cycbot | 4c3ab62582c73b13152d9165653ab4e308276824ee03d484436d0c3de5295d0e

General

Target

JaffaCakes118_41e9f1f3410db5e4226b9e465582fddc.exe
Size

170KB
MD5

41e9f1f3410db5e4226b9e465582fddc
SHA1

9e445a5220f6a19d300f55a416c2f55ace50a5a5
SHA256

4c3ab62582c73b13152d9165653ab4e308276824ee03d484436d0c3de5295d0e
SHA512

423d741f9d9e415247146cde9cf372671c02db7a6d5a8fd96a5545e4b6aa2410579c6a397e6b47c6c747efe55b4f8823cec7186ec6405fe390413737702991e9
SSDEEP

3072:dPrNKNOnU+1V0jf4QtQq9Pphxq1/+JtmqD5sn4sNCVW3k:dPrNKNmx1V0j3NPdq1mTFYtNr

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1792-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2708-16-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/2708-17-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2708-82-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/1196-84-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2708-201-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\4E358\\0B43D.exe"	JaffaCakes118_41e9f1f3410db5e4226b9e465582fddc.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2708-1-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/2708-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1792-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2708-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/2708-17-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2708-82-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1196-84-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2708-201-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_41e9f1f3410db5e4226b9e465582fddc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 1792	2708	JaffaCakes118_41e9f1f3410db5e4226b9e465582fddc.exe	82
PID 2708 wrote to memory of 1792	2708	JaffaCakes118_41e9f1f3410db5e4226b9e465582fddc.exe	82
PID 2708 wrote to memory of 1792	2708	JaffaCakes118_41e9f1f3410db5e4226b9e465582fddc.exe	82
PID 2708 wrote to memory of 1196	2708	JaffaCakes118_41e9f1f3410db5e4226b9e465582fddc.exe	90
PID 2708 wrote to memory of 1196	2708	JaffaCakes118_41e9f1f3410db5e4226b9e465582fddc.exe	90
PID 2708 wrote to memory of 1196	2708	JaffaCakes118_41e9f1f3410db5e4226b9e465582fddc.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_41e9f1f3410db5e4226b9e465582fddc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_41e9f1f3410db5e4226b9e465582fddc.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_41e9f1f3410db5e4226b9e465582fddc.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_41e9f1f3410db5e4226b9e465582fddc.exe startC:\Program Files (x86)\LP\DF64\859.exe%C:\Program Files (x86)\LP\DF64
  2⤵
  PID:1792
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_41e9f1f3410db5e4226b9e465582fddc.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_41e9f1f3410db5e4226b9e465582fddc.exe startC:\Program Files (x86)\58482\lvvm.exe%C:\Program Files (x86)\58482
  2⤵
  PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4E358\8482.E35

Filesize
1KB

MD5
304553da4d7fd439c19864e09a030279

SHA1
b0dd0e9befb4c90a88cb4825bb81bbc57d6906e3

SHA256
ed4c34cb85badb81f8fb38bd25c6d792e097ad2dd127c70e22d64328fdae4cfa

SHA512
ae77de8c13d70773fb58cbd0c565e5434e62453b16ec57bfb8b4600d994e19b1e37ea6710207fb3db6ff6c5f9b4ec8f61dfbe0a39308ee44a5d52c39480a54e0

Download Submit
C:\Users\Admin\AppData\Roaming\4E358\8482.E35

Filesize
600B

MD5
c1496b2fce2584c71144b110f75577ed

SHA1
081bc9851605534d1efbaa04d8883ba7d1bdb431

SHA256
91ef9d7f525bd8dd30a64cfbc9ba50b779b0943c07ccce133c6dd029e41143bc

SHA512
ea43cf19ab55b4308377b0bb8a992ddac48ebc5e5f895dd07aa690842fbb4dcc066808c0fda638b7d03107b10a446724edd7ab5b2a9dd6c23e44dcdf11a16eb8

Download Submit
C:\Users\Admin\AppData\Roaming\4E358\8482.E35

Filesize
996B

MD5
b48ea489483346afd05a317fd75e26dc

SHA1
30baedaa8e54ae531b69d89fff1a693d8eb991b0

SHA256
bda2f760768d6f43df1a74a4bf5eaf01d89ad95a9c4df6f0d73c984e126219ad

SHA512
57cf2ec73631183e8f4a91b2b71016a2838e0933579ffb685787876bfa7d78dee8c8146a70b75d259726a49cc76e6ec44340e9134a9842c25f4b3d6a61ad51e3

Download Submit
memory/1196-84-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1792-13-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1792-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2708-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2708-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2708-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2708-17-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2708-82-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2708-201-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads