cycbot | bcb2a6293c2aa639c50e58ba28f1c6662beda06a1396f945b4202619307bf274

General

Target

94a62ff0c9785ef35693683cc34779d5_JaffaCakes118.exe
Size

163KB
MD5

94a62ff0c9785ef35693683cc34779d5
SHA1

aaefeb295337a86d1190bdb7eaa12d769bcb3020
SHA256

bcb2a6293c2aa639c50e58ba28f1c6662beda06a1396f945b4202619307bf274
SHA512

34cddab1255c3341a487d9910ed2fe5c70964a9c97da0da8eb57857f3409e8eef6567cad6c03ed6249dd0cc531432dec4902c2b24c5ddda2f94e21a842e432c2
SSDEEP

3072:CgR9Vjfy6pdySxR9gbHhtGNlz0y5qj3wakjlLQBr8nhnH22KaYO4FHxqNmb9:Cg1yt2700OBAnhnH2xaYO43Qmb

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

Processes:

resource	yara_rule
behavioral1/memory/2680-8-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2796-16-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2796-75-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/664-77-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2796-187-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

94a62ff0c9785ef35693683cc34779d5_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	94a62ff0c9785ef35693683cc34779d5_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2796-2-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2680-5-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2680-6-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2680-8-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2796-16-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2796-75-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/664-77-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2796-187-0x0000000000400000-0x000000000048A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

94a62ff0c9785ef35693683cc34779d5_JaffaCakes118.exe94a62ff0c9785ef35693683cc34779d5_JaffaCakes118.exe94a62ff0c9785ef35693683cc34779d5_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94a62ff0c9785ef35693683cc34779d5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94a62ff0c9785ef35693683cc34779d5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94a62ff0c9785ef35693683cc34779d5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

94a62ff0c9785ef35693683cc34779d5_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2796 wrote to memory of 2680	2796	94a62ff0c9785ef35693683cc34779d5_JaffaCakes118.exe	31
PID 2796 wrote to memory of 2680	2796	94a62ff0c9785ef35693683cc34779d5_JaffaCakes118.exe	31
PID 2796 wrote to memory of 2680	2796	94a62ff0c9785ef35693683cc34779d5_JaffaCakes118.exe	31
PID 2796 wrote to memory of 2680	2796	94a62ff0c9785ef35693683cc34779d5_JaffaCakes118.exe	31
PID 2796 wrote to memory of 664	2796	94a62ff0c9785ef35693683cc34779d5_JaffaCakes118.exe	33
PID 2796 wrote to memory of 664	2796	94a62ff0c9785ef35693683cc34779d5_JaffaCakes118.exe	33
PID 2796 wrote to memory of 664	2796	94a62ff0c9785ef35693683cc34779d5_JaffaCakes118.exe	33
PID 2796 wrote to memory of 664	2796	94a62ff0c9785ef35693683cc34779d5_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\94a62ff0c9785ef35693683cc34779d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\94a62ff0c9785ef35693683cc34779d5_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Local\Temp\94a62ff0c9785ef35693683cc34779d5_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\94a62ff0c9785ef35693683cc34779d5_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2680
- C:\Users\Admin\AppData\Local\Temp\94a62ff0c9785ef35693683cc34779d5_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\94a62ff0c9785ef35693683cc34779d5_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\636E.FC6

Filesize
1KB

MD5
293bcdc1e67f3739619a32f6bc4ca21f

SHA1
1d0f562cbca8793436750e23edcfafdb6646ac0c

SHA256
3eb474ef34bf3ba053e79b50dac4b9d1cf704f721f0146a832e2f0f51b9c8885

SHA512
ac393f06de98bd02a80bafe8ead0792b9e185f36bc554559be9b45d8cbd34033590886fa7bea525462b223aa3809ca7b00bbbc409d1da077b2c75311918b4f14

Download Submit
C:\Users\Admin\AppData\Roaming\636E.FC6

Filesize
600B

MD5
effa22fa2488df797ddab7b86669af08

SHA1
983154a57488d68096a7f49520a729d0f999ad40

SHA256
fdcb3b86de88270d67c18bbcf6775119a773a9bf2adf2d83ce24e1978e2487f7

SHA512
af51b7ef441a714f5bde4cb70f83e3c9ce2fe149cc57b1296f55f8ebfc4072dbb7a643bf9cdc6d9e149572f84da1c413656ad7b523c709b4ed802f7f695351a4

Download Submit
C:\Users\Admin\AppData\Roaming\636E.FC6

Filesize
996B

MD5
d6c23c81a05a984b2791a00d0329f3f0

SHA1
52d65a1c6fdd293c6090e77825df61456bf6698f

SHA256
4b08d9dc0d26dd1df15c213955b7f805ae911639f5c1a4fdec908118f75a4304

SHA512
df69b58ffe3a6be3618578ae3d1db9c57c66217472694ff1d9c0eca842faf72b6afc1e90f49ffb33d03fef3e9cf8243a988714b458c09a3fc505ffea36344228

Download Submit
memory/664-77-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2680-5-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2680-6-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2680-8-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2796-1-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2796-2-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2796-16-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2796-75-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2796-187-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads