cycbot | 1a591be854fb461c5eeaf424bf50c370dd547a35e0e63f6b70ce1e49021f2d00

General

Target

JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe
Size

173KB
MD5

7dae07bd36ee342c0cb8eb165721fcbc
SHA1

3dce070abde87455b42cbf7b30461da42f99d2ea
SHA256

1a591be854fb461c5eeaf424bf50c370dd547a35e0e63f6b70ce1e49021f2d00
SHA512

ebfeaf939edf39d6bcbf2f1911d91508351670a825e4c849c11e4c0ed1e20ecb9f44f42071e986c8234280d3bb30161536d0096901cf0334ffa7223b44ca0000
SSDEEP

3072:mlzKHalGCntghiP+q2xmQQQ75RvDabe20LtO+Pfwl/e/+dHXTkbqHV+yLLmO0jEJ:AKHphiC1zGbWzXwl/vVjkOHVNX0jEk

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1668-14-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/560-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/560-16-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/4708-126-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/560-127-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/560-297-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\41AFF\\6D852.exe"	JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/560-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1668-13-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1668-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/560-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/560-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/4708-125-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4708-126-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/560-127-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/560-297-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 1668	560	JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe	86
PID 560 wrote to memory of 1668	560	JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe	86
PID 560 wrote to memory of 1668	560	JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe	86
PID 560 wrote to memory of 4708	560	JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe	92
PID 560 wrote to memory of 4708	560	JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe	92
PID 560 wrote to memory of 4708	560	JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe	92

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:560
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe startC:\Program Files (x86)\LP\5284\9D9.exe%C:\Program Files (x86)\LP\5284
  2⤵
  PID:1668
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe startC:\Program Files (x86)\FFD26\lvvm.exe%C:\Program Files (x86)\FFD26
  2⤵
  PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\41AFF\FD26.1AF

Filesize
996B

MD5
57e4b3248fb4107b0418631791034ee7

SHA1
c210c9a3b1b4df4a092ce6128686d984ce3ce1d0

SHA256
1bcb5168bd8caa4257ce915f19d226e6470cd33f10d21cc3c410de18b4b1259d

SHA512
6bb320f3d80c84b56d263cabcdce1da593937315a19fa3d8b5676cb6234405a540641f23406018c4d72719c2f0ff6d34b8f43084d429fc5b8a4a2fa42889f34b

Download Submit
C:\Users\Admin\AppData\Roaming\41AFF\FD26.1AF

Filesize
600B

MD5
de942b748264938b7e16174568b14585

SHA1
97536b26cd9e83f1e2a60324cb8bfc86b10294eb

SHA256
421c97f86756c3578b92379414237b8868cea1ab6cc50e709077d6cda46b07be

SHA512
3510b5993060a2e3bbd698cfe909b7e4a60dfccc2e1ff3fc59bbea0344b13a396d4d88b78644d6b85d09a8f8bd1d27295f92314dbd6ec2570efe9d4dcce5c154

Download Submit
C:\Users\Admin\AppData\Roaming\41AFF\FD26.1AF

Filesize
1KB

MD5
1e5e28b7aa2b6bd1891e9b2a8b6d9e10

SHA1
869248c86a84257524e88e2786c8249b07fd4412

SHA256
0a463a8623a93f08dda734c8c7c61c805aaaa4ed8963fc8c6cef7caf0cf6a0d8

SHA512
57f363047ab793b5a005099cfc9910dfdccf03f24126a661356fea5820a00885f831739ecadd7b5556fe812d8c6ddb2a6c7a18d0cd78d086aadc3cfc1e1b4ae4

Download Submit
C:\Users\Admin\AppData\Roaming\41AFF\FD26.1AF

Filesize
300B

MD5
7c56ad40cd454dcbf1eb4c2405790a38

SHA1
e834dc1b149f3b5ad27e6d79fd7d0c29649b71f0

SHA256
312223e6d450fa11f3ee9d1b62564c2642e5ed914b1fe9cc5e2bb7a4e324c255

SHA512
d77bf9512f29a68ad4d8571e3522313f56badca455607de55cf271e158f2c1b15c6f560e4a68adeca3fc16d4a49630af9fd44d6492122692ce4cc1fca63baaa1

Download Submit
memory/560-127-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/560-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/560-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/560-297-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/560-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/560-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1668-13-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1668-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1668-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4708-126-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4708-125-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads