cycbot | 6a0d601e55b46612b8546d30cfd80c44f0675d893cfed0354d32e2afdc7a63e7

General

Target

96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe
Size

182KB
MD5

96bc87bc5f3807792f79c5a0fbb41b85
SHA1

5c3c09510a80d21c0ef08c2b3cc84c8d528903ba
SHA256

6a0d601e55b46612b8546d30cfd80c44f0675d893cfed0354d32e2afdc7a63e7
SHA512

06dc209e50bccb1a8fe8bb5e73eb259ccae843123df0ba2ca25c47bbb21d6f252ca14efb4c8ff8654ca7204aba954069fe5f48f5b1c1b4cd6d6e7d52ca218c55
SSDEEP

3072:eUU79HJYvHmaBH4Q78W2+2Nw95diJqTzlEILce2TZ/QOheHkrAjjwtwA6:DcFJ+HnuQ7x2TNBJuEyce2aO/rajOwA

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

Processes:

resource	yara_rule
behavioral1/memory/1668-15-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1668-13-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2376-16-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/772-76-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2376-77-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2376-153-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2376-2-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1668-15-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1668-13-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1668-12-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2376-16-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/772-76-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2376-77-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2376-153-0x0000000000400000-0x000000000046C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe

description	pid	process	target process
PID 2376 wrote to memory of 1668	2376	96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe	96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe
PID 2376 wrote to memory of 1668	2376	96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe	96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe
PID 2376 wrote to memory of 1668	2376	96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe	96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe
PID 2376 wrote to memory of 1668	2376	96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe	96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe
PID 2376 wrote to memory of 772	2376	96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe	96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe
PID 2376 wrote to memory of 772	2376	96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe	96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe
PID 2376 wrote to memory of 772	2376	96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe	96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe
PID 2376 wrote to memory of 772	2376	96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe	96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1668
- C:\Users\Admin\AppData\Local\Temp\96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\96bc87bc5f3807792f79c5a0fbb41b85_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2568.048

Filesize
1KB

MD5
ea0e63840ffb53168056019341669e1c

SHA1
d616bc6deb1255a0ae5f45de61beef1d709810b6

SHA256
f1d60280751f353c97052ea7fcf11dc15464a09d1bbe91d16fd0a1d293c16142

SHA512
253d0fe7264cf4720a03731aacde4274a005e9b1ad107b0c6e53d9ffd260a72cffb024a4366b2c3846d9896fe36b47d38cec837490a29e10ebb4664f572fb870

Download Submit
C:\Users\Admin\AppData\Roaming\2568.048

Filesize
600B

MD5
d211fba19ca48efc39362e9739cc9e3c

SHA1
e8304d9b663c431690fd099df670f97e30838ecc

SHA256
838d9206fabfa3e60314794c7ddade4f2af5bd20f5359882d01192381d0b50d7

SHA512
bb7c36c975253809fe86ed576013af7cdf37a58e076c1e19f65dbfbc0a87abea597dbff5e463f9acee6c2f8bec29976588521f8828abdfe9dc0e2c40ef1ee4d8

Download Submit
C:\Users\Admin\AppData\Roaming\2568.048

Filesize
996B

MD5
2b7fab2998562c9cc8779505bb98995b

SHA1
7d04539bc1b47a9a60ea44a58b6fd23113f8e03b

SHA256
32b90ee4acc400bb8c8792ccc52832436b3095b9f75814406d8364b82b13d197

SHA512
d08965db9abbc3cd5f825f8d8fdb127bb62887c20066f7c9ab12639d9fe5c358d5d106ba5ff34d35654544d19b2b70fae6a29181f0c9445530602ffebf6e269a

Download Submit
memory/772-76-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/772-74-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1668-13-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1668-12-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1668-15-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2376-16-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2376-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2376-77-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2376-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2376-153-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads