cycbot | 2e278d2c58f5b936e7f1e374ad337a061720db6a2d588c0b4fca39da30a9780e

General

Target

JaffaCakes118_33cea2d34c90582aa2d17a507d1763b6.exe
Size

190KB
MD5

33cea2d34c90582aa2d17a507d1763b6
SHA1

11dc05f177e7b6c25d55732046d0a12a00f2049f
SHA256

2e278d2c58f5b936e7f1e374ad337a061720db6a2d588c0b4fca39da30a9780e
SHA512

154df078026139281a73750021ba925855c18f1b342e67c93d98ffb16b5b3d810ddeda216ea92b51815875e55c125e4ef695799691e5a3bfa69003a82cebd9a0
SSDEEP

3072:n2ZobCi7R0ibuFxJa5UxOFrj6oWX1ybmX4aeMAjcBVy4MCzEe9fknDzX23BiArTG:2Z4110SAJa5UxmrGoWBXV2jul+/X23Bh

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 3 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4432-12-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4432-84-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4432-186-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_33cea2d34c90582aa2d17a507d1763b6.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4432-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4432-12-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4432-84-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4432-186-0x0000000000400000-0x0000000000490000-memory.dmp	upx

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2984	2800	WerFault.exe	83
3188	4404	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_33cea2d34c90582aa2d17a507d1763b6.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 2800	4432	JaffaCakes118_33cea2d34c90582aa2d17a507d1763b6.exe	83
PID 4432 wrote to memory of 2800	4432	JaffaCakes118_33cea2d34c90582aa2d17a507d1763b6.exe	83
PID 4432 wrote to memory of 2800	4432	JaffaCakes118_33cea2d34c90582aa2d17a507d1763b6.exe	83
PID 4432 wrote to memory of 4404	4432	JaffaCakes118_33cea2d34c90582aa2d17a507d1763b6.exe	88
PID 4432 wrote to memory of 4404	4432	JaffaCakes118_33cea2d34c90582aa2d17a507d1763b6.exe	88
PID 4432 wrote to memory of 4404	4432	JaffaCakes118_33cea2d34c90582aa2d17a507d1763b6.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_33cea2d34c90582aa2d17a507d1763b6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_33cea2d34c90582aa2d17a507d1763b6.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_33cea2d34c90582aa2d17a507d1763b6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_33cea2d34c90582aa2d17a507d1763b6.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 364
    3⤵
    - Program crash
    PID:2984
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_33cea2d34c90582aa2d17a507d1763b6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_33cea2d34c90582aa2d17a507d1763b6.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:4404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 364
    3⤵
    - Program crash
    PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2800 -ip 2800
1⤵
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4404 -ip 4404
1⤵
PID:4112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DED1.BE3

Filesize
600B

MD5
83fa9a4cf0a354e66da5ed4f7140c606

SHA1
168042eeac0d3a0c0f2a26c55512807ae3204038

SHA256
1303622e2de34905146da7937a2cc9b6fb49b8653a135080e293a95411c48a28

SHA512
0ec0e6718a7141776fe025cfb6f6be16bfd641339e04cd41966318c73ebe0637ec77c3ad14b8b902e7595444815dca6b69f178dadd50f121f6af291040a6fd7e

Download Submit
C:\Users\Admin\AppData\Roaming\DED1.BE3

Filesize
1KB

MD5
9e27359c0647d71d2e277377b6aeb8d9

SHA1
30e1bbaed2677545f968dcf06bd94feaf333783c

SHA256
83f050716c10c470e5617ba7601c6c69486830d6c2361244dcb822c5b012368c

SHA512
d4bb6900216a88e3b52e5f370386c4662ab02860312fecc026330c16656c7a9cc0d6f815d97ee03c6cf08ef0a2967b6e6a085d504181a825ffba7be0a9c8fee2

Download Submit
C:\Users\Admin\AppData\Roaming\DED1.BE3

Filesize
1KB

MD5
e590b35a56b0f038bbc3d36d0430c199

SHA1
45a642e82bd3004c50982fd8659415ce238ff73f

SHA256
a39f360b19cf8b90687473ce4dd646b4f339474eef0896bf13bd1bbda05f733a

SHA512
67d963a1006a25fdc4e8d4b638d01c1de8ccf86ec6cf77a8d517e11ed1a5fb7771fccbf8758140ce42a02e31ecfcc2d6edf6ec62fa839a67e6073435c4f59371

Download Submit
C:\Users\Admin\AppData\Roaming\DED1.BE3

Filesize
996B

MD5
91970564f6f029fc36595f29721b2539

SHA1
9a3aae960b281f9aad7ec36b1a765046c84ecda8

SHA256
0f48e705528f6014f3b20ef9447cf3ba82ad2bf9d9054a9d759c49425f43f1ff

SHA512
1d629fcd0c76a75cd4eeb320921c3e7617cbfa842a33579d311dadb3b1c743386b15aed0757091abd8de155a4c8f07130fde923138aa9cfabf54f48fa83d3a05

Download Submit
memory/4432-1-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4432-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4432-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4432-84-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4432-186-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads