cycbot | b17612d02590ad22f75cdc0299428a418a3a44f8070db979d34d50e0f01e4411

General

Target

d38f9da10581250033729bbf65245425_JaffaCakes118.exe
Size

194KB
MD5

d38f9da10581250033729bbf65245425
SHA1

351ecb03baca1d34c2dcf2c2fc1dd5a468cecfaf
SHA256

b17612d02590ad22f75cdc0299428a418a3a44f8070db979d34d50e0f01e4411
SHA512

3a062ff3930190d0732944f6f41f0d52b0fbfa8659c296904a4e3a91a73c74b7b03dc3109343f37700be8a486d7646bef43c1467a46e7cc7f11929b7142d6514
SSDEEP

3072:/s5eZWt2qBlbU/+7nir7MtyU1PcyImp8wXi5t20zyFHR8ua0DpgewelMv02s:05jjaxr7MtN3IuqtNzyFxafewAO8

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2608-14-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1644-15-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1644-78-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2672-81-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1644-150-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	d38f9da10581250033729bbf65245425_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1644-2-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2608-12-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2608-14-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1644-15-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1644-78-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2672-80-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2672-81-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1644-150-0x0000000000400000-0x000000000046A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d38f9da10581250033729bbf65245425_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d38f9da10581250033729bbf65245425_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d38f9da10581250033729bbf65245425_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2608	1644	d38f9da10581250033729bbf65245425_JaffaCakes118.exe	30
PID 1644 wrote to memory of 2608	1644	d38f9da10581250033729bbf65245425_JaffaCakes118.exe	30
PID 1644 wrote to memory of 2608	1644	d38f9da10581250033729bbf65245425_JaffaCakes118.exe	30
PID 1644 wrote to memory of 2608	1644	d38f9da10581250033729bbf65245425_JaffaCakes118.exe	30
PID 1644 wrote to memory of 2672	1644	d38f9da10581250033729bbf65245425_JaffaCakes118.exe	33
PID 1644 wrote to memory of 2672	1644	d38f9da10581250033729bbf65245425_JaffaCakes118.exe	33
PID 1644 wrote to memory of 2672	1644	d38f9da10581250033729bbf65245425_JaffaCakes118.exe	33
PID 1644 wrote to memory of 2672	1644	d38f9da10581250033729bbf65245425_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\d38f9da10581250033729bbf65245425_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d38f9da10581250033729bbf65245425_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\d38f9da10581250033729bbf65245425_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d38f9da10581250033729bbf65245425_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2608
- C:\Users\Admin\AppData\Local\Temp\d38f9da10581250033729bbf65245425_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d38f9da10581250033729bbf65245425_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FEE7.8E0

Filesize
1KB

MD5
1a95cecbbce1b3850a5bef71cc35754c

SHA1
8f580d8ee838da9c9b5a7759e72ee69d42e97e26

SHA256
83499d9555654b2140aacdb1116e760368d1cfe05b0a7ebcc036535f5f358667

SHA512
0c9be9b1d62c87df99e97a841a50058b6837d99d2b66caa04bf58aa572654d8459945823b3d5e5fde69f22529be2b9a8f1c214584391bdbcaf9a4430774933e9

Download Submit
C:\Users\Admin\AppData\Roaming\FEE7.8E0

Filesize
600B

MD5
5b680acd71d10a86eea1ea6a8994bb66

SHA1
fda6ce8480e038a430967709a0c71309644c73ed

SHA256
9471f82758e6d9fb103aa0b060e9fd75adce347980486db57cb811251e3d73d8

SHA512
ee8177c11a13e3d7e882ab608c924e4c279919cf29ba5f492945b9be2cd1618cc825225eb3f3010cbc13b72735581edbd78c585826cd3ddaa7abb5dc8dcec910

Download Submit
C:\Users\Admin\AppData\Roaming\FEE7.8E0

Filesize
996B

MD5
6f113af6d79e392b6830bcccd9a00431

SHA1
4de6c4e33e9989bdb629c0a4a078189922fed30d

SHA256
d3c5e8953ee85bc127604bc23dc674838e838dbd9431e103fde9e818fed5f6cf

SHA512
c8a2ce6175e4c6b0669550ddd54e2cce5268cd1269494921e59e2020c7ad4350053f02eb63f1ed2acbf2c4b0ec77d648cec5043733f8473ce0f483a65ba79a23

Download Submit
memory/1644-1-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1644-2-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1644-15-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1644-78-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1644-150-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2608-12-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2608-14-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2672-80-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2672-81-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads