cycbot | ba160b763aa4bc21b25bfe37e54bdc53d4171bafa066938577f927d6d1184563

General

Target

95db19e4507d87826db7c17b9083ded3_JaffaCakes118.exe
Size

188KB
MD5

95db19e4507d87826db7c17b9083ded3
SHA1

b218e1ab8731986e4bace6b4bd60f5ad72147225
SHA256

ba160b763aa4bc21b25bfe37e54bdc53d4171bafa066938577f927d6d1184563
SHA512

2e988001d92159b6c5c29cc63e0dca828cdb451f8c116d7319964b7ffdd018f71b5e7e7f0f2199db89d5385950289706331f1a6151ef1976ea0579add57c2087
SSDEEP

3072:iCe3iDPxx4arrupqMg+DIrE6lS0BxTstrdXQR6f4azdJhmzvC7tXp:M3iDPf4aXupqM2s0OhXKHaz4CxX

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

Processes:

resource	yara_rule
behavioral1/memory/2648-7-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/3016-14-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2600-70-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2600-72-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/3016-73-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/3016-152-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/3016-185-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

95db19e4507d87826db7c17b9083ded3_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	95db19e4507d87826db7c17b9083ded3_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3016-3-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2648-6-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2648-5-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2648-7-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/3016-14-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2600-70-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2600-72-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/3016-73-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/3016-152-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/3016-185-0x0000000000400000-0x000000000048A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

95db19e4507d87826db7c17b9083ded3_JaffaCakes118.exe95db19e4507d87826db7c17b9083ded3_JaffaCakes118.exe95db19e4507d87826db7c17b9083ded3_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95db19e4507d87826db7c17b9083ded3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95db19e4507d87826db7c17b9083ded3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95db19e4507d87826db7c17b9083ded3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

95db19e4507d87826db7c17b9083ded3_JaffaCakes118.exe

description	pid	Process	procid_target
PID 3016 wrote to memory of 2648	3016	95db19e4507d87826db7c17b9083ded3_JaffaCakes118.exe	31
PID 3016 wrote to memory of 2648	3016	95db19e4507d87826db7c17b9083ded3_JaffaCakes118.exe	31
PID 3016 wrote to memory of 2648	3016	95db19e4507d87826db7c17b9083ded3_JaffaCakes118.exe	31
PID 3016 wrote to memory of 2648	3016	95db19e4507d87826db7c17b9083ded3_JaffaCakes118.exe	31
PID 3016 wrote to memory of 2600	3016	95db19e4507d87826db7c17b9083ded3_JaffaCakes118.exe	33
PID 3016 wrote to memory of 2600	3016	95db19e4507d87826db7c17b9083ded3_JaffaCakes118.exe	33
PID 3016 wrote to memory of 2600	3016	95db19e4507d87826db7c17b9083ded3_JaffaCakes118.exe	33
PID 3016 wrote to memory of 2600	3016	95db19e4507d87826db7c17b9083ded3_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\95db19e4507d87826db7c17b9083ded3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95db19e4507d87826db7c17b9083ded3_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\95db19e4507d87826db7c17b9083ded3_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\95db19e4507d87826db7c17b9083ded3_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2648
- C:\Users\Admin\AppData\Local\Temp\95db19e4507d87826db7c17b9083ded3_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\95db19e4507d87826db7c17b9083ded3_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\8BA7.CB6

Filesize
1KB

MD5
4868fce0de1199d41862a3adc1d6eef0

SHA1
0bae4601ce2bd4583769c0c9eec4bb245952fd50

SHA256
8e1103f9fd03fabf16d58ea5cf100258c6b783393c07c123b54c60897153345d

SHA512
6e67db3639aa7c8be3d2d8c7049314bfdfc8d5cb1b52eec4ae2ed73892108ea46e70712e2c5604983cb174959ba66660df02aa90a525ccb0ff5a34a794c41048

Download Submit
C:\Users\Admin\AppData\Roaming\8BA7.CB6

Filesize
600B

MD5
4cb03c9ce798c0739bd01ae26be09abe

SHA1
eb3ad3e38cd13f4fca0f9d1611b1243e06250d93

SHA256
cf1fb80341a66a25ccbd9a5305347ef188c09bceb253822a901e902e44503439

SHA512
6b808973a653ec1bf5afedfba7c98bb676d78c705d3e3463dcae30fd197c40208eabcb5379f687a91e549a0272a5c1408e1adc5b42edec6da377bdc6af266906

Download Submit
C:\Users\Admin\AppData\Roaming\8BA7.CB6

Filesize
996B

MD5
1f5770f27defbd03207a94a2f51fda3e

SHA1
cc45d47146a52ccc3c343bb4b69a75e56d73f684

SHA256
37381ace09d0c26788efd95765b0a442574a009666eeeba3d4ea6ebf490dab45

SHA512
f97b973de234d81c1d35d2f656626df2533b42a34b4c3acc54eb19248dd529aef86011ea966729ab3a20a6bab41231333a8b4d6378e73ead00fd4f0e71c2992b

Download Submit
memory/2600-72-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2600-70-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2648-5-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2648-7-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2648-6-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3016-14-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3016-1-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3016-73-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3016-3-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3016-152-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3016-185-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads