cycbot | 1ccec4722b3e77a8cd6096d056c9729970031435165bd4b9e0dbe2bcd8b2e3ce

General

Target

JaffaCakes118_696fafa9022841b1857c58c81c946b39.exe
Size

175KB
MD5

696fafa9022841b1857c58c81c946b39
SHA1

4b28e0351e24a0f8ddb1870c2890fd66794c19e8
SHA256

1ccec4722b3e77a8cd6096d056c9729970031435165bd4b9e0dbe2bcd8b2e3ce
SHA512

f0459f40a02a09e2af63ff2844207c74e6633f4a7eef1526ece958b004c716e6d0a5911ccf99d0bbbe7e0572f97cc4f942b55b17986ec0c1c2ba9d85c254d03f
SSDEEP

3072:FpR0iRWxwF+fA5V6qXbqdqRgPKA4cQdKOQPSvWLYE55g1Xx:FpRJUf2V5bqdqRYK5sOkSDw5gR

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1536-15-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/3452-16-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/3452-17-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/4800-145-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/3452-146-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral2/memory/3452-324-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\715F1\\F5062.exe"	JaffaCakes118_696fafa9022841b1857c58c81c946b39.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3452-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/1536-13-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/1536-12-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/1536-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/3452-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/3452-17-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4800-143-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4800-145-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/3452-146-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/3452-324-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_696fafa9022841b1857c58c81c946b39.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_696fafa9022841b1857c58c81c946b39.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_696fafa9022841b1857c58c81c946b39.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 1536	3452	JaffaCakes118_696fafa9022841b1857c58c81c946b39.exe	85
PID 3452 wrote to memory of 1536	3452	JaffaCakes118_696fafa9022841b1857c58c81c946b39.exe	85
PID 3452 wrote to memory of 1536	3452	JaffaCakes118_696fafa9022841b1857c58c81c946b39.exe	85
PID 3452 wrote to memory of 4800	3452	JaffaCakes118_696fafa9022841b1857c58c81c946b39.exe	86
PID 3452 wrote to memory of 4800	3452	JaffaCakes118_696fafa9022841b1857c58c81c946b39.exe	86
PID 3452 wrote to memory of 4800	3452	JaffaCakes118_696fafa9022841b1857c58c81c946b39.exe	86

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_696fafa9022841b1857c58c81c946b39.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_696fafa9022841b1857c58c81c946b39.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_696fafa9022841b1857c58c81c946b39.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_696fafa9022841b1857c58c81c946b39.exe startC:\Program Files (x86)\LP\62B7\9CA.exe%C:\Program Files (x86)\LP\62B7
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1536
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_696fafa9022841b1857c58c81c946b39.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_696fafa9022841b1857c58c81c946b39.exe startC:\Program Files (x86)\F1AE9\lvvm.exe%C:\Program Files (x86)\F1AE9
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\715F1\1AE9.15F

Filesize
996B

MD5
82fc9fb6e95ba3221f58fee97a426b9e

SHA1
13ccfaf9bba4a901f088451eeb6756ea7ae6f59d

SHA256
177c3256b58cd95acabdd6d1ec3f6d71df7d9f16b25d8d09236b9d3e569c04d5

SHA512
e115c4dd2698ffb9aa08f1bfd17c4b405d46337ba705b4c729c70c4a6a4e0f3e0c3502adc1d6acb1d986987e56da536101206d520772af1b73835918221332e2

Download Submit
C:\Users\Admin\AppData\Roaming\715F1\1AE9.15F

Filesize
600B

MD5
0bb3f8e138560b40211ff48236951461

SHA1
110b9d1b18d1c593bfdc110c230e39b35b98ac24

SHA256
fb1104064e7590a1fd1f8a094da022cbdd2fdc123fc6fb4c6486f8bc07bd7130

SHA512
fd048c9a8e4bdf73b04c5424d78ba113943dd2fbf451a443ac5ee6d3e4d75e735e9584c74a498a2061418759edf262c63747bc83782e855a9091c81f37f5a887

Download Submit
C:\Users\Admin\AppData\Roaming\715F1\1AE9.15F

Filesize
1KB

MD5
a6ef9810191d94196ef7b0cb4f4c216b

SHA1
fb4f00380506a8c74ad0cea10f0c12c0e98626f7

SHA256
099616df87103d3207b4484eb886b91405050dfaa8e41ca0e48a132aa9cd8f48

SHA512
447ccc4d00fedaafea5932a08a986c9195747174533a74d920cbe379c3151cca1b78565980fffe7b83e4c955f7851e385fce460744eea8899fcc7d3e384ec8d7

Download Submit
memory/1536-13-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1536-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1536-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3452-17-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3452-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3452-146-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3452-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3452-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3452-324-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4800-143-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4800-142-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4800-145-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads