cycbot | b8a7c9201986ee0c05e2aad5990fd9e67ad13ad5fff5f98c2da56a58f7a3da9c

General

Target

a14911add72f95c53d4814ac443f3b38_JaffaCakes118.exe
Size

200KB
MD5

a14911add72f95c53d4814ac443f3b38
SHA1

501eecafa76aa9a7c7fc4ea604e4ad430ee2ee47
SHA256

b8a7c9201986ee0c05e2aad5990fd9e67ad13ad5fff5f98c2da56a58f7a3da9c
SHA512

36fa22674721f7aea1eb36c60d6c6a7bef6834a995ea633d2c37d5b8ee66fc4e00eec577598de69a750836b3b8e0d143ce605f1e3b6a95cda75d001abd45d1b4
SSDEEP

3072:OZwK9XqMLkioXUCFGBeXFenWZF7h0oIluj397rkmsOnzLQIOT106eK2:OZ3qA/oCegiFuoIlujZkmsiHQIIuPt

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1912-9-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1924-21-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/3068-94-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1924-95-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1924-199-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	a14911add72f95c53d4814ac443f3b38_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1924-2-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1912-9-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1912-8-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1924-21-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/3068-92-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/3068-94-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1924-95-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1924-199-0x0000000000400000-0x000000000046C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a14911add72f95c53d4814ac443f3b38_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a14911add72f95c53d4814ac443f3b38_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a14911add72f95c53d4814ac443f3b38_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 1912	1924	a14911add72f95c53d4814ac443f3b38_JaffaCakes118.exe	30
PID 1924 wrote to memory of 1912	1924	a14911add72f95c53d4814ac443f3b38_JaffaCakes118.exe	30
PID 1924 wrote to memory of 1912	1924	a14911add72f95c53d4814ac443f3b38_JaffaCakes118.exe	30
PID 1924 wrote to memory of 1912	1924	a14911add72f95c53d4814ac443f3b38_JaffaCakes118.exe	30
PID 1924 wrote to memory of 3068	1924	a14911add72f95c53d4814ac443f3b38_JaffaCakes118.exe	33
PID 1924 wrote to memory of 3068	1924	a14911add72f95c53d4814ac443f3b38_JaffaCakes118.exe	33
PID 1924 wrote to memory of 3068	1924	a14911add72f95c53d4814ac443f3b38_JaffaCakes118.exe	33
PID 1924 wrote to memory of 3068	1924	a14911add72f95c53d4814ac443f3b38_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\a14911add72f95c53d4814ac443f3b38_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a14911add72f95c53d4814ac443f3b38_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\a14911add72f95c53d4814ac443f3b38_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\a14911add72f95c53d4814ac443f3b38_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1912
- C:\Users\Admin\AppData\Local\Temp\a14911add72f95c53d4814ac443f3b38_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\a14911add72f95c53d4814ac443f3b38_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\087A.F06

Filesize
597B

MD5
6b1f2534d2ac826ba6f9008eadeb2ce6

SHA1
76e53dc94b1ce57244cc7a00697afef18af2777e

SHA256
34d768be26d5fa4b8e3c90b8b26c38e5e51d0305c01a683a01efe8b3e54fa434

SHA512
d7eb483d8bdf136f79f431263757b58e1e3a5e6bda2bb32ced82a3958ae8f5800c4289ec646d3a323365896e67fc513e1bf18964f79d1f4b14758a08447a4c08

Download Submit
C:\Users\Admin\AppData\Roaming\087A.F06

Filesize
2KB

MD5
cb7c6066cac08562fd744757591d094c

SHA1
99b7687ef36c9bb6e7ab97730144938b82f868c7

SHA256
eb1ce93f312af17cdda9ff6d29d21811e49a906e87995cd3a69d0dba95b141e4

SHA512
54ab474fd8859a3f19951316bac96fe8bb829fc2176d57a5054d3ca3876d00acf1a8bd0e5c0897540987bb18331844126b930a0418bf4f7a747ab5a904cb07ac

Download Submit
C:\Users\Admin\AppData\Roaming\087A.F06

Filesize
897B

MD5
5f229ca13985e05ffefa22c521c4a7ac

SHA1
bec072f0e9bbc2ccd36db8f7eb49297776dc8673

SHA256
bfcc9d36c357301302761a9e64791768113f4050a5fca3655e7b8bcc3130856f

SHA512
46fb694fca312c23c8111e22cb5c3e56c48e99f21ec7d6ce29078117450658624a4d97fa200aec993a4e198ed9b1ae09cf9fe5cd22fbe58609b303bcff12a802

Download Submit
C:\Users\Admin\AppData\Roaming\087A.F06

Filesize
1KB

MD5
2bd64f99b8f39d2683fbb0d29e5974c6

SHA1
1cc999b3220717541fabcc4df28245e293ef6edc

SHA256
52682d492aa0cad49290ea4148bdd247dc13ca4ecd22c3d6bd4c43abf67d312e

SHA512
de3947229ebbc93ba0f0ed8dd2612473902cf7a2922a479c678872bbfd8ba7584a35debee5dfff5a466cb4d89025773a3d5fce6a207c70c071d90014f5976112

Download Submit
C:\Users\Admin\AppData\Roaming\087A.F06

Filesize
1KB

MD5
5cf613f98111de1cba4954e3b0accc89

SHA1
d1961bbc9c1eeafe0d37bccac433093637be3d89

SHA256
b54af03f876fd0fbc6dcf25597dd08d2d0c73ce4b17f811dc710e59880cb91cc

SHA512
e53c477c911a173393d59dd9386f5bd4e54fb98ccf360fcf436a20b54042a0014122fe82597cf6fd06daabbf106e2318681dcf6540e61e329a52f609ae9398c8

Download Submit
memory/1912-8-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1912-9-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1924-21-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1924-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1924-95-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1924-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1924-199-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3068-92-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3068-94-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads