cycbot | 19afa28fa0ee6586c94f8f14b074199e42ddb2179ca50be1372ad6a5fced3663

General

Target

JaffaCakes118_ac336be0084400b8449911f3c6134816.exe
Size

165KB
MD5

ac336be0084400b8449911f3c6134816
SHA1

9cbe8899e8de4b8838bf85b59d9ac15437b3c9ae
SHA256

19afa28fa0ee6586c94f8f14b074199e42ddb2179ca50be1372ad6a5fced3663
SHA512

e4181f207d7fcae1f6996658ef451a6ff70ae9dcc984ba260254d092d4a4d206e059fa6fdbab507aa57755cc9de54f1ca75e5d3de1b7fc653acb550bc4cd0e64
SSDEEP

3072:ny0BNkzJWZFnBTb9d0o11UQEN7aKwhQG0zdwC4ScD6lToVnWWtBGoEdIKDo2RA/B:ny0jkF4n19d0o/ENdOfad8hDEQ5tkfIj

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 8 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4756-16-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4748-17-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4748-18-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/4644-116-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4748-117-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4748-281-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4748-286-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4748-287-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\BD524\\58F2D.exe"	JaffaCakes118_ac336be0084400b8449911f3c6134816.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4748-3-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4756-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4756-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4756-16-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4748-17-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4748-18-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/4644-116-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4748-117-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4748-281-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4748-286-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4748-287-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ac336be0084400b8449911f3c6134816.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 4756	4748	JaffaCakes118_ac336be0084400b8449911f3c6134816.exe	83
PID 4748 wrote to memory of 4756	4748	JaffaCakes118_ac336be0084400b8449911f3c6134816.exe	83
PID 4748 wrote to memory of 4756	4748	JaffaCakes118_ac336be0084400b8449911f3c6134816.exe	83
PID 4748 wrote to memory of 4644	4748	JaffaCakes118_ac336be0084400b8449911f3c6134816.exe	92
PID 4748 wrote to memory of 4644	4748	JaffaCakes118_ac336be0084400b8449911f3c6134816.exe	92
PID 4748 wrote to memory of 4644	4748	JaffaCakes118_ac336be0084400b8449911f3c6134816.exe	92

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ac336be0084400b8449911f3c6134816.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ac336be0084400b8449911f3c6134816.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ac336be0084400b8449911f3c6134816.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ac336be0084400b8449911f3c6134816.exe startC:\Program Files (x86)\LP\2D9B\7CD.exe%C:\Program Files (x86)\LP\2D9B
  2⤵
  PID:4756
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ac336be0084400b8449911f3c6134816.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ac336be0084400b8449911f3c6134816.exe startC:\Program Files (x86)\24AE2\lvvm.exe%C:\Program Files (x86)\24AE2
  2⤵
  PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\BD524\4AE2.D52

Filesize
996B

MD5
394fbd4d2c525541b97c3ec62c26d244

SHA1
b9f27fdd6ed54a7675640408336fd99f9b6ee996

SHA256
960149414d4af64883528db5607e3aed7c54e32f54b713d8598444db3da0897a

SHA512
8a5f76c806f20478b82601dd66eda1b785dfc96a3dd5c30e8d9d0a070f4ff9146782220f5134eeda0afb1a5432ce00c2302825c34b5019791466be9e183be74d

Download Submit
C:\Users\Admin\AppData\Roaming\BD524\4AE2.D52

Filesize
600B

MD5
67b08b0fc891a19518d970a1c4862950

SHA1
9a7cd199b80f67c8f791f6ae86f2e927d22940db

SHA256
e201c37a0e6a7c722320b3ff29a7133fbb134fde00cf66f5a31614e0b34c0d9e

SHA512
18c2d9793ab5af9e38ef75eb4464ab8959f5be4ea66dce701fdb89d5b2ecef399d9bb60f579e69791afaa488b0a0ce49c2536fab0e214479825eb107122ad6e3

Download Submit
C:\Users\Admin\AppData\Roaming\BD524\4AE2.D52

Filesize
1KB

MD5
66710775481a78332bef310c767d8cbb

SHA1
0250c74a6406167cbc357ddfc112e35b65fae6d3

SHA256
d368359b485f2decafa1c139a714cb650cb0b9d962a15209d7d897425c119696

SHA512
3e4481d9ece4f88ec8c0d3eda133f8657855c38152a76e39602522ea6aa166ca612760d65231bd5d0453798615f771ec91d6715b42377f66da7d5e157931a00a

Download Submit
memory/4644-116-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4748-17-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4748-18-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4748-3-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4748-117-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4748-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4748-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4748-281-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4748-286-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4748-287-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4756-16-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4756-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4756-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads