cycbot | 1e424f2536d03c57ab46b2c3ef5dd0ba885546d8dcafda676b9a73174a9f2763

General

Target

JaffaCakes118_0bf4554992ee0878a8abb67e4677d80c.exe
Size

164KB
MD5

0bf4554992ee0878a8abb67e4677d80c
SHA1

46aefaf1ab4bf380606fb91d52760a3999186c43
SHA256

1e424f2536d03c57ab46b2c3ef5dd0ba885546d8dcafda676b9a73174a9f2763
SHA512

0b2bcd4a61953679f30b19c4e0950c10f85bce93273feadd94e842cb961feb1d7c73ce99644d28109781c7c63e5849de56af89c3f0e9665a0305c3afd1ad795d
SSDEEP

3072:8E6pnXFXE7Nc1ekFPK3GPNltV8AlsaWQPE0taSk5KipEk7YE+ou9BrO:8fn1XEZFsPzXtaAls/qbtQcipEqYdfO

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4808-16-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/3176-17-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/3176-18-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/1856-128-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/3176-129-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/3176-287-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\64BFB\\5E6C2.exe"	JaffaCakes118_0bf4554992ee0878a8abb67e4677d80c.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3176-3-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4808-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4808-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4808-16-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3176-17-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3176-18-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/1856-128-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3176-129-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3176-287-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0bf4554992ee0878a8abb67e4677d80c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0bf4554992ee0878a8abb67e4677d80c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0bf4554992ee0878a8abb67e4677d80c.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 4808	3176	JaffaCakes118_0bf4554992ee0878a8abb67e4677d80c.exe	84
PID 3176 wrote to memory of 4808	3176	JaffaCakes118_0bf4554992ee0878a8abb67e4677d80c.exe	84
PID 3176 wrote to memory of 4808	3176	JaffaCakes118_0bf4554992ee0878a8abb67e4677d80c.exe	84
PID 3176 wrote to memory of 1856	3176	JaffaCakes118_0bf4554992ee0878a8abb67e4677d80c.exe	90
PID 3176 wrote to memory of 1856	3176	JaffaCakes118_0bf4554992ee0878a8abb67e4677d80c.exe	90
PID 3176 wrote to memory of 1856	3176	JaffaCakes118_0bf4554992ee0878a8abb67e4677d80c.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bf4554992ee0878a8abb67e4677d80c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bf4554992ee0878a8abb67e4677d80c.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bf4554992ee0878a8abb67e4677d80c.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bf4554992ee0878a8abb67e4677d80c.exe startC:\Program Files (x86)\LP\C2E6\D78.exe%C:\Program Files (x86)\LP\C2E6
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4808
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bf4554992ee0878a8abb67e4677d80c.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bf4554992ee0878a8abb67e4677d80c.exe startC:\Program Files (x86)\FB26A\lvvm.exe%C:\Program Files (x86)\FB26A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\64BFB\B26A.4BF

Filesize
996B

MD5
6aea6bcab35d60b79f24680aaf75a6ba

SHA1
39ac9f72098b06ad1d66ee6ef98523fc48685a6a

SHA256
0e477bc2f83288bf16de46230ac9f04ddbd5ad348960070c0b63de90763da9c6

SHA512
bb07ed94a211cb8f3d8ac8ef8f629561ffd8408b676161d42ceaf3f942ce43c76e1a098a91c2b803aefc091e58cd1b7e2a071555b5825ebde1fbe76fbb129ed9

Download Submit
C:\Users\Admin\AppData\Roaming\64BFB\B26A.4BF

Filesize
600B

MD5
efa50defaa843f3770b954b737977d24

SHA1
bc0b833709775fa95530721afedca48c26249642

SHA256
8f5e478fc18baef1934fa1099e8c5701eff73f3f6ac70a1b2524c8bea5fbefcd

SHA512
a68ad0a425a26477fe831c2730c6977aa4cc318164daf0b561c0d9459d97f23a6b435f0095fd6ba72c3d20b7e418cf508430fe7d409545213e56e2ee11a6c29a

Download Submit
C:\Users\Admin\AppData\Roaming\64BFB\B26A.4BF

Filesize
1KB

MD5
8253fb6eccd20b3e0b3664501c44c5de

SHA1
d7d0127ec9013f494d3daa94ac1794fbdb34b6d3

SHA256
85a40ac2946a71295d25ab4fbcb1cc54e13f0e4279edad8672856cad30cf7126

SHA512
6c63ab6f37460eac26ab1d9ce83a38cdd71017c6454d7a5721c18083187e7f7c945adf1b9fc39660dd11c0aa2d66ce67301ccb9f2d9a14ff83ad6fe05ef4bebf

Download Submit
memory/1856-128-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3176-17-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3176-0-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3176-18-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3176-129-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3176-3-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3176-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3176-287-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4808-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4808-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4808-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads