cycbot | 60227bac02c0154bf1d0bc6d37d2b2a3459c169d6ae4b14446287d5a08cdd5c1

General

Target

JaffaCakes118_3cffc6cb43e8127d3ece522d5b110948.exe
Size

165KB
MD5

3cffc6cb43e8127d3ece522d5b110948
SHA1

bbdea1a19fccdee2164eb043ffccce64ec02d9d8
SHA256

60227bac02c0154bf1d0bc6d37d2b2a3459c169d6ae4b14446287d5a08cdd5c1
SHA512

863fd7592c83210e8df62004830cb83aa3dd99a50f63ab06d489f2512b65865b80dbbb426785362e9beed74e280d923ee2c605850691e9f504e76c320504b205
SSDEEP

3072:4c4t8ZZNIjdZdrkwu332MmFnRBpFa4djan8iF3740LXEhUQKa2Io0MsxF3b:45SlIdbDu33eFRBpFa4pwfU0l0M23b

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3976-18-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2788-17-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/2788-20-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/904-128-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2788-130-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2788-276-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\0EB60\\B5429.exe"	JaffaCakes118_3cffc6cb43e8127d3ece522d5b110948.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2788-4-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3976-18-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2788-17-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/3976-16-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2788-20-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/904-128-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/904-127-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2788-130-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2788-276-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3cffc6cb43e8127d3ece522d5b110948.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3cffc6cb43e8127d3ece522d5b110948.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3cffc6cb43e8127d3ece522d5b110948.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 3976	2788	JaffaCakes118_3cffc6cb43e8127d3ece522d5b110948.exe	84
PID 2788 wrote to memory of 3976	2788	JaffaCakes118_3cffc6cb43e8127d3ece522d5b110948.exe	84
PID 2788 wrote to memory of 3976	2788	JaffaCakes118_3cffc6cb43e8127d3ece522d5b110948.exe	84
PID 2788 wrote to memory of 904	2788	JaffaCakes118_3cffc6cb43e8127d3ece522d5b110948.exe	95
PID 2788 wrote to memory of 904	2788	JaffaCakes118_3cffc6cb43e8127d3ece522d5b110948.exe	95
PID 2788 wrote to memory of 904	2788	JaffaCakes118_3cffc6cb43e8127d3ece522d5b110948.exe	95

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3cffc6cb43e8127d3ece522d5b110948.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3cffc6cb43e8127d3ece522d5b110948.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3cffc6cb43e8127d3ece522d5b110948.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3cffc6cb43e8127d3ece522d5b110948.exe startC:\Program Files (x86)\LP\2980\E92.exe%C:\Program Files (x86)\LP\2980
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3976
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3cffc6cb43e8127d3ece522d5b110948.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3cffc6cb43e8127d3ece522d5b110948.exe startC:\Program Files (x86)\607DE\lvvm.exe%C:\Program Files (x86)\607DE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0EB60\07DE.EB6

Filesize
996B

MD5
1af15ad7da78d63f42cf95d983596cfc

SHA1
b5acc960d506e57e5632316cce0f50730cfade9b

SHA256
551f1bea6991445ae3b6aa24955a763de903db3649ebb52b9d0356e86adc3905

SHA512
5e5acc770c11303f226a2fc1fe16c619edb8633304d4284c114562f6dca9755e9331c500a3b27a8b58f0d8682c2c26a4f2f20c68b1868245619f90b5020ef929

Download Submit
C:\Users\Admin\AppData\Roaming\0EB60\07DE.EB6

Filesize
600B

MD5
d7f58b41e6f911a4bd7de3cffde056d5

SHA1
6659c3304c54ed7dcdb5eb2131fc4645cd3258e8

SHA256
2185b1f05259b2c7fa56067583215b8477adc8c523a7d3e1689170154adcf485

SHA512
1f510bc2bd7c15d5d15439f84657f42065a9e86759093d7f0976d6542402998610110a914952888b3e5128ae0654861b2cbe8ff04c760542b8653d92aaa0a34f

Download Submit
C:\Users\Admin\AppData\Roaming\0EB60\07DE.EB6

Filesize
1KB

MD5
2a6c0d6ca67adcdbe5f4dfb77bebf83a

SHA1
d97a64a659263a74ff27ed3a66289eb7c3603f99

SHA256
e15449b333e05b2d5a3db891dd2e3473fac0121e507a8101acace8cd04985872

SHA512
a9bd1ac726cae2ae230225beffdc466bf8cfd4d28ed16c8a15ce5ce2c6d1690a04d32080a7c2789a09d88023c07679c4000156b404e276bfc96bab51f94eab9d

Download Submit
memory/904-127-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/904-129-0x0000000074E50000-0x0000000074E89000-memory.dmp

Filesize
228KB

Download
memory/904-128-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/904-125-0x0000000074E50000-0x0000000074E89000-memory.dmp

Filesize
228KB

Download
memory/2788-130-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2788-20-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2788-17-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2788-3-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2788-0-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2788-4-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2788-1-0x0000000074E50000-0x0000000074E89000-memory.dmp

Filesize
228KB

Download
memory/2788-276-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2788-277-0x0000000074E50000-0x0000000074E89000-memory.dmp

Filesize
228KB

Download
memory/3976-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3976-18-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3976-19-0x0000000074E50000-0x0000000074E89000-memory.dmp

Filesize
228KB

Download
memory/3976-14-0x0000000074E50000-0x0000000074E89000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads