cycbot | c1dde5773f0c31665b1b55e67ea5e6a8e5d2572632395d57d9bb9662a1c6545a

General

Target

JaffaCakes118_596533af4ad3d9ca93f515486bf83572.exe
Size

166KB
MD5

596533af4ad3d9ca93f515486bf83572
SHA1

4d6d4d114ee7d8b2732ae420db70a37a44f67e91
SHA256

c1dde5773f0c31665b1b55e67ea5e6a8e5d2572632395d57d9bb9662a1c6545a
SHA512

2f69568dd915c0d826896e967baf23a2dd8b82d82116950cb38964f375b8f0c5f32c62bc685d76fd076d449fb4d2745814c6c461eaccd1c76b7c321eb01255ae
SSDEEP

3072:xsKK+KQsgsoEsvwu27lFWc9LF8YApcun3V88evyu2JzTY6gX2aZlg:CiGlrlFf9LF6pcMyvyNXlyi

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2608-14-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/2564-15-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/2564-16-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/1048-133-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/2564-134-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/2564-283-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\382E1\\B5600.exe"	JaffaCakes118_596533af4ad3d9ca93f515486bf83572.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2564-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2608-13-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2608-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2564-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2564-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/1048-133-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2564-134-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2564-283-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_596533af4ad3d9ca93f515486bf83572.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2608	2564	JaffaCakes118_596533af4ad3d9ca93f515486bf83572.exe	84
PID 2564 wrote to memory of 2608	2564	JaffaCakes118_596533af4ad3d9ca93f515486bf83572.exe	84
PID 2564 wrote to memory of 2608	2564	JaffaCakes118_596533af4ad3d9ca93f515486bf83572.exe	84
PID 2564 wrote to memory of 1048	2564	JaffaCakes118_596533af4ad3d9ca93f515486bf83572.exe	85
PID 2564 wrote to memory of 1048	2564	JaffaCakes118_596533af4ad3d9ca93f515486bf83572.exe	85
PID 2564 wrote to memory of 1048	2564	JaffaCakes118_596533af4ad3d9ca93f515486bf83572.exe	85

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_596533af4ad3d9ca93f515486bf83572.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_596533af4ad3d9ca93f515486bf83572.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_596533af4ad3d9ca93f515486bf83572.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_596533af4ad3d9ca93f515486bf83572.exe startC:\Program Files (x86)\LP\0063\6C0.exe%C:\Program Files (x86)\LP\0063
  2⤵
  PID:2608
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_596533af4ad3d9ca93f515486bf83572.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_596533af4ad3d9ca93f515486bf83572.exe startC:\Program Files (x86)\E1CF8\lvvm.exe%C:\Program Files (x86)\E1CF8
  2⤵
  PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\382E1\1CF8.82E

Filesize
996B

MD5
3554e5955f1de7e3e2ff0eeeeaf5fd9b

SHA1
f416a1a6e1cd67c9c0796de4becb8d4bc8a4110f

SHA256
ea9730e371eaa49b9a0890f95ce7d92eaa2f5aad490d94b56933dafd4b554f73

SHA512
04afbc25101526b1cd0b5f71783a37d166717890326933cca56589b2a4eaf03c81fa8c391c9a32c4e10c03c49126e2a0322e7bb692a3d4ce92912c54df96dc73

Download Submit
C:\Users\Admin\AppData\Roaming\382E1\1CF8.82E

Filesize
600B

MD5
ad30948b44248f71bf9a8785bf4b84b9

SHA1
d7faf98a040ccf055ba74704273e8ce35c4b8164

SHA256
4f43b1dd20ba72940e12aa1eb570b9550230eca8073f90e9f3c7fce8fbd7b3c5

SHA512
611fef069e4e62f32c17c945115f24c211d669e2defe5badd65903b921f891f584140469f873cfd81ca4ca7d4aee95293f7ab0affdf5b0a401d2150bb77de211

Download Submit
C:\Users\Admin\AppData\Roaming\382E1\1CF8.82E

Filesize
1KB

MD5
ad9d15cb733590a32326e771cea30114

SHA1
c0421781587fff31f61634ae6c88a9ed17ab547d

SHA256
c51e0b079deea8d7e37932ee1cd91c8a88eaefa05f14bfc3c3ebf0e1dad87d83

SHA512
072afa20a0ada2add1cbac96a50aa136a2a893f25c2e7b11bd77e57b2173a9186057a1e7c8d5f02b66c3e51ed9d42eec956e809011d73886ff9c814af622ed47

Download Submit
memory/1048-133-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2564-134-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2564-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2564-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2564-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2564-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2564-283-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2608-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2608-13-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2608-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads