cycbot | 961f2cec351ae2807a45354309ec54ceeb74c44e8615ec5f01f4c7e30d85d055

General

Target

JaffaCakes118_63102bad40a538e1c160ee2ce30b446b.exe
Size

164KB
MD5

63102bad40a538e1c160ee2ce30b446b
SHA1

79b77b361b73cd16a7fe5dc3c57d708e3af4d370
SHA256

961f2cec351ae2807a45354309ec54ceeb74c44e8615ec5f01f4c7e30d85d055
SHA512

4f68e4c44f66200366e7522b4df6190347d98b73bced99ceb8d37dcd98153986e2faedcf0692b356fab0ee8daed7667a4029e997554af742288d7c6d8bc7bc3a
SSDEEP

3072:NMSGyet1WiKIRNrGVRM7QOak3Xf0ICZ5Js06VuX4+Bg+hUpZt3PNGy4Ql3+:NIP1Wi5R2RM/an5KItBqXF8/V

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4464-14-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4992-15-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/4992-16-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/2532-118-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4992-119-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4992-277-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\4524C\\DBEBB.exe"	JaffaCakes118_63102bad40a538e1c160ee2ce30b446b.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4992-3-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4464-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4992-15-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/4992-16-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2532-118-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4992-119-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4992-277-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_63102bad40a538e1c160ee2ce30b446b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_63102bad40a538e1c160ee2ce30b446b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_63102bad40a538e1c160ee2ce30b446b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 4464	4992	JaffaCakes118_63102bad40a538e1c160ee2ce30b446b.exe	85
PID 4992 wrote to memory of 4464	4992	JaffaCakes118_63102bad40a538e1c160ee2ce30b446b.exe	85
PID 4992 wrote to memory of 4464	4992	JaffaCakes118_63102bad40a538e1c160ee2ce30b446b.exe	85
PID 4992 wrote to memory of 2532	4992	JaffaCakes118_63102bad40a538e1c160ee2ce30b446b.exe	88
PID 4992 wrote to memory of 2532	4992	JaffaCakes118_63102bad40a538e1c160ee2ce30b446b.exe	88
PID 4992 wrote to memory of 2532	4992	JaffaCakes118_63102bad40a538e1c160ee2ce30b446b.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63102bad40a538e1c160ee2ce30b446b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63102bad40a538e1c160ee2ce30b446b.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63102bad40a538e1c160ee2ce30b446b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63102bad40a538e1c160ee2ce30b446b.exe startC:\Program Files (x86)\LP\BB04\A04.exe%C:\Program Files (x86)\LP\BB04
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4464
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63102bad40a538e1c160ee2ce30b446b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63102bad40a538e1c160ee2ce30b446b.exe startC:\Program Files (x86)\4CD95\lvvm.exe%C:\Program Files (x86)\4CD95
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4524C\CD95.524

Filesize
996B

MD5
f9b3498afbd2908fc3d672a059b7e0f8

SHA1
f471916f7f1964695ed356067d9b000d0d8856eb

SHA256
44f35d46f0bf87646ae38e15a035d823ef5de0c1f898a6d8aed57bc928bd14b5

SHA512
b949d519d66a9ff266abcd333bb5ee4840b45f4688b708728092d3bb224dd5ac695bce4846cc25dc9292640493fbbcfe195fae0bcf3198a994929906e4ac7b8e

Download Submit
C:\Users\Admin\AppData\Roaming\4524C\CD95.524

Filesize
600B

MD5
a6112e37c6cd09e9e6321fc9ba459e9f

SHA1
2deb006aac09a274bb0f5bf6abb3e211cb5c7fe1

SHA256
0f6cc7361fd686f4863491c7dba30d01f88648b0b73c9775481a01ae81758d58

SHA512
dff6bf6ff674745f1e751c7751d64a566a382de89f549498c8ac728dd1c36488604c2810f2f5f9d4061ce5bea2794ada92886105abcae48c7c04da5f464c7e3b

Download Submit
C:\Users\Admin\AppData\Roaming\4524C\CD95.524

Filesize
1KB

MD5
75103b6bcdf3841e627e4b9dcae968d0

SHA1
ea53682925ca9ed39b3fbe1c3e6e8e18d2a62b8d

SHA256
b322a15bb7146f414c7c219c97820b06f9cd76e130db1c2241e3323e1c04e5bd

SHA512
6a2362f42ea9782f2520a61e9de8a39acfad02480bed7a8858af4757ceebda0d555a7c2e3b5e0a705612cfb6b13232e36dc616bbcd4386142643b7d6545ef307

Download Submit
memory/2532-118-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4464-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4992-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4992-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4992-3-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4992-15-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4992-16-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4992-119-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4992-277-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads