cycbot | 86b19254910eb5311f174ced2371f215230ef5b85f2b4947d7b9144c5677ba61

General

Target

JaffaCakes118_9b35b8947738fe040b2d4ae33d8023f3.exe
Size

173KB
MD5

9b35b8947738fe040b2d4ae33d8023f3
SHA1

eb464f2c442ce2eae47527d197d4ce7e38cc2a78
SHA256

86b19254910eb5311f174ced2371f215230ef5b85f2b4947d7b9144c5677ba61
SHA512

3fbcaa82f365a7d666f28be1ff0d7c964fc24755fc1e6eded8d49cac0f2b25b0e2a123b6df577b8a3c41de83b9ad903405b05a2a213290fa63f223845d43ab7f
SSDEEP

3072:Z+Mwo0WwWMc7N378pMDnWIeKteaXrbvbXckns/xscwL7fQugx+xbMql+z/edrJLk:Z+RgwW77N3Qp8nQgZ/vbgxscwL7+x+N0

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/768-14-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/4032-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/4032-16-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/1192-121-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/4032-122-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/4032-272-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\24C7E\\3D8C3.exe"	JaffaCakes118_9b35b8947738fe040b2d4ae33d8023f3.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4032-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/768-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/4032-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/4032-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/1192-121-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/4032-122-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/4032-272-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9b35b8947738fe040b2d4ae33d8023f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9b35b8947738fe040b2d4ae33d8023f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9b35b8947738fe040b2d4ae33d8023f3.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 768	4032	JaffaCakes118_9b35b8947738fe040b2d4ae33d8023f3.exe	97
PID 4032 wrote to memory of 768	4032	JaffaCakes118_9b35b8947738fe040b2d4ae33d8023f3.exe	97
PID 4032 wrote to memory of 768	4032	JaffaCakes118_9b35b8947738fe040b2d4ae33d8023f3.exe	97
PID 4032 wrote to memory of 1192	4032	JaffaCakes118_9b35b8947738fe040b2d4ae33d8023f3.exe	101
PID 4032 wrote to memory of 1192	4032	JaffaCakes118_9b35b8947738fe040b2d4ae33d8023f3.exe	101
PID 4032 wrote to memory of 1192	4032	JaffaCakes118_9b35b8947738fe040b2d4ae33d8023f3.exe	101

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9b35b8947738fe040b2d4ae33d8023f3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9b35b8947738fe040b2d4ae33d8023f3.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9b35b8947738fe040b2d4ae33d8023f3.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9b35b8947738fe040b2d4ae33d8023f3.exe startC:\Program Files (x86)\LP\C372\72D.exe%C:\Program Files (x86)\LP\C372
  2⤵
  - System Location Discovery: System Language Discovery
  PID:768
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9b35b8947738fe040b2d4ae33d8023f3.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9b35b8947738fe040b2d4ae33d8023f3.exe startC:\Program Files (x86)\7E706\lvvm.exe%C:\Program Files (x86)\7E706
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\24C7E\E706.4C7

Filesize
996B

MD5
9391a47bec6da5cde60aa6793ef0ef39

SHA1
9088c464a7e57e2da111543dece03a9041f99315

SHA256
e1c44457316423995a863f76fb4fe6a35896df07d2647e2d8bf7f6de7f99f871

SHA512
a0c688e3ebb437af6771e4ea4350cb384ca16f4afd07e246ce0fd8c475bb1e5eb0233ea8d6e17bfe3f69379aa9819c16eb9c77f6f17cd4b3f0bf5a6571a32d09

Download Submit
C:\Users\Admin\AppData\Roaming\24C7E\E706.4C7

Filesize
600B

MD5
d1783a42685bd58a40237ff39edc45e9

SHA1
f462fea82f3c3d6279bfdc3855c9a55e1d82afc6

SHA256
24442156e3fbf584f4b215c6ff5f54aa9ade4f2e4e422ccc0b9220cc7e0e10e2

SHA512
f7deff7b90ce9007655e9037420382de03463b5049ef9270ccffc82fe2e6f6d1f3d7cd3b6a510e6424d95e0969ba339d79d3b3ea5933ec92ae908a4ca03a4afe

Download Submit
C:\Users\Admin\AppData\Roaming\24C7E\E706.4C7

Filesize
1KB

MD5
632a01886490f623b6ea592e067231b9

SHA1
76944f97d587a10b395de585a2b4216364ae711f

SHA256
585a4b30ab781e7e1cce35eddedf938e1b01449b63a72cf3bdfe478a7b6027a4

SHA512
8e4edf723e42eb986f59697e96f0fc79d0dd8d01814a6537a90c529b25ccba3f117e363b39bd7c4621bd055bd88902d2bef782449ba02aabf101ff456cb4238c

Download Submit
memory/768-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/768-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1192-121-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4032-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4032-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4032-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4032-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4032-122-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4032-272-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads