cycbot | b6532ec8c314859c9b4b7b2ebf4cd9574276ab79f6f9b70635f229964727beae

General

Target

9e2b82bfb34506f2be27dc72e60d1ada_JaffaCakes118.exe
Size

205KB
MD5

9e2b82bfb34506f2be27dc72e60d1ada
SHA1

2055f19fb876fa65f9afefa1c01a98dde3e6854f
SHA256

b6532ec8c314859c9b4b7b2ebf4cd9574276ab79f6f9b70635f229964727beae
SHA512

ccd51b6a483bc71cd92a5dc31d5c47e0e93e0ba3ed096840da72f34490dc75163992e123bc03e9da54acce4af5d4f47d51434388b3dac5630614a2350ab2abf1
SSDEEP

3072:o+LFiZXOV52w1Q6I+SplvsS+FN4w7x9x9lJ8viHRjzXyY6yhE1xOqjKz9Pj9gEyo:o+LAk72P+SPrU9DXqWxE+qgb

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2556-14-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/3012-15-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/1144-78-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/3012-74-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/3012-191-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/3012-194-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	9e2b82bfb34506f2be27dc72e60d1ada_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3012-2-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2556-14-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/3012-15-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1144-76-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1144-78-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/3012-74-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/3012-191-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/3012-194-0x0000000000400000-0x000000000048A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e2b82bfb34506f2be27dc72e60d1ada_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e2b82bfb34506f2be27dc72e60d1ada_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e2b82bfb34506f2be27dc72e60d1ada_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2556	3012	9e2b82bfb34506f2be27dc72e60d1ada_JaffaCakes118.exe	30
PID 3012 wrote to memory of 2556	3012	9e2b82bfb34506f2be27dc72e60d1ada_JaffaCakes118.exe	30
PID 3012 wrote to memory of 2556	3012	9e2b82bfb34506f2be27dc72e60d1ada_JaffaCakes118.exe	30
PID 3012 wrote to memory of 2556	3012	9e2b82bfb34506f2be27dc72e60d1ada_JaffaCakes118.exe	30
PID 3012 wrote to memory of 1144	3012	9e2b82bfb34506f2be27dc72e60d1ada_JaffaCakes118.exe	33
PID 3012 wrote to memory of 1144	3012	9e2b82bfb34506f2be27dc72e60d1ada_JaffaCakes118.exe	33
PID 3012 wrote to memory of 1144	3012	9e2b82bfb34506f2be27dc72e60d1ada_JaffaCakes118.exe	33
PID 3012 wrote to memory of 1144	3012	9e2b82bfb34506f2be27dc72e60d1ada_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\9e2b82bfb34506f2be27dc72e60d1ada_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9e2b82bfb34506f2be27dc72e60d1ada_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\9e2b82bfb34506f2be27dc72e60d1ada_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\9e2b82bfb34506f2be27dc72e60d1ada_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2556
- C:\Users\Admin\AppData\Local\Temp\9e2b82bfb34506f2be27dc72e60d1ada_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\9e2b82bfb34506f2be27dc72e60d1ada_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E654.72D

Filesize
1KB

MD5
b06afe07ee074588b8c38a724f600796

SHA1
039265122f0878898c20b4a00e36c01773fb417e

SHA256
7ee8cfe6e65e6a210c64ed7acec7a9c741e5ac748d7d98ae1dfc115dd5afe50d

SHA512
16448288e8ecfd61b0aedd5922754b6ca1297f9a05e8eb35cd0516eb2dd77f23a648238c5ab27136289d8e6832779a6adb3dc17a1c54a9e4170bb31383ac9b45

Download Submit
C:\Users\Admin\AppData\Roaming\E654.72D

Filesize
600B

MD5
916d2308c2f540a8cff7dc8be35ec67c

SHA1
505e99ba1166cda783ab682b35137c754aae160a

SHA256
2877ac74e065e62e9411b2ddb85b19c47c8460f2804484dd037e22092662c336

SHA512
93540667a1cb885a7a1641fb2d64f0504774eb2c2d1022c965071ef19566014ab862343cfa5fce3dbe0a51f865203246c7b90156d33d60764118c363af3dc20d

Download Submit
C:\Users\Admin\AppData\Roaming\E654.72D

Filesize
996B

MD5
301d84ba99a85f43a51bc8c50d4ebbe9

SHA1
fdae4dc9727ebb7c8a4bbfe954e30094fb281d8d

SHA256
944c73bd9b2141a2262d97e66b184d7151f7c90cd7733ed233c63b0b1485bba8

SHA512
afc84b9be61e1f15105e2f36bc513c47bd1d4b1fa84d8f8d172027f3e0a522bba2e2de5edb581ff22e86e4f4788bdf4fd430ec0b06b1c7bf740c885cce495001

Download Submit
memory/1144-76-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1144-78-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2556-9-0x00000000005E9000-0x0000000000607000-memory.dmp

Filesize
120KB

Download
memory/2556-14-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3012-15-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3012-1-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3012-74-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3012-2-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3012-191-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3012-194-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads