cycbot | 14947c5cf10a8cbcc0dedfa7e98d039f7fac473a10e15f771f5da29c33076d1a

General

Target

JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe
Size

164KB
MD5

67c31b83e83098964f5f43cb4aeef38c
SHA1

0c48d64fcc5b8d95f9012516f674837b5eb54e78
SHA256

14947c5cf10a8cbcc0dedfa7e98d039f7fac473a10e15f771f5da29c33076d1a
SHA512

756471651c942ceeb2e80247bbc4b1c3e3a18f00679ae528ea14466cf8a6487df84b6f61c06f9a5c8bf4018a17d048c75b0d4921f134acec2579ca9ae8435db9
SSDEEP

3072:Ay11Z4oCZpZ+2/N3jCkwwyqN/GJ2KfJ0xVdUpLughILqY4cuGUXwdJyv:zr4C2/tjCk5yi/02bdUgdzJUXy

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/976-21-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2852-22-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2852-23-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/3784-147-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2852-148-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2852-334-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\BB08A\\9E42C.exe"	JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2852-3-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/976-20-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/976-19-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/976-21-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2852-22-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2852-23-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/3784-145-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3784-147-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2852-148-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2852-334-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 976	2852	JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe	85
PID 2852 wrote to memory of 976	2852	JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe	85
PID 2852 wrote to memory of 976	2852	JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe	85
PID 2852 wrote to memory of 3784	2852	JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe	100
PID 2852 wrote to memory of 3784	2852	JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe	100
PID 2852 wrote to memory of 3784	2852	JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe	100

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe startC:\Program Files (x86)\LP\2CCB\F46.exe%C:\Program Files (x86)\LP\2CCB
  2⤵
  PID:976
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_67c31b83e83098964f5f43cb4aeef38c.exe startC:\Program Files (x86)\8A5BC\lvvm.exe%C:\Program Files (x86)\8A5BC
  2⤵
  PID:3784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\BB08A\A5BC.B08

Filesize
597B

MD5
785b67d105bcb3d024f6ef5e61620f01

SHA1
d4307527ebab1747964f0e3b9b8250bf1b2067dc

SHA256
059d7452821d56f58d5bfcb7cb8083d65f94d4f88617cbb504f3a54a85dfe35b

SHA512
cef35d260342274a5510774afe2fe79b514cbb8d2e4552ce6ee24f9e567a03570495443149a68e0ba0162c4023b2237a25249826bbbfa6ed8d6782c346864d65

Download Submit
C:\Users\Admin\AppData\Roaming\BB08A\A5BC.B08

Filesize
1KB

MD5
26c850a58e61c21277b24632f7767b2e

SHA1
acf91978e77afbdfc48f805baa566da32b761cee

SHA256
360a26cc0b58019fa2eca06e055bfa1c980b39ee04cb387af0506f4a73b739b6

SHA512
6cf29ac4dd557ce79cf857953a3bf3f205c294acd812001becf6e4318f973d8e2c608048ccc4e96c70db7dd1da38d741e5512dfd841b3ddb908be3eacee166f4

Download Submit
C:\Users\Admin\AppData\Roaming\BB08A\A5BC.B08

Filesize
897B

MD5
cf84175222b898ac0d9d0e3e11b48890

SHA1
f5f1f13243b7a6b007e5dcf2984e14ebe7a74264

SHA256
fb229c3c46121fd2b58fe8b1c58f0bbb7d5ce40e5f56f391b39c52af3928f68f

SHA512
ab6a3a75daa15e74ce945919edbd7374b0e420219de3bce1c1b674293aed37e1859fcf07f0109bf7c3bdd3878cc0ab38baf4f9f64b841f66389f6ed762054e42

Download Submit
C:\Users\Admin\AppData\Roaming\BB08A\A5BC.B08

Filesize
1KB

MD5
ac7c4c3c0dd5f7f2f0c5456f491b41c0

SHA1
ee299a397cc1ea609029093da1eee3c0dcc53739

SHA256
6908046c6d94e63a0a2efffce9b4fd3e4305ab0d7ec4a5f56ab30dac93213d02

SHA512
e29b05c0b2283147a5263899af4f6a0242eee0f11d9e0d7eb1fa93fff3c9b2ddabc8c431927851daf3c3f5fdc97cd538dc9dc738716dc4a0b16b5f9511f0722e

Download Submit
memory/976-20-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/976-19-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/976-21-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2852-23-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2852-0-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2852-22-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2852-148-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2852-3-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2852-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2852-334-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3784-145-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3784-147-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads