cycbot | a2b0e82c6cc7f9c66f119f32b2fd402a68f0bfbdf34129709078fbae10cd14a2

General

Target

JaffaCakes118_59ef85b79a6382700ebdc1bbbf8f01c1.exe
Size

165KB
MD5

59ef85b79a6382700ebdc1bbbf8f01c1
SHA1

1eb32ce8991b1067930ed13d7d9a8ebdb4ecc357
SHA256

a2b0e82c6cc7f9c66f119f32b2fd402a68f0bfbdf34129709078fbae10cd14a2
SHA512

32fcf67d50ca1beb4eb49939dd3c623226448996e33fd02b691cd720b40593dc24ecb6d4c8195752db22c91420e0f8fa74736fe670f50aad2bb167599c413d9e
SSDEEP

3072:5FlKQvSVSSSR6m1iNm9Euf2Vw+B0sSUvsvcBqamZDOwaDJmC:xq7S2aEuiRsvcbr

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/356-17-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2588-19-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/2588-20-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2564-134-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2564-133-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2588-135-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2588-325-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\5DEBE\\9217E.exe"	JaffaCakes118_59ef85b79a6382700ebdc1bbbf8f01c1.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2588-4-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/356-16-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/356-17-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2588-19-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/2588-20-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2564-134-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2564-133-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2588-135-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2588-325-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_59ef85b79a6382700ebdc1bbbf8f01c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_59ef85b79a6382700ebdc1bbbf8f01c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_59ef85b79a6382700ebdc1bbbf8f01c1.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 356	2588	JaffaCakes118_59ef85b79a6382700ebdc1bbbf8f01c1.exe	82
PID 2588 wrote to memory of 356	2588	JaffaCakes118_59ef85b79a6382700ebdc1bbbf8f01c1.exe	82
PID 2588 wrote to memory of 356	2588	JaffaCakes118_59ef85b79a6382700ebdc1bbbf8f01c1.exe	82
PID 2588 wrote to memory of 2564	2588	JaffaCakes118_59ef85b79a6382700ebdc1bbbf8f01c1.exe	87
PID 2588 wrote to memory of 2564	2588	JaffaCakes118_59ef85b79a6382700ebdc1bbbf8f01c1.exe	87
PID 2588 wrote to memory of 2564	2588	JaffaCakes118_59ef85b79a6382700ebdc1bbbf8f01c1.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59ef85b79a6382700ebdc1bbbf8f01c1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59ef85b79a6382700ebdc1bbbf8f01c1.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59ef85b79a6382700ebdc1bbbf8f01c1.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59ef85b79a6382700ebdc1bbbf8f01c1.exe startC:\Program Files (x86)\LP\7E05\CA3.exe%C:\Program Files (x86)\LP\7E05
  2⤵
  - System Location Discovery: System Language Discovery
  PID:356
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59ef85b79a6382700ebdc1bbbf8f01c1.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59ef85b79a6382700ebdc1bbbf8f01c1.exe startC:\Program Files (x86)\BE1C5\lvvm.exe%C:\Program Files (x86)\BE1C5
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5DEBE\E1C5.DEB

Filesize
600B

MD5
a04aad9614210f3af7ca448c55574d38

SHA1
f9f68e413a3b5fce31db0333f402ebc5330a269c

SHA256
5d5c4ae777a18fbdb4e174028653072e4f3e9826fba78cdcf9131cca4d174eda

SHA512
d89ebaa7a1055419c006bb8e5f91dd772cd5bb54d98d1466af01c7bf32e6b0e7f6e228ff89e84f42264b63ea7c6a5cc4b594ae21709e4c7d4ffad2399074f41e

Download Submit
C:\Users\Admin\AppData\Roaming\5DEBE\E1C5.DEB

Filesize
996B

MD5
7eeb1186d6f7b8cb17b93e51e5cbbae5

SHA1
24ce40e30941670621615779fdbff7b09cff2fc1

SHA256
f927f7fe2b9221b8eee52ca39d36a16b8898621efcce35ec479dc566404fa12f

SHA512
545b99d444c905fd1ab60ec0260303e2d4de5ed8fb5c791ac40e48e1a1b075ede68fb2161c5ef0e7af293a62a0e8b06932cf60a02febb574fd30eeabf291cabe

Download Submit
C:\Users\Admin\AppData\Roaming\5DEBE\E1C5.DEB

Filesize
1KB

MD5
bed7bad567e45b79f6cae237675466b8

SHA1
e643f8e93ad4c924f7395d16923f4cf759fb02a4

SHA256
9124e4c7503baa07710612128ed220f1eeded9bc2e59d0011688b203cd92ff6a

SHA512
fc1891c9c358990c057b925e898a7fd5d5ff880f9999acc77f44d849a6c1bffaea06191c304f012d865c707fb1c831ff6343f32b978c4fa2ad4c071713a3623f

Download Submit
memory/356-14-0x00000000754F0000-0x0000000075529000-memory.dmp

Filesize
228KB

Download
memory/356-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/356-17-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/356-18-0x00000000754F0000-0x0000000075529000-memory.dmp

Filesize
228KB

Download
memory/2564-129-0x00000000754F0000-0x0000000075529000-memory.dmp

Filesize
228KB

Download
memory/2564-133-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2564-134-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2564-132-0x00000000754F0000-0x0000000075529000-memory.dmp

Filesize
228KB

Download
memory/2588-20-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2588-0-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2588-19-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2588-4-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2588-135-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2588-3-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2588-1-0x00000000754F0000-0x0000000075529000-memory.dmp

Filesize
228KB

Download
memory/2588-325-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2588-326-0x00000000754F0000-0x0000000075529000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads