564426a368a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0624ab543750b24a452d8564426a368a.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0624ab543750b24a452d8564426a368a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0624ab543750b24a452d8564426a368a.exe startC:\Program Files (x86)\Internet Explorer\D3AB\282.exe%C:\Program Files (x86)\Internet Explorer\D3AB
  2⤵
  PID:2332
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0624ab543750b24a452d8564426a368a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0624ab543750b24a452d8564426a368a.exe startC:\Program Files (x86)\EFE3F\lvvm.exe%C:\Program Files (x86)\EFE3F
  2⤵
  PID:2540
- C:\Program Files (x86)\Internet Explorer\D3AB\F04B.tmp
  "C:\Program Files (x86)\Internet Explorer\D3AB\F04B.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 344
    3⤵
    - Program crash
    PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 184 -ip 184
1⤵
PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\D3AB\F04B.tmp

Filesize
102KB

MD5
98983d9e6d149afd05c73f9fc444f4a9

SHA1
249cb0c59c29e0ae8940ce6928cb7e6a1d0e5bb9

SHA256
84a1c17937e04bd5090897594950e1aef33acfbbbd675fc7e319d000dfb3110a

SHA512
d94ac1f1b118ae5779458392b31375b064894807e0fc6a3fb9cbc67fb8897ba591054235bf6b52dfd21dd964bb3fe6449bfc6049ccb5466046bfe95361d33fbb

Download Submit
C:\Users\Admin\AppData\Roaming\B6EEF\FE3F.6EE

Filesize
1KB

MD5
2b4976451221d49db1b9ece332728d64

SHA1
a70df6e77050bd8099ae43c341c95e446c2f899a

SHA256
1177d7fc16f9f6a72a048cd0815c1864576f13653013fae2568639d7635016b4

SHA512
88315322e7ed754cb4486837f084011fab3334c2b052bd90a81ce41af8d5515c2ad129e1ead332847c57b6357e4dbca83dab813544ec6396e57aeca5e7e4b647

Download Submit
C:\Users\Admin\AppData\Roaming\B6EEF\FE3F.6EE

Filesize
600B

MD5
daee90a48a0ca9c8cc2906909bb18378

SHA1
9e1fecae9bd6c6e583f48291d15c251c7d631ac7

SHA256
22a7b88365c7320bf92fd54bdbb733a19df619671393fac979520c44ec7c4af0

SHA512
0a243559a4f26f1cc1cc6501c5b53e7e2267502df2fc336508c1dbd1d779ac33d1c8e487a1205e412cfb47b7bb295a8d7268ca415f7514b755d3df557ede36e5

Download Submit
C:\Users\Admin\AppData\Roaming\B6EEF\FE3F.6EE

Filesize
996B

MD5
1e22ea2ef14b658b101e94252737e70f

SHA1
5c615abe05388b9a2b6d58d70a07c0c47148bec0

SHA256
b65a536ef31ea6d10410b29e15e5b16c8ca8222898a36cb2e4b9108b3f1d19d2

SHA512
93fb0be753ad6f52a055270f8c1520e2522fa78224a76d68517864bc62088abc9078ac109af0fe7c6a132d583a780134c3686e20ada49a816ef3d06fbe690d43

Download Submit
memory/2332-13-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2332-12-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2540-81-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2540-82-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3532-14-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3532-79-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3532-1-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3532-2-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3532-176-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3532-179-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads