cycbot | ae82c4ac053704655dfa7738cbf5f918de8306e58e69df6dbc8f966b35d334be

General

Target

JaffaCakes118_6639fa0885d54dc9252cf464b20123a9.exe
Size

174KB
MD5

6639fa0885d54dc9252cf464b20123a9
SHA1

86f7e226a3822d159c0f53cbbedfbe55aa782cf9
SHA256

ae82c4ac053704655dfa7738cbf5f918de8306e58e69df6dbc8f966b35d334be
SHA512

564de79a59841ef0180f2efbc25650eb848701c4783b8b92f97a5bdf0c6e0373c017b6de8d174f291b29187b3c981eb3c3c166b88ba959b817b296a3d48b2c4f
SSDEEP

3072:UaPhJ87gsFnHrgXECBgFk65vYwAIZocsX8LjEk77udf6W6tTEZ8:bhJ8XFnLgXKFxHNojgjTYf6WYO

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3312-18-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/3312-19-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/2336-20-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/2336-79-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/2072-84-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/2336-191-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_6639fa0885d54dc9252cf464b20123a9.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2336-2-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/3312-18-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/3312-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/3312-19-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/2336-20-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/2336-79-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/2072-84-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/2072-82-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/2336-191-0x0000000000400000-0x000000000048E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6639fa0885d54dc9252cf464b20123a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6639fa0885d54dc9252cf464b20123a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6639fa0885d54dc9252cf464b20123a9.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 3312	2336	JaffaCakes118_6639fa0885d54dc9252cf464b20123a9.exe	82
PID 2336 wrote to memory of 3312	2336	JaffaCakes118_6639fa0885d54dc9252cf464b20123a9.exe	82
PID 2336 wrote to memory of 3312	2336	JaffaCakes118_6639fa0885d54dc9252cf464b20123a9.exe	82
PID 2336 wrote to memory of 2072	2336	JaffaCakes118_6639fa0885d54dc9252cf464b20123a9.exe	85
PID 2336 wrote to memory of 2072	2336	JaffaCakes118_6639fa0885d54dc9252cf464b20123a9.exe	85
PID 2336 wrote to memory of 2072	2336	JaffaCakes118_6639fa0885d54dc9252cf464b20123a9.exe	85

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6639fa0885d54dc9252cf464b20123a9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6639fa0885d54dc9252cf464b20123a9.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6639fa0885d54dc9252cf464b20123a9.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6639fa0885d54dc9252cf464b20123a9.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3312
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6639fa0885d54dc9252cf464b20123a9.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6639fa0885d54dc9252cf464b20123a9.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\45BB.AEC

Filesize
597B

MD5
3a5bf74fe9a2f40e21b07f2b4e413fd0

SHA1
a56baea4bdf42b38aa48e4fa031b49403d038077

SHA256
353b4323d242f6f2f8cff211cbe77e17ee75c645e4cae4867f2f361873f120e5

SHA512
ba1586ac0e3dc175dec027a89fc225d212bea8783a2014763d3797d7f8cbb79a186c991336d4423726b238f4bd5eea425d8eba58a09c72465a8ea7fdd8588251

Download Submit
C:\Users\Admin\AppData\Roaming\45BB.AEC

Filesize
1KB

MD5
ef9b8cb1b823c530aff04f9c250fd89c

SHA1
f70066eecf30a467d8132e611ccc5617eb972f56

SHA256
cf272f0363f0fa2f97b1c19fa484f5be1d8a12e4ba95f6eaf32b85eda2532821

SHA512
e0381168aaa6ce206c42b2f47e0e2954c88dfcd88d236804c5b8c046e38918365e192aaf1dbd041e762b5ee7b63bcbeaa34ac31fd4684e693361d91bc046d48c

Download Submit
C:\Users\Admin\AppData\Roaming\45BB.AEC

Filesize
897B

MD5
e69cc95d7ce3ea14afdb4c6031b54c9a

SHA1
cd72757795494638525a0fa561989372b45dc990

SHA256
337af289cfc678cad2e7f4fd8fd3c516e111d5cfbb218dcfd4ee3c089b2b5f0f

SHA512
7f21c082abfdb31244d2ab7e166b832bf7f0fb1918f2bfb868c824251519a8785d203bcc13c0da9940c0c14167b2babd8e95f7f6246a90aedc2a2b8c7b067822

Download Submit
C:\Users\Admin\AppData\Roaming\45BB.AEC

Filesize
1KB

MD5
45dd58c8738ce9cc242a47d1401cc977

SHA1
5ab64423761e5c3f9e97456c0f7fc3a703a735a2

SHA256
896568e577e9ab16dc57653309b8ef32f06757acae973168826203b2cf6a4de8

SHA512
dac7a6f0c67d3525057b91d47a7ac637e3f1ff27f78b191217962defc1fb55b60b9ae98873246c6e4b6777fbd96355efe9545fa30589d0a636879ba5ad8a83e3

Download Submit
memory/2072-82-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2072-84-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2072-81-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2336-20-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2336-79-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2336-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2336-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2336-191-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3312-19-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3312-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3312-18-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads