cycbot | 1c8f9ed7db79b6cd8971c6b0802004f51fd5ae340e89b5c910d4cd1e6aae7472

General

Target

JaffaCakes118_88ee9778e060188b86fec24ea0c39474.exe
Size

171KB
MD5

88ee9778e060188b86fec24ea0c39474
SHA1

2e179139c5fff0460a5e1a5187c5aa63a0c992da
SHA256

1c8f9ed7db79b6cd8971c6b0802004f51fd5ae340e89b5c910d4cd1e6aae7472
SHA512

dc63b4f91dd4aeb3d16f6c962029ba350020b96d3d7d1d6039f167085937148e83cada382f148e3434feabbbfcb713529b9f345aac143f109f3ab49c6cd4fcc7
SSDEEP

3072:wyZQxQOXIjIbOW+e7jnsz1syIhJA8932zhXICb4L2/KyBItsFP0UpKdD68yZPc:fWQ7Ve7jnsz1syIhGII5Z02/DFr26xZ0

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3600-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2324-16-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2324-17-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/3492-118-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2324-119-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2324-281-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\9C748\\9E42C.exe"	JaffaCakes118_88ee9778e060188b86fec24ea0c39474.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2324-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3600-13-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3600-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2324-16-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2324-17-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/3492-118-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2324-119-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2324-281-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_88ee9778e060188b86fec24ea0c39474.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_88ee9778e060188b86fec24ea0c39474.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_88ee9778e060188b86fec24ea0c39474.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 3600	2324	JaffaCakes118_88ee9778e060188b86fec24ea0c39474.exe	88
PID 2324 wrote to memory of 3600	2324	JaffaCakes118_88ee9778e060188b86fec24ea0c39474.exe	88
PID 2324 wrote to memory of 3600	2324	JaffaCakes118_88ee9778e060188b86fec24ea0c39474.exe	88
PID 2324 wrote to memory of 3492	2324	JaffaCakes118_88ee9778e060188b86fec24ea0c39474.exe	101
PID 2324 wrote to memory of 3492	2324	JaffaCakes118_88ee9778e060188b86fec24ea0c39474.exe	101
PID 2324 wrote to memory of 3492	2324	JaffaCakes118_88ee9778e060188b86fec24ea0c39474.exe	101

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_88ee9778e060188b86fec24ea0c39474.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_88ee9778e060188b86fec24ea0c39474.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_88ee9778e060188b86fec24ea0c39474.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_88ee9778e060188b86fec24ea0c39474.exe startC:\Program Files (x86)\LP\2CC9\F46.exe%C:\Program Files (x86)\LP\2CC9
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3600
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_88ee9778e060188b86fec24ea0c39474.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_88ee9778e060188b86fec24ea0c39474.exe startC:\Program Files (x86)\48B3D\lvvm.exe%C:\Program Files (x86)\48B3D
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\9C748\8B3D.C74

Filesize
996B

MD5
84b90ac38de5029bd805a765c79e29e2

SHA1
f2a3dd88757692a31435d666c5255c0d8026c570

SHA256
d61affc4f2230fec20bd7b4aa6bc3d079ebb4bb1d25d767e44cdbc3ec3cf903e

SHA512
a37364db7d0f8f1aca7199f1bd097b7d5a4a55fc50be4760e46e2efb5ad91acb491320bf6e4f84693286a0592b7cd44054dcefb98dc4dc2e52ee0f56a51d46b5

Download Submit
C:\Users\Admin\AppData\Roaming\9C748\8B3D.C74

Filesize
600B

MD5
dc0fc951c5020a8d3d8c421e421cc186

SHA1
157ce84fbe4531ecdc8ca563721cc6582f534f77

SHA256
f8a538ea8aace9edfdc560b24287d79f22a91c6d8ebb9b0d58d6b1e8ac6382e3

SHA512
974fec4865af8904fa5bb818664d48f4cd1271a9f987268e64cd550921dc08cce8355f0488239703334d8df0431d509c58378c438c5dc749d83ba29ea5422f17

Download Submit
C:\Users\Admin\AppData\Roaming\9C748\8B3D.C74

Filesize
1KB

MD5
a45214396577096572bde4e189a60cbb

SHA1
2106392efd6ac16d6a869e06a020c91dd04955a2

SHA256
5ac37c616da4ba1ec34ef20c0205c94926af3d708719a7549e70b552d4245606

SHA512
9adeca13612f8a76457947cc2fcb6adb44b0acaa15d2f2f299233a3b1d976d02c7715fb5276dad4f9f176a66dcd7e866258ab27ea09c4c6f2d92596bf56bc43b

Download Submit
memory/2324-119-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2324-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2324-17-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2324-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2324-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2324-281-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3492-118-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3600-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3600-13-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3600-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads