cycbot | b5196f1a6850fcb8e9cd53c781a5833aa6b8b6b94f63af4bd93404a83eb46f8a

General

Target

d3bc0aced11fcf63e0b6fe19a2aeaa2a_JaffaCakes118.exe
Size

180KB
MD5

d3bc0aced11fcf63e0b6fe19a2aeaa2a
SHA1

cd10a0bc51c3b511c8c2d60eb62e4a7e76f0a333
SHA256

b5196f1a6850fcb8e9cd53c781a5833aa6b8b6b94f63af4bd93404a83eb46f8a
SHA512

c1f012142785464ffe32545487a3c8f19e694229fe3578091a9b3ae9058913df7748031f756b09d750dc8cedaa290da3b6b62b033213acc871fab1ec89143e82
SSDEEP

3072:FqDztifjcS0sagmzaYvCtvd0u7a/VJo6EuzOfXJovuqt5T3l:F9jl0ZgOaYqtvKeAw6DOfJi7

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2724-10-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2724-8-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2076-15-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2184-85-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2076-156-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2076-197-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	d3bc0aced11fcf63e0b6fe19a2aeaa2a_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2076-2-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2076-1-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2724-10-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2724-8-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2076-15-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2184-83-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2184-85-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2076-156-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2076-197-0x0000000000400000-0x000000000048D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3bc0aced11fcf63e0b6fe19a2aeaa2a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3bc0aced11fcf63e0b6fe19a2aeaa2a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3bc0aced11fcf63e0b6fe19a2aeaa2a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2724	2076	d3bc0aced11fcf63e0b6fe19a2aeaa2a_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2724	2076	d3bc0aced11fcf63e0b6fe19a2aeaa2a_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2724	2076	d3bc0aced11fcf63e0b6fe19a2aeaa2a_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2724	2076	d3bc0aced11fcf63e0b6fe19a2aeaa2a_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2184	2076	d3bc0aced11fcf63e0b6fe19a2aeaa2a_JaffaCakes118.exe	32
PID 2076 wrote to memory of 2184	2076	d3bc0aced11fcf63e0b6fe19a2aeaa2a_JaffaCakes118.exe	32
PID 2076 wrote to memory of 2184	2076	d3bc0aced11fcf63e0b6fe19a2aeaa2a_JaffaCakes118.exe	32
PID 2076 wrote to memory of 2184	2076	d3bc0aced11fcf63e0b6fe19a2aeaa2a_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\d3bc0aced11fcf63e0b6fe19a2aeaa2a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d3bc0aced11fcf63e0b6fe19a2aeaa2a_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\d3bc0aced11fcf63e0b6fe19a2aeaa2a_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d3bc0aced11fcf63e0b6fe19a2aeaa2a_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2724
- C:\Users\Admin\AppData\Local\Temp\d3bc0aced11fcf63e0b6fe19a2aeaa2a_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d3bc0aced11fcf63e0b6fe19a2aeaa2a_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\8612.838

Filesize
1KB

MD5
9582652ed1395b002758793d624fe3fc

SHA1
075d7c72dd6d17d2fa5f9f80501dd45395568664

SHA256
981072d9ced590524f13d0c5e32238d8dfd1c4172ab9ce96390bdd64770c4048

SHA512
272731bc920397772e0e774dfdb09ebf4ab90661ef6075e5aa97d4ca5e0b40cad1f7b37cc27e1f16b5576c0e8b0fb48323f31465593baeb95a0b85cb48892b74

Download Submit
C:\Users\Admin\AppData\Roaming\8612.838

Filesize
600B

MD5
20f7913e392b1cbd2de552dd8fa51f80

SHA1
c109f9b06b37173ab9a003a3470741c39305deca

SHA256
859cbb0c322e9003f0f3898ab69ce13d5d53839c8d503032ec2e59842cd970fd

SHA512
4a73069ea2ab9becd20d26242504b941f95c09c435e75dabf6f81055899caaebdfd12b84bc37355ea8360af78b337d9c3826900a3fce40086a7d730d8f1cd088

Download Submit
C:\Users\Admin\AppData\Roaming\8612.838

Filesize
996B

MD5
d82c9910af99b107dbfd201510fd3ce3

SHA1
0da39b42e9fc1b7b506301d40b2375a9477264a1

SHA256
61a4ec84a742393ab802e811e89671aa43d3a9b09d8b894af051fe0a26daa7a1

SHA512
c1d7dd1d1d3c2a5a7759d6ab3ce3e566dfffa2ea25ca6990f1478c88fbd993d1e07c9cef45183d0f010d2a22d3959e8adad617bfdd78ce224f8bdcb69363e6af

Download Submit
memory/2076-1-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2076-197-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2076-156-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2076-15-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2076-2-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2184-83-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2184-82-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2184-85-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2724-8-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2724-10-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads