cycbot | 7e2f51519b393215f2e573e1e2fa9dadf37967a2193b2490012dbdc37bf5f52e

General

Target

9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe
Size

169KB
MD5

9353e6c6dc1502faf3666f695e703198
SHA1

edb3f50c1a8039a5c2424b42cdf1dc5197c18e32
SHA256

7e2f51519b393215f2e573e1e2fa9dadf37967a2193b2490012dbdc37bf5f52e
SHA512

895aee099139ddc5c9133129ba3e067839062ca5537508038e923b6aa54fd534b92ae6c1eea7a14724a7ae99dc03d5b484e919c127d096d0349e337e72aee539
SSDEEP

3072:CvV4TXwc73E+0Y8gal6HFbZPVbu9gU3HCc6gmT2NQQa+uSX+vG3kWP:CvyTXwcLEXYoyNm3ia1U87P

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

Processes:

resource	yara_rule
behavioral1/memory/2660-13-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2352-14-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/2352-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2352-80-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2904-84-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2352-186-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\C694B\\AC432.exe"	9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2352-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2660-13-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2352-14-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2352-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2352-80-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2904-84-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2352-186-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe

description	pid	process	target process
PID 2352 wrote to memory of 2660	2352	9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe	9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe
PID 2352 wrote to memory of 2660	2352	9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe	9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe
PID 2352 wrote to memory of 2660	2352	9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe	9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe
PID 2352 wrote to memory of 2660	2352	9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe	9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe
PID 2352 wrote to memory of 2904	2352	9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe	9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe
PID 2352 wrote to memory of 2904	2352	9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe	9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe
PID 2352 wrote to memory of 2904	2352	9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe	9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe
PID 2352 wrote to memory of 2904	2352	9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe	9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe startC:\Program Files (x86)\LP\32FC\5C6.exe%C:\Program Files (x86)\LP\32FC
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2660
- C:\Users\Admin\AppData\Local\Temp\9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\9353e6c6dc1502faf3666f695e703198_JaffaCakes118.exe startC:\Program Files (x86)\4BE4A\lvvm.exe%C:\Program Files (x86)\4BE4A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C694B\BE4A.694

Filesize
1KB

MD5
76e91a61a4c6c6a07c38f3bbe705c870

SHA1
f7d67a5b919ff8c6d3c5932bf06690357cca9864

SHA256
6822b98cc6b18eea7b54aa71abce9524069601f0c262783f4c777772471a68d9

SHA512
a25bcbe795bfcb47474b7e9fa6bb73386ce64830ff00258a175c8ac634bc7469af13710e71999e1e5fab81a0ce813c40b9079a6b34780fc33f7dc70becfdd01b

Download Submit
C:\Users\Admin\AppData\Roaming\C694B\BE4A.694

Filesize
600B

MD5
c30f4fb8ec82cde1fe274ff812c91293

SHA1
bc650e7b7e2d6365148870156602c6ac8aea4891

SHA256
63a29d78dfec1bbc5248e22b89ce00c4742106c33f414475f65cbe27f2613abc

SHA512
e349f9af3336de8b83bb39fbebd26eba8dd22ac685566841a30ff4cf67d36693d3c59009594ebb7b70d5e35e10f6eb0d47121e1471f2906143bba76fab18d1ae

Download Submit
C:\Users\Admin\AppData\Roaming\C694B\BE4A.694

Filesize
996B

MD5
fbee11d4d8459158bfb984869819e00e

SHA1
e3f57d10bc16a7dd57a5bb4f23f5400ff401b938

SHA256
6a71949f5035bfc2f3b8cb0fef2110f153f75030e14e748b36740db3358f033f

SHA512
42f67e64e86c2f03e75c686b3da98e3a719c90f4424e4bf486cb064ba6083a6e91014c900e9e3507e71c2b322735380812ff600e2b9db8ecce3279d6360f06fc

Download Submit
memory/2352-14-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2352-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2352-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2352-80-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2352-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2352-186-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2660-13-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2904-82-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2904-84-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2904-152-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads