cycbot | 2e812a315d54636b1f790c3bd72aed265b43ba0b3796c59b57b24332e6486fdb

General

Target

JaffaCakes118_a9a56b70ca7e66353ff97d34ff47b5e2.exe
Size

183KB
MD5

a9a56b70ca7e66353ff97d34ff47b5e2
SHA1

1dbea21c0a281fe892055081b21d792bdf5b1294
SHA256

2e812a315d54636b1f790c3bd72aed265b43ba0b3796c59b57b24332e6486fdb
SHA512

c21e18b82c9bb5a8c6123d17d551e14097a92ac5d999726283a8ba05845593f9bcdd074d1387d40431be78e4a179bc17370a814721d29864f94b17f2e264ea7b
SSDEEP

3072:UEyaHHM3PGN9wsPJEm9NxH2MA6BMlbLyrNunAAdPWlAhfQ6oaKBxNFlhWC7RnFjY:U2HAPGN9wTM5RNrNunAAdzWvBLFlhWCE

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3108-13-0x0000000000400000-0x0000000000470000-memory.dmp	family_cycbot
behavioral2/memory/2764-15-0x0000000000400000-0x0000000000470000-memory.dmp	family_cycbot
behavioral2/memory/2764-80-0x0000000000400000-0x0000000000470000-memory.dmp	family_cycbot
behavioral2/memory/3660-83-0x0000000000400000-0x0000000000470000-memory.dmp	family_cycbot
behavioral2/memory/2764-190-0x0000000000400000-0x0000000000470000-memory.dmp	family_cycbot
behavioral2/memory/2764-192-0x0000000000400000-0x0000000000470000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_a9a56b70ca7e66353ff97d34ff47b5e2.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2764-2-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/3108-12-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/3108-13-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/2764-15-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/2764-80-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/3660-83-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/2764-190-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/2764-192-0x0000000000400000-0x0000000000470000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a9a56b70ca7e66353ff97d34ff47b5e2.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 3108	2764	JaffaCakes118_a9a56b70ca7e66353ff97d34ff47b5e2.exe	83
PID 2764 wrote to memory of 3108	2764	JaffaCakes118_a9a56b70ca7e66353ff97d34ff47b5e2.exe	83
PID 2764 wrote to memory of 3108	2764	JaffaCakes118_a9a56b70ca7e66353ff97d34ff47b5e2.exe	83
PID 2764 wrote to memory of 3660	2764	JaffaCakes118_a9a56b70ca7e66353ff97d34ff47b5e2.exe	85
PID 2764 wrote to memory of 3660	2764	JaffaCakes118_a9a56b70ca7e66353ff97d34ff47b5e2.exe	85
PID 2764 wrote to memory of 3660	2764	JaffaCakes118_a9a56b70ca7e66353ff97d34ff47b5e2.exe	85

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a9a56b70ca7e66353ff97d34ff47b5e2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a9a56b70ca7e66353ff97d34ff47b5e2.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a9a56b70ca7e66353ff97d34ff47b5e2.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a9a56b70ca7e66353ff97d34ff47b5e2.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:3108
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a9a56b70ca7e66353ff97d34ff47b5e2.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a9a56b70ca7e66353ff97d34ff47b5e2.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D787.685

Filesize
1KB

MD5
e15106348c3a2a8be18f2aec79532a2d

SHA1
5209debbe0de3fd80ca9448deff19e01e4f23166

SHA256
219423e411a41129a29f9c863909b9138a5c924b13ebb2f54b4de24607b49fe2

SHA512
e351e22dff58a92a9bc64811e748a9123747d3b1b7592218f28c8ece79035d396c34ed5d0c3a63b118b0baf9e0d99753e83da4b30a87b1f54181993631c3d749

Download Submit
C:\Users\Admin\AppData\Roaming\D787.685

Filesize
600B

MD5
53bd091c10a3fe262228dfa1aff39621

SHA1
b937a40b1a450c9e0e6502a7acc7d4fc1e69fb89

SHA256
3d4888a4ba45f879e06b87bc7af27c42f3fbca376a63a469804af6a1327b2ed5

SHA512
896bb2e71c21da7b56ebf995a5ec3ee54087aee590cf91033db7f80ada4548ddf421bac236c05e4494bd632e115012b91327d6a55a35a9d4493f2fea209dab2b

Download Submit
C:\Users\Admin\AppData\Roaming\D787.685

Filesize
996B

MD5
49b052f1ee1199bc472838098a5c3771

SHA1
5ad3d82463cd0981da5822be01c2d84fcb7931bc

SHA256
b7536effef0ed6856616d75588ec8dcbde07e922bf06cdb3de8e879696c85bdf

SHA512
bb0a4172bd23c8096f02b6b47d6cc9cb8496c652dfbd9e86be1bc5a1ab764f29156e32eca727aad776aedb3e33ba7598d35f704a9633e8ffef7886f068bec299

Download Submit
memory/2764-1-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2764-2-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2764-15-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2764-80-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2764-190-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2764-192-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3108-12-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3108-13-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3660-83-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads