cycbot | c9e8a9c1d15153168c3e22f04cae35cb2f57bc3a1c7b28416f68f146a6997c46

General

Target

c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe
Size

193KB
MD5

c8509dbdf5cc70ffdc451efbe6f1328c
SHA1

8da22f9403e5fa6c1db34d60785b6850259f1958
SHA256

c9e8a9c1d15153168c3e22f04cae35cb2f57bc3a1c7b28416f68f146a6997c46
SHA512

4c11358d749a1289d59dc13b401e0310fc1d724309ce20fcf26b68648a851fe3a4d8010da16e9173297ab8e5e0c2bb4457e16a7c10db3c1310dfb3b50ceb6d16
SSDEEP

6144:kQGlhY0BAc0AIO24Dg2z22jJRK1PWJZ8GQ:9EhYU0ANDg2z22jJRuSmGQ

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2808-8-0x0000000000400000-0x000000000048B000-memory.dmp	family_cycbot
behavioral1/memory/2680-16-0x0000000000400000-0x000000000048B000-memory.dmp	family_cycbot
behavioral1/memory/568-85-0x0000000000400000-0x000000000048B000-memory.dmp	family_cycbot
behavioral1/memory/2680-86-0x0000000000400000-0x000000000048B000-memory.dmp	family_cycbot
behavioral1/memory/2680-188-0x0000000000400000-0x000000000048B000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2680-2-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2808-5-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2808-8-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2808-7-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2680-16-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/568-83-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/568-85-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2680-86-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2680-188-0x0000000000400000-0x000000000048B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2808	2680	c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2808	2680	c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2808	2680	c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2808	2680	c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe	30
PID 2680 wrote to memory of 568	2680	c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe	32
PID 2680 wrote to memory of 568	2680	c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe	32
PID 2680 wrote to memory of 568	2680	c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe	32
PID 2680 wrote to memory of 568	2680	c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2808
- C:\Users\Admin\AppData\Local\Temp\c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\c8509dbdf5cc70ffdc451efbe6f1328c_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\86D5.022

Filesize
600B

MD5
f5f1444b82c3b9f3d133cb5571132b29

SHA1
bd0a1fa8cafe5086cbaecd547f18aab6d53d5426

SHA256
afbc700a1347775f671ddf962d420cc6ccdfb53f9aee5a03ba26d840d8dcb425

SHA512
46ea91b48835812f0febfa907c4d7ba60209a2609745a4d2f0c338db396a4dfad831c92b89f04241988b5ae68cea62cc611cc1abbd2096a6f010c4fb81ac6784

Download Submit
C:\Users\Admin\AppData\Roaming\86D5.022

Filesize
1KB

MD5
b93bf8d52543956ca79a674163815537

SHA1
ae721090ba60240b002291fe7db5ccea92ad67ff

SHA256
29c3cb081a6bdbdb4195dee1f89a6b077032ce630261bcfb49fc210e72655433

SHA512
be35f9567aa1723927ce38b13a2332ec7f67fd497f6edb0c45993c8d5262cbfa31246a7e244a154b7927f48aac8c4f0ebd810ef55a8302698ff195c657e75127

Download Submit
C:\Users\Admin\AppData\Roaming\86D5.022

Filesize
996B

MD5
d530dcc899be4329f1c1cd15d082de5e

SHA1
902a087446b034a1ad86169504cab6e81033165c

SHA256
47eb577739d3eb61bf95858a74a511312cf8a8e2c4e38c4475aaf85c6162ad33

SHA512
059323848e26f03bf852b3891fce471431f809a9378c33e43f66cc22b07d78bb11bca6c0fc474b6215984c06a82f89f2a85d0a77e2d581e6309c59a66d9f3f6e

Download Submit
memory/568-85-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/568-83-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2680-16-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2680-1-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2680-86-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2680-2-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2680-188-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2808-7-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2808-8-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2808-5-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads