cycbot | 4f45a703cc132aebccd38f58a387631ffb428a8d00cac8cdc723070eca7eee1d

General

Target

d4220164d214feea2230fb9362fd5c51_JaffaCakes118.exe
Size

276KB
MD5

d4220164d214feea2230fb9362fd5c51
SHA1

bdb83d442738c53ea041aea0cf88000a57d7da64
SHA256

4f45a703cc132aebccd38f58a387631ffb428a8d00cac8cdc723070eca7eee1d
SHA512

ed26ae44b1e79d707bc58a1cb2a2dff827f50811278bc3da3c17264719f7af01abe5e67e870b8286f78c7f76729d67b74c05fa334f9e71618982d76dc1dca559
SSDEEP

6144:B5tQHc9Q+Qi3P2G7NnkafkjPLICn8jwaRDump2DEndL5enw/Pf/G:BrG+Qi3P2ykzjIr2EnBcUnG

Score

10^/10

cycbot pony backdoor credential_access discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2092-14-0x0000000000400000-0x00000000004A9000-memory.dmp	family_cycbot
behavioral1/memory/1520-15-0x0000000000400000-0x00000000004A9000-memory.dmp	family_cycbot
behavioral1/memory/1520-70-0x0000000000400000-0x00000000004A9000-memory.dmp	family_cycbot
behavioral1/memory/2092-71-0x0000000000400000-0x00000000004A9000-memory.dmp	family_cycbot
behavioral1/memory/2588-75-0x0000000000400000-0x00000000004A9000-memory.dmp	family_cycbot
behavioral1/memory/1520-172-0x0000000000400000-0x00000000004A9000-memory.dmp	family_cycbot
behavioral1/memory/1520-174-0x0000000000400000-0x00000000004A9000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\7BB8E\\3EED3.exe"	d4220164d214feea2230fb9362fd5c51_JaffaCakes118.exe

Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 1 IoCs

pid	Process
2888	2B35.tmp

Loads dropped DLL 2 IoCs

pid	Process
1520	d4220164d214feea2230fb9362fd5c51_JaffaCakes118.exe
1520	d4220164d214feea2230fb9362fd5c51_JaffaCakes118.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1520-2-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral1/memory/2092-12-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral1/memory/2092-14-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral1/memory/1520-15-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral1/memory/1520-70-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral1/memory/2092-71-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral1/memory/2588-73-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral1/memory/2588-75-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral1/memory/1520-172-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral1/memory/1520-174-0x0000000000400000-0x00000000004A9000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\D3A7\2B35.tmp	d4220164d214feea2230fb9362fd5c51_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2B35.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4220164d214feea2230fb9362fd5c51_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4220164d214feea2230fb9362fd5c51_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4220164d214feea2230fb9362fd5c51_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2092	1520	d4220164d214feea2230fb9362fd5c51_JaffaCakes118.exe	30
PID 1520 wrote to memory of 2092	1520	d4220164d214feea2230fb9362fd5c51_JaffaCakes118.exe	30
PID 1520 wrote to memory of 2092	1520	d4220164d214feea2230fb9362fd5c51_JaffaCakes118.exe	30
PID 1520 wrote to memory of 2092	1520	d4220164d214feea2230fb9362fd5c51_JaffaCakes118.exe	30
PID 1520 wrote to memory of 2588	1520	d4220164d214feea2230fb9362fd5c51_JaffaCakes118.exe	33
PID 1520 wrote to memory of 2588	1520	d4220164d214feea2230fb9362fd5c51_JaffaCakes118.exe	33
PID 1520 wrote to memory of 2588	1520	d4220164d214feea2230fb9362fd5c51_JaffaCakes118.exe	33
PID 1520 wrote to memory of 2588	1520	d4220164d214feea2230fb9362fd5c51_JaffaCakes118.exe	33
PID 1520 wrote to memory of 2888	1520	d4220164d214feea2230fb9362fd5c51_JaffaCakes118.exe	34
PID 1520 wrote to memory of 2888	1520	d4220164d214feea2230fb9362fd5c51_JaffaCakes118.exe	34
PID 1520 wrote to memory of 2888	1520	d4220164d214feea2230fb9362fd5c51_JaffaCakes118.exe	34
PID 1520 wrote to memory of 2888	1520	d4220164d214feea2230fb9362fd5c51_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\d4220164d214feea2230fb9362fd5c51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d4220164d214feea2230fb9362fd5c51_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\d4220164d214feea2230fb9362fd5c51_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d4220164d214feea2230fb9362fd5c51_JaffaCakes118.exe startC:\Program Files (x86)\Common Files\D3A7\4D4.exe%C:\Program Files (x86)\Common Files\D3A7
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2092
- C:\Users\Admin\AppData\Local\Temp\d4220164d214feea2230fb9362fd5c51_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d4220164d214feea2230fb9362fd5c51_JaffaCakes118.exe startC:\Program Files (x86)\8E8FC\lvvm.exe%C:\Program Files (x86)\8E8FC
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2588
- C:\Program Files (x86)\Common Files\D3A7\2B35.tmp
  "C:\Program Files (x86)\Common Files\D3A7\2B35.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7BB8E\E8FC.BB8

Filesize
1KB

MD5
afbe8597d93eb74a6d50816eb46166aa

SHA1
3eea168ab809f10939cbac61c59eaa7e96a7458a

SHA256
43d68bcf391cf8cdc569825a6d8a781c2f7e15c411ba48c4b3af80445c795159

SHA512
4130412dc103b1fc536abef9160392e557fb6179a66f282cfd0591adc341468a54b150af05416f1969a366b3cd3953de5128892d9bed5a44df0bd894e3a4c16c

Download Submit
C:\Users\Admin\AppData\Roaming\7BB8E\E8FC.BB8

Filesize
600B

MD5
8345c6d2085a56533f8279f8033ab107

SHA1
49a8df4f52451505405a35da5648e71f013a83cc

SHA256
2b5b11d8df34ebf6984c82c8dd03290a6ba19e49bbe4dc4efa1ff3d7f3b41eb4

SHA512
6be20223a8d121339ad32deb222efcdbaa97fa321198e411264556a771cd086a806304119cb3bb99c98962f2f4d1ecd8e1ba11483d7520941e85f10d140aeeb3

Download Submit
C:\Users\Admin\AppData\Roaming\7BB8E\E8FC.BB8

Filesize
1KB

MD5
a2f432b1d4fdaa0de6b584c9a5f1ebff

SHA1
8edf5ca53ee73b45c7c8b3be88723cfae7f68ff0

SHA256
6cef20d15a4efe733551eac703d7ec4b5fcc5daf8a6126dda28d0f77f2ff909f

SHA512
ac7a911e0dc380ef1aece98c42f9df18ad5153e5879b5efe508d747aa6772011eadfc40a6304bdd5648716c0eabc63802649aa0588e31bc8834306390becb8e6

Download Submit
C:\Users\Admin\AppData\Roaming\7BB8E\E8FC.BB8

Filesize
996B

MD5
b456a525c2cdf16719a9a05a55227d20

SHA1
eddfec61adc5a984eefecafcc6eddef4ad20fc9e

SHA256
c308b878b17d52b346dbd887f139cfd112f33006062aadeacb973dde83a31b10

SHA512
9083b5da0cc98266876b2b20bf83824c838998bda55231d86495bbe95dae3f786ae73b3f58c6f9278a116f9e176ca21ef9a276c8c179d860cc8a7f28c876c660

Download Submit
\Program Files (x86)\Common Files\D3A7\2B35.tmp

Filesize
102KB

MD5
6a354b185ff0c14734556feb038cc9d2

SHA1
f9c6418da513a813cf7632005b5da2f42cd45348

SHA256
fc3bfa44732073344d71f91849214618ac2b9c6e6530a7fde69a8648d8d266b8

SHA512
dc195008495a5169f46316c0b774c4848543f3b4704149e93f384d95e4b85eb494aafde08a3cdc09c0fee3f8b4f7a0fd7bb786534128cc727329872eff00474b

Download Submit
memory/1520-15-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1520-172-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1520-2-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1520-70-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1520-1-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1520-174-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2092-71-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2092-14-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2092-12-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2588-75-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2588-73-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2888-171-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2888-169-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2888-170-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads