cycbot | f7e85d7dc28aa9eb1aa24ae4a8d2b9a024b1b1e8d1d76c82cdab0df2b330fca6

General

Target

d22ca23ee2393ca5525f25a5ada12d3e_JaffaCakes118.exe
Size

180KB
MD5

d22ca23ee2393ca5525f25a5ada12d3e
SHA1

c2c994365ce4fe277575cfb0456d4c30d6425fc2
SHA256

f7e85d7dc28aa9eb1aa24ae4a8d2b9a024b1b1e8d1d76c82cdab0df2b330fca6
SHA512

976cc085c3b19ced7d62793421af09a83e1c7a5560790834284d2cd58e9c112dc6e824adca628b53de15d7f9b455c27d5fb4bff86d25ff40b180e4c729b13db9
SSDEEP

3072:btzuG5iiIaY7qQ1tBe5lo5/ozTCrHwKm4nVLAnrkglD7aRHJ+3:BCG5ZIaZAtGo5/g4nVLAnrHF3

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2624-18-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2140-19-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2140-80-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2556-85-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2140-198-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	d22ca23ee2393ca5525f25a5ada12d3e_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2140-1-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2624-18-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2624-16-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2140-19-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2140-80-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2556-85-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2556-83-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2140-198-0x0000000000400000-0x000000000046C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d22ca23ee2393ca5525f25a5ada12d3e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d22ca23ee2393ca5525f25a5ada12d3e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d22ca23ee2393ca5525f25a5ada12d3e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2624	2140	d22ca23ee2393ca5525f25a5ada12d3e_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2624	2140	d22ca23ee2393ca5525f25a5ada12d3e_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2624	2140	d22ca23ee2393ca5525f25a5ada12d3e_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2624	2140	d22ca23ee2393ca5525f25a5ada12d3e_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2556	2140	d22ca23ee2393ca5525f25a5ada12d3e_JaffaCakes118.exe	33
PID 2140 wrote to memory of 2556	2140	d22ca23ee2393ca5525f25a5ada12d3e_JaffaCakes118.exe	33
PID 2140 wrote to memory of 2556	2140	d22ca23ee2393ca5525f25a5ada12d3e_JaffaCakes118.exe	33
PID 2140 wrote to memory of 2556	2140	d22ca23ee2393ca5525f25a5ada12d3e_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\d22ca23ee2393ca5525f25a5ada12d3e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d22ca23ee2393ca5525f25a5ada12d3e_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\d22ca23ee2393ca5525f25a5ada12d3e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d22ca23ee2393ca5525f25a5ada12d3e_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2624
- C:\Users\Admin\AppData\Local\Temp\d22ca23ee2393ca5525f25a5ada12d3e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d22ca23ee2393ca5525f25a5ada12d3e_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C01F.ADA

Filesize
1KB

MD5
73c32b562007fb013a883f54fac34acb

SHA1
15e2dbb0599634a527f4a830b45a3727f885939d

SHA256
408bf6178701daf68edec2bf7057bdda043cb1e761658042d9b7c5e0abba86f6

SHA512
a2982033b4653dd46bb93bc7900cd11a830e7e309caf967a78d7e65d546ed7ad332eb47b7b5571c894f6e9f568ac1029cca639418397dc3c0c8f2f41e0e8be12

Download Submit
C:\Users\Admin\AppData\Roaming\C01F.ADA

Filesize
1KB

MD5
e30e415d6da5a9c15be9308f2e68ebcb

SHA1
078836beb50484528fad6a4aedc602f0071d8606

SHA256
9902155155d1e33e9b7e5954c813a190bc1bffd09b1c1ff0c9c15d2fcac6a07f

SHA512
632c3049ed3ac419f538a3120156bc9e4f615d56982b9daf3f0ae58ec5db04f515c50e0bcfc734313893dbd171949e34c589d12ecca1621b95f2407448a6f25e

Download Submit
C:\Users\Admin\AppData\Roaming\C01F.ADA

Filesize
897B

MD5
d394de6e825bd311251203fb8277eac2

SHA1
d64939d797e4371478951ca5fe3a3d175cf6cb29

SHA256
2d766a53fcf79ecf3d8a8e6dd4c31d404b03a92b84cf6fa119e336b77e6892fd

SHA512
572ff9e2438ae570daeb3cb31ec99922993ab430485840024eace303179f485e5a713f9143506800ba787b4613aa9345d5e1b24e37491d4f70d6199ade0f0e58

Download Submit
C:\Users\Admin\AppData\Roaming\C01F.ADA

Filesize
1KB

MD5
f89eea81415a58a7d03ee0db856f5181

SHA1
e191cca9497ee2b967602ae9d424a6c1d67d27db

SHA256
53c2a542f618561faf8b5859324814f08bb37da09538ca116c588760101c5fbd

SHA512
bb0a5e3598145b4dfcbec1afb9d45662383b8b37f2683c99319b2ecef81eb29c4e46e38276f540e13fbdbe03f25df09920cf7bcca3ba031f865f773bb9958b96

Download Submit
C:\Users\Admin\AppData\Roaming\C01F.ADA

Filesize
597B

MD5
f2411d3afcf54763e7bf2ebf2fab04de

SHA1
07ccdefdd1b5e7aca3191df185416dbd4adcc2bd

SHA256
a9b475a4f4ab3060964e37b769151279b1242b98e065881066953dc40dd61918

SHA512
c55f8ee91014bd39690633ff6b84e87c81de212511f3146abc8bd03e5c6405c15ecb544d0edc58b80a205007adc85ab1311e0d0b7cb9302ad0ab53f9456786b2

Download Submit
memory/2140-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2140-198-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2140-19-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2140-80-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2556-82-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2556-83-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2556-85-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2624-16-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2624-18-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads