cycbot | 40e43adbec40d3311569a6aa40cdae131e35506f20b88632cd98f46d301ce3a5

General

Target

JaffaCakes118_1460bbf9dcf3cb75926f9b69823e8821.exe
Size

170KB
MD5

1460bbf9dcf3cb75926f9b69823e8821
SHA1

ce8f8195bbc5d33d425d6cf01a4968d94694a7ed
SHA256

40e43adbec40d3311569a6aa40cdae131e35506f20b88632cd98f46d301ce3a5
SHA512

62cf073d338fe14219cac8a59406055b7d78013bd2f96dca3ba1c1678902cf02de0adbad613021ca4ab26c10117a9563b3be83a8835de68005a24c74e9a11009
SSDEEP

3072:CHDbu3fQ2wIWWE+fOXBND6V35WpfrQv6VguI17MZLcAVULEK7fuofT4x69UVg:CHDbuPrWYf6r6V35kVvHKfTz74xG

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3576-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/4656-16-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/4656-17-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/3376-82-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/4656-83-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/4656-187-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\9799E\\FAC6D.exe"	JaffaCakes118_1460bbf9dcf3cb75926f9b69823e8821.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4656-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3576-13-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3576-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4656-16-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4656-17-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/3376-80-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3376-82-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4656-83-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4656-187-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1460bbf9dcf3cb75926f9b69823e8821.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1460bbf9dcf3cb75926f9b69823e8821.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1460bbf9dcf3cb75926f9b69823e8821.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 3576	4656	JaffaCakes118_1460bbf9dcf3cb75926f9b69823e8821.exe	82
PID 4656 wrote to memory of 3576	4656	JaffaCakes118_1460bbf9dcf3cb75926f9b69823e8821.exe	82
PID 4656 wrote to memory of 3576	4656	JaffaCakes118_1460bbf9dcf3cb75926f9b69823e8821.exe	82
PID 4656 wrote to memory of 3376	4656	JaffaCakes118_1460bbf9dcf3cb75926f9b69823e8821.exe	83
PID 4656 wrote to memory of 3376	4656	JaffaCakes118_1460bbf9dcf3cb75926f9b69823e8821.exe	83
PID 4656 wrote to memory of 3376	4656	JaffaCakes118_1460bbf9dcf3cb75926f9b69823e8821.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1460bbf9dcf3cb75926f9b69823e8821.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1460bbf9dcf3cb75926f9b69823e8821.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1460bbf9dcf3cb75926f9b69823e8821.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1460bbf9dcf3cb75926f9b69823e8821.exe startC:\Program Files (x86)\LP\6D39\35B.exe%C:\Program Files (x86)\LP\6D39
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3576
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1460bbf9dcf3cb75926f9b69823e8821.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1460bbf9dcf3cb75926f9b69823e8821.exe startC:\Program Files (x86)\9EC2E\lvvm.exe%C:\Program Files (x86)\9EC2E
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\9799E\EC2E.799

Filesize
1KB

MD5
25c741980c2640f0428af8e97101daa8

SHA1
a58cb1e816a5f0d2df55cf3b4c1db685ffc2eed5

SHA256
14df9f68060afe2e162a5f36f957dd342f81d38dec7b34efa4019f7951d39d83

SHA512
58c2bd98eaa8835f6ebada35ebeeb00a90a88af55229f2915c3f30b57cf66d29d21b1b7f2926a90ad60875e1beb6d23aede1877c47ce4f1c4489b1e81b7bbbe7

Download Submit
C:\Users\Admin\AppData\Roaming\9799E\EC2E.799

Filesize
996B

MD5
43806c5260fd73ed67ca0c003246f84c

SHA1
3fb4f2bda3bb7151f2f98e71118b06e404f4aa73

SHA256
be5c06cfabccc84f1b1faebce7d49f031cc8a1ad6b1ca59f085311f1a859629b

SHA512
18ff97596145f22384a82a203fdbad417c478af80e0632c76f64f76b28b9dede1899fef8a697d9f5b8a125647fe743d2e5972e2b1e8ad427d25ff5f2c876c2dd

Download Submit
C:\Users\Admin\AppData\Roaming\9799E\EC2E.799

Filesize
600B

MD5
64faf6bf6b32d76ee23c8b0785beb20a

SHA1
fa9a46dbf3c3418b265fb1412e2d4b66ad312a15

SHA256
5104b0b0b505573c566493b7c207842e43816dc21a89645f1ed2f4746a3fdff5

SHA512
a552fe5e479fd488bbe51e2534bee715d4c01b3c5d0282ae8cd88fbb5c62eebf31c608a14cb47c4368168a5df5d6b2ceb53f1f279f1ca69826a3006e40017de2

Download Submit
memory/3376-80-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3376-82-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3576-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3576-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3576-13-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4656-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4656-17-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4656-83-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4656-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4656-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4656-187-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads