cycbot | bd401ead48f51850e609c016fe7d5b6a30da3fe0912233aacb4de564aeff3c55

General

Target

cef48e5641250c596ce7d6e11d26b8f7_JaffaCakes118.exe
Size

185KB
MD5

cef48e5641250c596ce7d6e11d26b8f7
SHA1

7e0b96f17fd0cf008fb8e1b7e3ecc8ddaff4d499
SHA256

bd401ead48f51850e609c016fe7d5b6a30da3fe0912233aacb4de564aeff3c55
SHA512

7e2435cdd81bf63800b8772e55194e35eff2819242d0d6d1195c3ab8e5a76c3bf7876dfbe0968c329ab6734c799cf056f6f4f9b944a1db41e6d563abe8cc8445
SSDEEP

3072:60eAvneRSCsLuHuhwBou1RcBeBoulQHwtdsEY0ecXQNVtNvUEk/AG0LU7Zs9:ZHeRS/LuHHFRKstoW6BcXQNVPUD/GU

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2328-8-0x0000000000400000-0x0000000000466000-memory.dmp	family_cycbot
behavioral1/memory/2508-15-0x0000000000400000-0x0000000000466000-memory.dmp	family_cycbot
behavioral1/memory/2228-83-0x0000000000400000-0x0000000000466000-memory.dmp	family_cycbot
behavioral1/memory/2508-84-0x0000000000400000-0x0000000000466000-memory.dmp	family_cycbot
behavioral1/memory/2508-173-0x0000000000400000-0x0000000000466000-memory.dmp	family_cycbot
behavioral1/memory/2508-206-0x0000000000400000-0x0000000000466000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	cef48e5641250c596ce7d6e11d26b8f7_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2508-2-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2328-8-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2508-15-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2228-82-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2228-83-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2508-84-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2508-173-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2508-206-0x0000000000400000-0x0000000000466000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cef48e5641250c596ce7d6e11d26b8f7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cef48e5641250c596ce7d6e11d26b8f7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cef48e5641250c596ce7d6e11d26b8f7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2328	2508	cef48e5641250c596ce7d6e11d26b8f7_JaffaCakes118.exe	30
PID 2508 wrote to memory of 2328	2508	cef48e5641250c596ce7d6e11d26b8f7_JaffaCakes118.exe	30
PID 2508 wrote to memory of 2328	2508	cef48e5641250c596ce7d6e11d26b8f7_JaffaCakes118.exe	30
PID 2508 wrote to memory of 2328	2508	cef48e5641250c596ce7d6e11d26b8f7_JaffaCakes118.exe	30
PID 2508 wrote to memory of 2228	2508	cef48e5641250c596ce7d6e11d26b8f7_JaffaCakes118.exe	33
PID 2508 wrote to memory of 2228	2508	cef48e5641250c596ce7d6e11d26b8f7_JaffaCakes118.exe	33
PID 2508 wrote to memory of 2228	2508	cef48e5641250c596ce7d6e11d26b8f7_JaffaCakes118.exe	33
PID 2508 wrote to memory of 2228	2508	cef48e5641250c596ce7d6e11d26b8f7_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\cef48e5641250c596ce7d6e11d26b8f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cef48e5641250c596ce7d6e11d26b8f7_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Local\Temp\cef48e5641250c596ce7d6e11d26b8f7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\cef48e5641250c596ce7d6e11d26b8f7_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2328
- C:\Users\Admin\AppData\Local\Temp\cef48e5641250c596ce7d6e11d26b8f7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\cef48e5641250c596ce7d6e11d26b8f7_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3841.842

Filesize
1KB

MD5
47dd2c3f37f0e66a1f46f992a604084d

SHA1
f2b090fb672902c8de3af171330fb701135107f3

SHA256
de2c6fdd3dc7336f060100170762751fb5dfb64ef3394f37eef3a84164ab507f

SHA512
9553a4f9ff3e97640bf6f3518db273f2c82d24baa22361e322af8d87db8272ce15a5f621092fc2d4d94bb17a0e32e4673c7f12802299a4e7ab98eb8c82159185

Download Submit
C:\Users\Admin\AppData\Roaming\3841.842

Filesize
600B

MD5
12d2e6572bd99cb34398f3f8f917f000

SHA1
78b2cb27283485ed763d112540ffcd3775b8653f

SHA256
62be3c31cceac20549c309e701fcba2ad3bc5b09c8531c16b40453e097fb6a7f

SHA512
869d409af26a2b5c62deb43af9e5ccfc3e5ab1bc44abcfb8dc87408f6cb41fe3124e1851dd8930700e79ca9597aaa5d0b4343b3a6fe86cfcf51e438b1d4b9c1c

Download Submit
C:\Users\Admin\AppData\Roaming\3841.842

Filesize
996B

MD5
67d331b0c1ca99857a854c2fe3b05590

SHA1
f110656866a466d990a7165c9a8eb3f82b5c107c

SHA256
7fbe974fd08a12997ccbc5e3f85abb8377d88471eddaf5f666c6c785262f0946

SHA512
aa884ffacdac6a5a14fa0afb079fea3df78361c03a38756fb9a75e24e8d3f49f97db6c41d8893e2dab186c8391008fefcf6df5dc307a91663e75de949c1708ee

Download Submit
memory/2228-83-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2228-82-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2328-8-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2328-7-0x00000000005E6000-0x0000000000610000-memory.dmp

Filesize
168KB

Download
memory/2328-5-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2508-15-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2508-1-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2508-84-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2508-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2508-173-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2508-206-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads