cycbot | 4e0c7a727fd8638851876b9904c5707b0ab9c3b9cc298dda35ff5d9ac06be9f2

General

Target

JaffaCakes118_7439e3e173de9974cf7a51bf019bf73e.exe
Size

172KB
MD5

7439e3e173de9974cf7a51bf019bf73e
SHA1

127effce854edc22b6a47844bb2304e7c69b0260
SHA256

4e0c7a727fd8638851876b9904c5707b0ab9c3b9cc298dda35ff5d9ac06be9f2
SHA512

6ed50eaf4a3548319358e4b6c67291f92cb5a1fc0ebcdd04f4a9762b3075103eefa6f4a9608aaf0a7910779cc7bef42c65d3b224ee3a6a2eebcd0060ee0f4220
SSDEEP

3072:m8NnYwO7MPXQ5WprhiF408n3MxsJA9GORhJ6cC7QppR4AgTUJ9qDlJDA9zP:TNnekvjgsfJAMorrYTUJ9qbDAd

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2144-11-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral2/memory/2128-78-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral2/memory/848-81-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral2/memory/2128-188-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\87CDE\\C2ED3.exe"	JaffaCakes118_7439e3e173de9974cf7a51bf019bf73e.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2144-11-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/2128-78-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/848-81-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/2128-188-0x0000000000400000-0x000000000048D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7439e3e173de9974cf7a51bf019bf73e.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2144	2128	JaffaCakes118_7439e3e173de9974cf7a51bf019bf73e.exe	83
PID 2128 wrote to memory of 2144	2128	JaffaCakes118_7439e3e173de9974cf7a51bf019bf73e.exe	83
PID 2128 wrote to memory of 2144	2128	JaffaCakes118_7439e3e173de9974cf7a51bf019bf73e.exe	83
PID 2128 wrote to memory of 848	2128	JaffaCakes118_7439e3e173de9974cf7a51bf019bf73e.exe	93
PID 2128 wrote to memory of 848	2128	JaffaCakes118_7439e3e173de9974cf7a51bf019bf73e.exe	93
PID 2128 wrote to memory of 848	2128	JaffaCakes118_7439e3e173de9974cf7a51bf019bf73e.exe	93

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7439e3e173de9974cf7a51bf019bf73e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7439e3e173de9974cf7a51bf019bf73e.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7439e3e173de9974cf7a51bf019bf73e.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7439e3e173de9974cf7a51bf019bf73e.exe startC:\Program Files (x86)\Internet Explorer\D3A8\9A1.exe%C:\Program Files (x86)\Internet Explorer\D3A8
  2⤵
  PID:2144
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7439e3e173de9974cf7a51bf019bf73e.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7439e3e173de9974cf7a51bf019bf73e.exe startC:\Program Files (x86)\DE507\lvvm.exe%C:\Program Files (x86)\DE507
  2⤵
  PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\87CDE\E507.7CD

Filesize
600B

MD5
253ef77d5bcccc2d1dd8284e3afe627b

SHA1
692b17a1fbe484fd0696eecab050b35aab2acf8c

SHA256
333496bb1f23b6eedc92e78fa22baa162500b82f3bc8e424a68565895f79e64a

SHA512
138bbc57a55efe576ce139d004a2031df60a0664c053e536fb89fc2160abbef30b89c8f90d2381290454571c92625d5cbc9ea64a722c0c8667e52bcfcad17cd3

Download Submit
C:\Users\Admin\AppData\Roaming\87CDE\E507.7CD

Filesize
1KB

MD5
ffca9a1a0af7eb8500baf0c533713755

SHA1
80c70536d19abea7e4cc7661f7af1a0b8cbe68ec

SHA256
be269425857b3563aa2b36330f022cdf163531996fac117d8d18758c314771f2

SHA512
d99873e96671df4df42ddf04bc297ed9aaf45e3a742f17abc79c8b8f7f031abefe3bb2294e1dc5042b4422ad4e2c3cb7f6021b0525380bf3b732c08787bb771c

Download Submit
C:\Users\Admin\AppData\Roaming\87CDE\E507.7CD

Filesize
996B

MD5
4386a3dc7cca224d4d41d657511aa5d6

SHA1
369e7d1b8bae76a375397c30a49158bcce69bd97

SHA256
7e73024972e4378a649714c093725a195c301abacbf268ebb569162c0ce7be0a

SHA512
21282a77dee75dbf912aee4a0c69ceef1d16fea9a61ae5f37f7896792c31f398628f960b9f6d12045354c4311e993c0c029cf779c8820b91c19c2b067db60dcf

Download Submit
memory/848-80-0x00007FF9B3A70000-0x00007FF9B3C65000-memory.dmp

Filesize
2.0MB

Download
memory/848-81-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2128-1-0x00007FF9B3A70000-0x00007FF9B3C65000-memory.dmp

Filesize
2.0MB

Download
memory/2128-78-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2128-188-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2144-13-0x00007FF9B3A70000-0x00007FF9B3C65000-memory.dmp

Filesize
2.0MB

Download
memory/2144-12-0x0000000000550000-0x0000000000568000-memory.dmp

Filesize
96KB

Download
memory/2144-11-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads