cycbot | 239a9ba253899e7b2850d8a85580ad1702f74ab9c63e21cb8bce9cfa487c9ad1

General

Target

JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe
Size

183KB
MD5

402a247a67d38ddff6e5807b5156e541
SHA1

64d0df4d0da57678e65e7c6ce32c5900f68052ac
SHA256

239a9ba253899e7b2850d8a85580ad1702f74ab9c63e21cb8bce9cfa487c9ad1
SHA512

fbfc4c9b6a81a4cf440c8fb797e7ae8ceb0659ba1e6db10a5bdc377931aa42057314b6458e80e5f1b1fd4f864a4b3abf07818ab100250b1325353ccc949b2031
SSDEEP

3072:VJ0PLdHSf2yB7H5KpVHTF1aMNOTavgzxXzS/nCR7dG7KkO6+9GcUuTcVltIi9:VJ0PlSf2C47zF1HgcvCrGmku9PU/ntI

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3204-14-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4656-15-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4656-82-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/1360-86-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4656-198-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4656-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/3204-12-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/3204-13-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/3204-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4656-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4656-82-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/1360-85-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/1360-86-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4656-198-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 3204	4656	JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe	83
PID 4656 wrote to memory of 3204	4656	JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe	83
PID 4656 wrote to memory of 3204	4656	JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe	83
PID 4656 wrote to memory of 1360	4656	JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe	92
PID 4656 wrote to memory of 1360	4656	JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe	92
PID 4656 wrote to memory of 1360	4656	JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe	92

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:3204
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_402a247a67d38ddff6e5807b5156e541.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2701.937

Filesize
1KB

MD5
10f743844a7c06e1195a3c275d91824b

SHA1
81e4863af55f1747088e6b215928dca029bff9e4

SHA256
f106e02a2b88f6d7f5b82817a1846f9fb9a91bd4a0a247172f9d0d1a752199e4

SHA512
63dfd4d751888d48e4030b4bd9018faa7b799499000a8020d1092f3de9082e11afef2eba3d50526b110e000c4b14e17b799968d04b6836c142d47bcf93bca02b

Download Submit
C:\Users\Admin\AppData\Roaming\2701.937

Filesize
600B

MD5
3d82a49ccb10f9d92e4bab9ba427d101

SHA1
b06836acada133c54b293f2a9159ffe55c55845a

SHA256
17bac82b963d5cecb35650d968074d03ca87cc06a17fc8b910ee85d932efd567

SHA512
0152eb84c026eeea87cee92e2dd0689c7e708210c9f6e1172e244cacadf74bc4a305e9b3904a5b50afa5d74980c664a0d7a4c7e225d9a66d655ad374f3d3e8ad

Download Submit
C:\Users\Admin\AppData\Roaming\2701.937

Filesize
996B

MD5
1a673a8b7ef52980e1e9074ea4964d65

SHA1
987dc2a8489e9a381f13d99f37aa3d3727c9eb2c

SHA256
b88dea3b6aa09045d14a9088034e849add54a55859af5786bc9db1a0b461e44d

SHA512
21f34346b87ff63b540ec798c84dcf15874c24be0730d721d5cc9e4bac68c4df263741571ee4cda81ddd89c8e28c17b06486d9a55abb91c910226beef73eb916

Download Submit
memory/1360-84-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1360-85-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1360-86-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3204-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3204-13-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3204-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4656-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4656-82-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4656-1-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4656-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4656-198-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads