cycbot | 58402f0af858873033f1edfcfc1e7ad727ef9b6f8ad3e8903508c410be5a77ba

General

Target

JaffaCakes118_6ee89bf51d49c0f521aac20517ce6821.exe
Size

160KB
MD5

6ee89bf51d49c0f521aac20517ce6821
SHA1

c26cca3f537478437b824278c95e1174aadb8e8e
SHA256

58402f0af858873033f1edfcfc1e7ad727ef9b6f8ad3e8903508c410be5a77ba
SHA512

1a557b70b1ed99527e696cb7967ef999c0d0366d00793c91e92f76e0a91f42ff702820c72da39327160af72ff642dbd59981848ee05b69e9d9ff21479660733d
SSDEEP

3072:2bzOJ9VacUKG42tEplNc4rLqpssNX5SkG/zrfTG9WqvUEJmUwMKM2:2saR4EAnc4rLq6c5ZG/3fovvJmUYM2

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3008-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2288-16-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2288-17-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/2916-135-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2288-136-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/2288-314-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\E2F43\\E6810.exe"	JaffaCakes118_6ee89bf51d49c0f521aac20517ce6821.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2288-3-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3008-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3008-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2288-16-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2288-17-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/2916-135-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2288-136-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2288-314-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6ee89bf51d49c0f521aac20517ce6821.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6ee89bf51d49c0f521aac20517ce6821.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6ee89bf51d49c0f521aac20517ce6821.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 3008	2288	JaffaCakes118_6ee89bf51d49c0f521aac20517ce6821.exe	88
PID 2288 wrote to memory of 3008	2288	JaffaCakes118_6ee89bf51d49c0f521aac20517ce6821.exe	88
PID 2288 wrote to memory of 3008	2288	JaffaCakes118_6ee89bf51d49c0f521aac20517ce6821.exe	88
PID 2288 wrote to memory of 2916	2288	JaffaCakes118_6ee89bf51d49c0f521aac20517ce6821.exe	89
PID 2288 wrote to memory of 2916	2288	JaffaCakes118_6ee89bf51d49c0f521aac20517ce6821.exe	89
PID 2288 wrote to memory of 2916	2288	JaffaCakes118_6ee89bf51d49c0f521aac20517ce6821.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ee89bf51d49c0f521aac20517ce6821.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ee89bf51d49c0f521aac20517ce6821.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ee89bf51d49c0f521aac20517ce6821.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ee89bf51d49c0f521aac20517ce6821.exe startC:\Program Files (x86)\LP\108E\733.exe%C:\Program Files (x86)\LP\108E
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3008
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ee89bf51d49c0f521aac20517ce6821.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ee89bf51d49c0f521aac20517ce6821.exe startC:\Program Files (x86)\43F8C\lvvm.exe%C:\Program Files (x86)\43F8C
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E2F43\3F8C.2F4

Filesize
600B

MD5
6acc6c9c7305d33faf2dd607b01f1468

SHA1
7a4b72a49814a0cd70b670d31a41ecaab55344f9

SHA256
e6da252e90c8c002a73ec7b28cf87251aaf63cc6b971fd4603d7d43b11b7b80a

SHA512
f228322cdcd6be5b0ac7bf3123434905b06cdeeac7d13e1abca8a187e3ad6ea94a37b3f26f5a1c70cee307f60d8fd870d0d61b74af11808235764e124f86a6f5

Download Submit
C:\Users\Admin\AppData\Roaming\E2F43\3F8C.2F4

Filesize
996B

MD5
5f52f1e7b34accb389e23582a1ed9b51

SHA1
66503cf28b07dfc4ce473e6cc7dbf67c37f694ab

SHA256
994bd9aed6774b8015b8e4d251a5c84d9f2005fc8c6fafe3f682cb50e0daa497

SHA512
a3179fa693282f5b464ce6e426b45762d1011c463954fc9182d2d0442b526a22604fab0d7a84f41ede887189ddc7e1966b45de72ee1042447c45cb0415a762a6

Download Submit
C:\Users\Admin\AppData\Roaming\E2F43\3F8C.2F4

Filesize
1KB

MD5
8f5393a80b4f846a6d70ba24b5a0e4d7

SHA1
727342fae4c97c863fe11d0924d36816daec2d15

SHA256
ecdbefbb3dfcda6eec934b46c907be8bcdf16715229e55fc95769cafc3620420

SHA512
07abb34004862394f0c48d6cc084e5f51db86640a33b017f13ea78f2742a3808ddf2f35899f822d8aff9b0c76f63ad26f97f7727ca3be36bbaeac9bca1ad4043

Download Submit
memory/2288-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2288-0-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2288-17-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2288-136-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2288-3-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2288-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2288-314-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2916-135-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3008-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3008-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads