cycbot | a2dad09c0ac6cc2e6cc570b25666b102db4f29013895aed5855b34cc12dd1375

General

Target

c37258219d57d97b495db272a7c303ad_JaffaCakes118.exe
Size

183KB
MD5

c37258219d57d97b495db272a7c303ad
SHA1

32a6b1f687a55a127a02dbab0966fcc833adff33
SHA256

a2dad09c0ac6cc2e6cc570b25666b102db4f29013895aed5855b34cc12dd1375
SHA512

ec59e9c2426484da73274c640466ed0356c12885d22a0968142790c97238a1651b9a40c829d045d27c0db8ed4bd0831540fa66347a9778b2568fabd743e8a80f
SSDEEP

3072:zYyuXQyRVQSmbvwM/3nQ5cQbB+urBu3gz0i6oKtN7Ks2Hok59HRmIfhtBv/XRRvq:ZESSOwEXQ+QXuwzB6ogJKPrJfhvPRxzG

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2848-16-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/3068-17-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/3068-18-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/2908-138-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/3068-139-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/3068-293-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\92728\\4FA46.exe"	c37258219d57d97b495db272a7c303ad_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3068-3-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2848-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2848-16-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/3068-17-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/3068-18-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2908-136-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2908-138-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/3068-139-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/3068-293-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c37258219d57d97b495db272a7c303ad_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c37258219d57d97b495db272a7c303ad_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c37258219d57d97b495db272a7c303ad_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2848	3068	c37258219d57d97b495db272a7c303ad_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2848	3068	c37258219d57d97b495db272a7c303ad_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2848	3068	c37258219d57d97b495db272a7c303ad_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2848	3068	c37258219d57d97b495db272a7c303ad_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2908	3068	c37258219d57d97b495db272a7c303ad_JaffaCakes118.exe	32
PID 3068 wrote to memory of 2908	3068	c37258219d57d97b495db272a7c303ad_JaffaCakes118.exe	32
PID 3068 wrote to memory of 2908	3068	c37258219d57d97b495db272a7c303ad_JaffaCakes118.exe	32
PID 3068 wrote to memory of 2908	3068	c37258219d57d97b495db272a7c303ad_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\c37258219d57d97b495db272a7c303ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c37258219d57d97b495db272a7c303ad_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\c37258219d57d97b495db272a7c303ad_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\c37258219d57d97b495db272a7c303ad_JaffaCakes118.exe startC:\Program Files (x86)\LP\4679\9FB.exe%C:\Program Files (x86)\LP\4679
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2848
- C:\Users\Admin\AppData\Local\Temp\c37258219d57d97b495db272a7c303ad_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\c37258219d57d97b495db272a7c303ad_JaffaCakes118.exe startC:\Program Files (x86)\28DAD\lvvm.exe%C:\Program Files (x86)\28DAD
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\92728\8DAD.272

Filesize
600B

MD5
976566111b0bbd0a178430bee2f451df

SHA1
3ea0bc6e9ca95b65eee7875f4e7b06d23d75d52b

SHA256
884a61321cec0a2cd7aaf1e8b4a61c762c3b4c226c0e4cd08592f8044cc09a2a

SHA512
5463883cfb7d89c3730b77353727dd76dbdf4bdeb00b70626a8380adb4b474c1fe3955b0fc615add9dddcb27d0abb92c98029c4cb117832ec5afe38a71f00684

Download Submit
C:\Users\Admin\AppData\Roaming\92728\8DAD.272

Filesize
996B

MD5
4689710b7c75d543927d8ee5103bb861

SHA1
fbc3353555d914cd46c84b1434e951e7a0c7de18

SHA256
69ae19e086d9357799cda641ce485f0af4e7ec729ba4aa74ad62eeb593ec5fa5

SHA512
6b30a2973e6c64462905cfc5e0f9229c9cc1870491481a80a78da24763214a0d302b732ae1ce3ea62ad86f500987a9bd488e8ed1be49ffc5618f61c7816c9398

Download Submit
C:\Users\Admin\AppData\Roaming\92728\8DAD.272

Filesize
1KB

MD5
2b84bf971115dedcbc0fb1c7a34dcfe9

SHA1
276275460ec4b7e0fbe9da57fd2452e4646337f2

SHA256
f5cf3021596472d3d695860cf9c147227370c70f9e94220a22d540f4f05a7444

SHA512
d86058a7ca48e0dc212455f10b70dacc678d2be7c469555275fb03da5852efd92d58502ba5ba4fb62324e02d96a590aca32b98785f4beb4f68f716ffe6db04fc

Download Submit
memory/2848-16-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2848-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2908-138-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2908-136-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3068-17-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3068-18-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3068-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3068-139-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3068-3-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3068-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3068-293-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads