cycbot | 256b509ebe52bad08fe0226c48afb011b58225a32a155e787ad0d4e94c2386e4

General

Target

JaffaCakes118_df1eb987830bda517469d30806e774ad.exe
Size

164KB
MD5

df1eb987830bda517469d30806e774ad
SHA1

284bbec0b74f3916f52bbc89ddc51cdd8e4b634a
SHA256

256b509ebe52bad08fe0226c48afb011b58225a32a155e787ad0d4e94c2386e4
SHA512

9e76ea50df57fb74377dc529d52cef739a7af58fd8e067e515f10da65313ed5c94a87385eb8a42a848229b6dab58afe2ded44935c988c8e461def0e7040c8f65
SSDEEP

3072:hGU0Ivg461pW09rkkhfKEvaQYFz9ejlLbobgum1krNHDh7RFGkBUjis3RMLB:hGU0cLo00mCQh9IlvogVC5N7rfUuaMLB

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/544-22-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/1184-23-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/1184-24-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/3460-142-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/1184-143-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/1184-297-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\4288E\\F2ED4.exe"	JaffaCakes118_df1eb987830bda517469d30806e774ad.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1184-3-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/544-20-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/544-19-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/544-22-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1184-23-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/1184-24-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3460-142-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1184-143-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1184-297-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_df1eb987830bda517469d30806e774ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_df1eb987830bda517469d30806e774ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_df1eb987830bda517469d30806e774ad.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 544	1184	JaffaCakes118_df1eb987830bda517469d30806e774ad.exe	84
PID 1184 wrote to memory of 544	1184	JaffaCakes118_df1eb987830bda517469d30806e774ad.exe	84
PID 1184 wrote to memory of 544	1184	JaffaCakes118_df1eb987830bda517469d30806e774ad.exe	84
PID 1184 wrote to memory of 3460	1184	JaffaCakes118_df1eb987830bda517469d30806e774ad.exe	90
PID 1184 wrote to memory of 3460	1184	JaffaCakes118_df1eb987830bda517469d30806e774ad.exe	90
PID 1184 wrote to memory of 3460	1184	JaffaCakes118_df1eb987830bda517469d30806e774ad.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_df1eb987830bda517469d30806e774ad.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_df1eb987830bda517469d30806e774ad.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_df1eb987830bda517469d30806e774ad.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_df1eb987830bda517469d30806e774ad.exe startC:\Program Files (x86)\LP\68C6\C69.exe%C:\Program Files (x86)\LP\68C6
  2⤵
  - System Location Discovery: System Language Discovery
  PID:544
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_df1eb987830bda517469d30806e774ad.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_df1eb987830bda517469d30806e774ad.exe startC:\Program Files (x86)\2ED48\lvvm.exe%C:\Program Files (x86)\2ED48
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4288E\ED63.288

Filesize
597B

MD5
f9a7c277317ae7a70d3192b1d6562715

SHA1
87ddb60f2a140bb601bd58b2012e14c8e0429418

SHA256
034ba862291b5f859e7e9cd5c1a7a40c39d30e07c64ffe8587b2e0fcfd47de0f

SHA512
e0faa37d8cfa36be66788e3cb62a526f0ae69ee77d1d75b500efe086a38a8ff97d3c103202f761c9634ccfb9d51f404df070656ecdea1f75c606852481ed452c

Download Submit
C:\Users\Admin\AppData\Roaming\4288E\ED63.288

Filesize
1KB

MD5
e4591c3484f66ba8c593b3ed8f8549c4

SHA1
3bbf307a8a5b59985a034fe3724517cb4c841e2b

SHA256
fe6518fd59be12e6ac0f91a7b808818a1861fa228163fc6b4a8f706388418c47

SHA512
75fa69fdd98cf07511a21b4e23473dc64b166d44a7afeac9a7b0f8e7562bf00098f5819b4dffe027fd14f1b223278c180510f88223461efa5ef6f720783853cc

Download Submit
C:\Users\Admin\AppData\Roaming\4288E\ED63.288

Filesize
1KB

MD5
a21011e24dade4fb6bf570fa3212b99f

SHA1
c5df027536cb8a05c7cf30172aaff60b49e89db5

SHA256
43fb11362b595d5fae95aabab93b4aa59cbd68a18eb0d1bbb594d6c81feb0dc0

SHA512
0011e92dac57b0aa925081773d3a5ae5c55a5ab54320196dc24f3256a12ad313615c63d5a1087e2dfd704f7f084237df0d7cc8f4b95af96fc8d7158d50a21fcc

Download Submit
C:\Users\Admin\AppData\Roaming\4288E\ED63.288

Filesize
897B

MD5
03dd1975dd972caaa0a669ab200bb7b3

SHA1
7f15d309746de4e441c899201655de05c6f7f7a3

SHA256
6d0e0b7845d1f3c5e32362a5b085ea3d6471c9a81c6c9be3d2cdf73ae18737c2

SHA512
30f6141129dbf3cfca052aa55960abb2d81a078a08847c36c3168ac1d39f89899133726ac6761c6c19ac857a93a8b7f5ebbbf4cf37d9f2e7786121b6c781ffa8

Download Submit
memory/544-20-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/544-19-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/544-22-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1184-23-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1184-24-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1184-0-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1184-143-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1184-3-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1184-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1184-297-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3460-142-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads