cycbot | cdbc3dbe90cc1723a4ed36a1ea6e1721cfbcb782b08bf2b9ac3c5e58244da66d

General

Target

JaffaCakes118_14c5c223f563c28c44974b440daab1d3.exe
Size

182KB
MD5

14c5c223f563c28c44974b440daab1d3
SHA1

226e4cc01b6d5bf8e9fa68d2248cdd19e4552fa4
SHA256

cdbc3dbe90cc1723a4ed36a1ea6e1721cfbcb782b08bf2b9ac3c5e58244da66d
SHA512

a141fcf364e8d42acf40875e01ef8faf7f6df6ba418eb6316fe0ba752f5cd32dc442aef0715421aa5d12aee151bfb7db80e0553dea0c88e7df834be1a2b4c7e6
SSDEEP

3072:CzSMe5SubW2NYWV9xfbwwy1b4hcUXgyjFRdM1478jFW2/Y:uSMraWTyMbYlLjFjM7F

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4948-15-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4992-16-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4992-17-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/3980-125-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4992-126-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4992-264-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\B4698\\97B0B.exe"	JaffaCakes118_14c5c223f563c28c44974b440daab1d3.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4992-3-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4948-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4948-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4992-16-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4992-17-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/3980-123-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/3980-125-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4992-126-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4992-264-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_14c5c223f563c28c44974b440daab1d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_14c5c223f563c28c44974b440daab1d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_14c5c223f563c28c44974b440daab1d3.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 4948	4992	JaffaCakes118_14c5c223f563c28c44974b440daab1d3.exe	83
PID 4992 wrote to memory of 4948	4992	JaffaCakes118_14c5c223f563c28c44974b440daab1d3.exe	83
PID 4992 wrote to memory of 4948	4992	JaffaCakes118_14c5c223f563c28c44974b440daab1d3.exe	83
PID 4992 wrote to memory of 3980	4992	JaffaCakes118_14c5c223f563c28c44974b440daab1d3.exe	98
PID 4992 wrote to memory of 3980	4992	JaffaCakes118_14c5c223f563c28c44974b440daab1d3.exe	98
PID 4992 wrote to memory of 3980	4992	JaffaCakes118_14c5c223f563c28c44974b440daab1d3.exe	98

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_14c5c223f563c28c44974b440daab1d3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_14c5c223f563c28c44974b440daab1d3.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_14c5c223f563c28c44974b440daab1d3.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_14c5c223f563c28c44974b440daab1d3.exe startC:\Program Files (x86)\LP\0B0B\619.exe%C:\Program Files (x86)\LP\0B0B
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4948
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_14c5c223f563c28c44974b440daab1d3.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_14c5c223f563c28c44974b440daab1d3.exe startC:\Program Files (x86)\98929\lvvm.exe%C:\Program Files (x86)\98929
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B4698\8929.469

Filesize
996B

MD5
d45969f71c6629aad39092bdf66b9cef

SHA1
f0aa5dae6395bf59e3a0b4846b737aac33577b10

SHA256
750ed5f6dbb8f22634455f66ec2494bfaea5cbf0e7feb9e8834a71fd1eec3e74

SHA512
1c463c5165218c5bb76b60ce5cb8e18c73aa7ec3269012d44bf47d4531e05a3822a5373b5c53a90193dd5d14e1d85640f61265facdcacc37ec5ebdc6fe5e0271

Download Submit
C:\Users\Admin\AppData\Roaming\B4698\8929.469

Filesize
600B

MD5
47210c83dd00ce4bcc6409c8727fdfaf

SHA1
631f9e37268af12ff4a309d57cf674c3fb4d5f69

SHA256
e1850081d5f944bc734d7b6fdc73e59464aceab768d2508ed9586926cf359571

SHA512
2b75d67810eefb8c5d73b7cc44c0599ad4ee4218c9fe14c99e69a1b11e0033afc3a7e4692a6f018e742947c997ecbd3e6d7b70db96ce083653de7932b6394008

Download Submit
C:\Users\Admin\AppData\Roaming\B4698\8929.469

Filesize
1KB

MD5
9271d38061d7daf5217a2fa3e027cc5d

SHA1
e1802d4f583352c7f8e6c29fca27a3222409f800

SHA256
67cb2db7bbe99f2fde1579f97830ae54bd0366bc8a35b2db10d07185bd186359

SHA512
9e5c2bd4f5ee8f8bfcb0c8a389f138eb0f12f37fe0f71fcd432a0fa154965b85f7cefff196f604ff5c3d82ab23cfa623c1e55441cd544ca6fcd9a60c2db72549

Download Submit
memory/3980-125-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3980-123-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4948-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4948-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4992-17-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4992-16-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4992-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4992-126-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4992-3-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4992-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4992-264-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads