cycbot | 546ee55cffe8d0fb0c0e606fe8de9cb49a894b692a50e7daf6858318f5141db3

General

Target

JaffaCakes118_781b3f6a751cf14c00a2a4b5a9e6ff0b.exe
Size

170KB
MD5

781b3f6a751cf14c00a2a4b5a9e6ff0b
SHA1

24cf86d2faf39fa15abc8eb936b3b8ac85bc6816
SHA256

546ee55cffe8d0fb0c0e606fe8de9cb49a894b692a50e7daf6858318f5141db3
SHA512

4c7b3b9d2cdeec7cce61b42d66aa5463d565c547915bc5be907da63c6f4a5087ef02991f0ecc29a661a582e1208597e1a170c8c98dcec6fe7ad23220addad461
SSDEEP

3072:thYT1w9DMflW7lf3Hqtf6XO4Ya3f1uhlFIEaDetyHkFNHrhU4uB:thw1SDMNW5f3zLv1UIE9y0VTu

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/5040-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/5040-14-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/3796-16-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/3796-17-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/4268-83-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/3796-84-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/3796-186-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\C67D0\\8AAB6.exe"	JaffaCakes118_781b3f6a751cf14c00a2a4b5a9e6ff0b.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3796-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/5040-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/5040-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3796-16-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3796-17-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/4268-82-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4268-83-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3796-84-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3796-186-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_781b3f6a751cf14c00a2a4b5a9e6ff0b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 5040	3796	JaffaCakes118_781b3f6a751cf14c00a2a4b5a9e6ff0b.exe	86
PID 3796 wrote to memory of 5040	3796	JaffaCakes118_781b3f6a751cf14c00a2a4b5a9e6ff0b.exe	86
PID 3796 wrote to memory of 5040	3796	JaffaCakes118_781b3f6a751cf14c00a2a4b5a9e6ff0b.exe	86
PID 3796 wrote to memory of 4268	3796	JaffaCakes118_781b3f6a751cf14c00a2a4b5a9e6ff0b.exe	87
PID 3796 wrote to memory of 4268	3796	JaffaCakes118_781b3f6a751cf14c00a2a4b5a9e6ff0b.exe	87
PID 3796 wrote to memory of 4268	3796	JaffaCakes118_781b3f6a751cf14c00a2a4b5a9e6ff0b.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_781b3f6a751cf14c00a2a4b5a9e6ff0b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_781b3f6a751cf14c00a2a4b5a9e6ff0b.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_781b3f6a751cf14c00a2a4b5a9e6ff0b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_781b3f6a751cf14c00a2a4b5a9e6ff0b.exe startC:\Program Files (x86)\LP\B69C\9C3.exe%C:\Program Files (x86)\LP\B69C
  2⤵
  PID:5040
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_781b3f6a751cf14c00a2a4b5a9e6ff0b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_781b3f6a751cf14c00a2a4b5a9e6ff0b.exe startC:\Program Files (x86)\D065A\lvvm.exe%C:\Program Files (x86)\D065A
  2⤵
  PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C67D0\065A.67D

Filesize
1KB

MD5
0017fa853047d5c139b5192b674ceb23

SHA1
7d23fd51de43739ebe11910d38ee60d49526cb77

SHA256
106e21d11120aa64c3fbf899086b5f39072bb074b5ab1135137013684dd60c54

SHA512
e8f10f6d1721f19e5e3e42e56d560cfaa9800ed9bf204b58b6ed4e45f0ee1f0d95fa589a33e85d62d91eb559fbea43d921ac035b4086d0d3d329a0cf052810d4

Download Submit
C:\Users\Admin\AppData\Roaming\C67D0\065A.67D

Filesize
600B

MD5
a3e214a55614ac3c90615c84b321c9d0

SHA1
27d7086d8ef6ab28169522c32e4c99c23288bed8

SHA256
4dd38aafcac33eca16bd6683e50a485a9eea8b33fca9649019ac9aef38e8b8c9

SHA512
7ca1784525de84c27ee1a689399ee5f7f905254adc98e06b8811e6100b63e3eb048eda24f55ec450f6f82c46d305184b241572a3701dd6bfc032d3d27ac5f22f

Download Submit
C:\Users\Admin\AppData\Roaming\C67D0\065A.67D

Filesize
996B

MD5
1c3eb08a2bbf81740ea86083e8204f48

SHA1
8d7bf0ce0a4edf5ca2d916798ab1617d44013287

SHA256
dacdbad72ac564b2b5f7ae001483f1c76e8a9cfffe20e4ece88f98a57bcc9c09

SHA512
d899f6d7e9e7738263609b59785fd4c15fe0662a8997cc17804fbf9d5a9899dfa64d12032aca6c74a0c832f4fd52a9dd67233d455b23428d5581403e3f03136c

Download Submit
memory/3796-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3796-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3796-186-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3796-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3796-17-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3796-84-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4268-83-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4268-82-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5040-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5040-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5040-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads