cycbot | c32b419d78a2d93e837db74d4c12b8e95896f0b1fc1dd431580963c618c20d29

General

Target

JaffaCakes118_013adad2d639fb3845e0409196d4a373.exe
Size

168KB
MD5

013adad2d639fb3845e0409196d4a373
SHA1

37e5ca3cd3507fdcfdcce1eff289b28f079eabf6
SHA256

c32b419d78a2d93e837db74d4c12b8e95896f0b1fc1dd431580963c618c20d29
SHA512

4b5cefcab43c1b9bbb0ab624aa7f6518309270071dabcbc8dd6602397d6e8bd5bef7c6e7cae083170d6d976fd9f16457afe33d56e4fee3ada18c9f8466554c62
SSDEEP

3072:fJLPiUc6ouhSB2x0mwbXw5xiuixOwOYF/9lVNxw0U1K2rKlmi/m5qHIR:f1KUcSyZuixaYF/Lxw0U82rweQIR

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4004-15-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/2148-16-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/2148-17-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/2664-135-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/2148-136-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/2148-314-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\97DA4\\48373.exe"	JaffaCakes118_013adad2d639fb3845e0409196d4a373.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2148-3-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4004-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4004-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2148-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/2148-17-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2664-135-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2148-136-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2148-314-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_013adad2d639fb3845e0409196d4a373.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_013adad2d639fb3845e0409196d4a373.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_013adad2d639fb3845e0409196d4a373.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 4004	2148	JaffaCakes118_013adad2d639fb3845e0409196d4a373.exe	86
PID 2148 wrote to memory of 4004	2148	JaffaCakes118_013adad2d639fb3845e0409196d4a373.exe	86
PID 2148 wrote to memory of 4004	2148	JaffaCakes118_013adad2d639fb3845e0409196d4a373.exe	86
PID 2148 wrote to memory of 2664	2148	JaffaCakes118_013adad2d639fb3845e0409196d4a373.exe	99
PID 2148 wrote to memory of 2664	2148	JaffaCakes118_013adad2d639fb3845e0409196d4a373.exe	99
PID 2148 wrote to memory of 2664	2148	JaffaCakes118_013adad2d639fb3845e0409196d4a373.exe	99

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_013adad2d639fb3845e0409196d4a373.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_013adad2d639fb3845e0409196d4a373.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_013adad2d639fb3845e0409196d4a373.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_013adad2d639fb3845e0409196d4a373.exe startC:\Program Files (x86)\LP\73C9\34D.exe%C:\Program Files (x86)\LP\73C9
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4004
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_013adad2d639fb3845e0409196d4a373.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_013adad2d639fb3845e0409196d4a373.exe startC:\Program Files (x86)\A4980\lvvm.exe%C:\Program Files (x86)\A4980
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\97DA4\4980.7DA

Filesize
996B

MD5
182cc2c99d622ea1428ab73a8133fa06

SHA1
008f23e647adac7cc4352853c751552911bc41e7

SHA256
c8b95ac63bb6933edaf1e5db8040b635200c1e9f3111d456ed7aa3af10d4cf22

SHA512
94c8ba88faf1016b9a34bdbe77d154c00903d54480358bc716c901822d47edd2007efe7c78ce1e8cbdec553ecf6713fe64b4a71fe63fe060761e0763fa7e6e60

Download Submit
C:\Users\Admin\AppData\Roaming\97DA4\4980.7DA

Filesize
600B

MD5
cdba322a0194f03685de08128e4ed815

SHA1
a01bba636bc23c50c151cb55064273ebeba2109f

SHA256
9d9dc4821b296afd45a39fb64939e03c36704d8e08955653c81e7e7efb88fab9

SHA512
563d689fef5221b3cb7a5c1c222764aebb10769f0bef01d9572efb0ca42c98e79a1d4853f012d9f4794b8937db37ed28e31d8d0e7ab10750a3b534694a4a5df9

Download Submit
C:\Users\Admin\AppData\Roaming\97DA4\4980.7DA

Filesize
1KB

MD5
b55f93cbb32a1a88f0f1b3405b60b8a5

SHA1
0a910f82540b680eb278f227c2d436f7fea58a7e

SHA256
8a9289cb50dbae55581ac18fae3291d3e10b1cee247d68f5ab1ad4009517935f

SHA512
34a01a387f24f097d49924209c84d4098e1f1fb7627e00e9ba9a46692522e75630ade3baac39cc3db88a85433e204ec9a2694b39f55e07aa8e0299a54354d28e

Download Submit
memory/2148-136-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2148-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2148-17-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2148-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2148-3-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2148-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2148-314-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2664-135-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4004-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4004-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads