cycbot | 193ea655b405753b7a19c04ef005a0fc2d17bc8174a3db3b98f7a0e51a2f16f7

General

Target

JaffaCakes118_0e58ce1d221a0f423af5114b09a300d5.exe
Size

164KB
MD5

0e58ce1d221a0f423af5114b09a300d5
SHA1

8197a8b7c5961b8d6f26f2c479bc5970c82c68cb
SHA256

193ea655b405753b7a19c04ef005a0fc2d17bc8174a3db3b98f7a0e51a2f16f7
SHA512

72aff7c45f18da2222a5db9492f3e76f53128f26e8cd5ec5a5e319afad80c0fdf98b709e33fdc1d1b899bd37a774e10248bc3237deece8802639c9f4f339bea1
SSDEEP

3072:2X3PwYo138ADe8c+XpUYqwSH4wbfefjAjUHBjYo3ba1E0+nqT:2wTSoenwQ9gBco3ba1P+n

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4848-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/4048-16-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/4048-17-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/2808-119-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/4048-120-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/4048-294-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\B0E78\\6D852.exe"	JaffaCakes118_0e58ce1d221a0f423af5114b09a300d5.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4048-3-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4848-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4848-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4048-16-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4048-17-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/2808-119-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4048-120-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4048-294-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0e58ce1d221a0f423af5114b09a300d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0e58ce1d221a0f423af5114b09a300d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0e58ce1d221a0f423af5114b09a300d5.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 4848	4048	JaffaCakes118_0e58ce1d221a0f423af5114b09a300d5.exe	84
PID 4048 wrote to memory of 4848	4048	JaffaCakes118_0e58ce1d221a0f423af5114b09a300d5.exe	84
PID 4048 wrote to memory of 4848	4048	JaffaCakes118_0e58ce1d221a0f423af5114b09a300d5.exe	84
PID 4048 wrote to memory of 2808	4048	JaffaCakes118_0e58ce1d221a0f423af5114b09a300d5.exe	90
PID 4048 wrote to memory of 2808	4048	JaffaCakes118_0e58ce1d221a0f423af5114b09a300d5.exe	90
PID 4048 wrote to memory of 2808	4048	JaffaCakes118_0e58ce1d221a0f423af5114b09a300d5.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e58ce1d221a0f423af5114b09a300d5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e58ce1d221a0f423af5114b09a300d5.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e58ce1d221a0f423af5114b09a300d5.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e58ce1d221a0f423af5114b09a300d5.exe startC:\Program Files (x86)\LP\528B\9D9.exe%C:\Program Files (x86)\LP\528B
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4848
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e58ce1d221a0f423af5114b09a300d5.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e58ce1d221a0f423af5114b09a300d5.exe startC:\Program Files (x86)\782C6\lvvm.exe%C:\Program Files (x86)\782C6
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B0E78\82C6.0E7

Filesize
600B

MD5
0d27bd47b5419c52a3ecb2b5cc125ec6

SHA1
15d3eb585a5b75518aecd504bba6a4805a0f90d0

SHA256
71dacc2129847d2592d822388a6da42144032478ceb2dde89955bc8c0e4671a9

SHA512
fffebd80a753542a1bbea2c7a113b5755dcaa6d22f4e206c2e2e9f3726198cec3ec4a73f64bbc7e89e1df83bbc56c18294712d212c218a532a56418429f7e346

Download Submit
C:\Users\Admin\AppData\Roaming\B0E78\82C6.0E7

Filesize
996B

MD5
ae327bc49612a325cc4afb7a384f1800

SHA1
8aad473b3065aed8504f20b27ef7980a592614e8

SHA256
cb9b347a7ef8ef9dca0df4804d9bdb3ff9a70db89ef3777abc9914312bc91a64

SHA512
ea498ac183bd8fa573e23a6ee457430c609d66910dc0c9ccd4c01ca5fb82c77e100dd357928f78337d6d52cb6738dce6fff5f17413fabca6b46738d1f5c498c3

Download Submit
C:\Users\Admin\AppData\Roaming\B0E78\82C6.0E7

Filesize
1KB

MD5
af91417d98e70b39f93e22b9fe502d92

SHA1
8a151ada277a3c26325980eb04a3ad01c00d9988

SHA256
0b05318a546ac69d4c7f0594a17056271bfcf4c05b327d7ac648081e8b963d64

SHA512
344e14adc1318a89b57643522a2d2bda8d1103a236b2b35452874c76bcd7ff3fcf6c951930eea2561cf8356af9da2187e17c72b4e702d5f1764ac6eb4f75697b

Download Submit
memory/2808-119-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4048-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4048-0-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4048-17-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4048-120-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4048-3-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4048-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4048-294-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4848-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4848-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads