cycbot | 61be73b5ff4f4a54903e0eb0ea33257e298016e70cb5f9f3af8c6a13b06138ae

General

Target

JaffaCakes118_0d281c0d428f3c566002a64f732b803d.exe
Size

169KB
MD5

0d281c0d428f3c566002a64f732b803d
SHA1

0747b2c27cda8486422b39ad042f1ef6b77ff56c
SHA256

61be73b5ff4f4a54903e0eb0ea33257e298016e70cb5f9f3af8c6a13b06138ae
SHA512

6fbf615bc63d0faa5f31561498096c4456be90f00b1d9a3a20ea103e177dd8e2a765e859e76947abc855662fb39b2e4b61885b017d3630d7e7c946331aa289e6
SSDEEP

3072:iJoHXRFl1b2eEV32c6l4b+4QM5liEa72gq/GOvuY1+PwkM9LYJiv8JpkrBnqL:bHBke232cS42MB+S9mY1+PPM9YPDkrBM

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3988-11-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/5008-12-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/5008-13-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/2924-74-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/5008-75-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/5008-167-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\A1748\\FAC6D.exe"	JaffaCakes118_0d281c0d428f3c566002a64f732b803d.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5008-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3988-9-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3988-11-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/5008-12-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/5008-13-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/2924-74-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/5008-75-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/5008-167-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0d281c0d428f3c566002a64f732b803d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0d281c0d428f3c566002a64f732b803d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0d281c0d428f3c566002a64f732b803d.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 3988	5008	JaffaCakes118_0d281c0d428f3c566002a64f732b803d.exe	84
PID 5008 wrote to memory of 3988	5008	JaffaCakes118_0d281c0d428f3c566002a64f732b803d.exe	84
PID 5008 wrote to memory of 3988	5008	JaffaCakes118_0d281c0d428f3c566002a64f732b803d.exe	84
PID 5008 wrote to memory of 2924	5008	JaffaCakes118_0d281c0d428f3c566002a64f732b803d.exe	98
PID 5008 wrote to memory of 2924	5008	JaffaCakes118_0d281c0d428f3c566002a64f732b803d.exe	98
PID 5008 wrote to memory of 2924	5008	JaffaCakes118_0d281c0d428f3c566002a64f732b803d.exe	98

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d281c0d428f3c566002a64f732b803d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d281c0d428f3c566002a64f732b803d.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d281c0d428f3c566002a64f732b803d.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d281c0d428f3c566002a64f732b803d.exe startC:\Program Files (x86)\LP\6D3A\35B.exe%C:\Program Files (x86)\LP\6D3A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3988
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d281c0d428f3c566002a64f732b803d.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d281c0d428f3c566002a64f732b803d.exe startC:\Program Files (x86)\48558\lvvm.exe%C:\Program Files (x86)\48558
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A1748\8558.174

Filesize
1KB

MD5
81386fa4ffb1f333702f6a15892646b1

SHA1
7649129501eed802d01e81c99a7924edd5aed262

SHA256
277322d591d842c14df16b15c96fca9009448b150d377c34b3871f3a98dc5aab

SHA512
f685f71e89e2405e0a1d1f6072cdf4e59ccddd418172c5895409d81d684b982b1b4666326dc750f110dbd36a75b20519c9d36ff46845a5e28e7ed01bc715ac99

Download Submit
C:\Users\Admin\AppData\Roaming\A1748\8558.174

Filesize
300B

MD5
8a6dc3e3ddd801739937e90f487584a6

SHA1
dce40d35a7dccc4ab9d97a4c456854e2610e959c

SHA256
65d969772674f231224721586489ddbbe2c634a00da645a2e8c80314a1b29e38

SHA512
b2943a3b2042d99fddde99bd2064a1988541e8717e044315cbbe14938e592fdea4b9f75aeb0c3e78c93ce746d2cbc7c6aabf8d76799871c47f3854e3b45b576e

Download Submit
C:\Users\Admin\AppData\Roaming\A1748\8558.174

Filesize
696B

MD5
eff699605995714143f4e4923a9fbdc4

SHA1
0486b92b7af436bc52ad94e8f45fe0e9cdd0dd49

SHA256
40212f13d0303ae35c9a192285fa145b2aa13c9ddbfcb0948876555555991aa3

SHA512
fb9258c284c1c660a18b0b70db6c6ba570375f1fc1b7070de39d50fe63fbdca3bb0f78ff911e6f5ea8185249807aeed565a8d2bc0619b433301e63d33635d494

Download Submit
memory/2924-74-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3988-8-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3988-9-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3988-11-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5008-13-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/5008-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/5008-75-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5008-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5008-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5008-167-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads