cycbot | 951d63a2a8f8a6a308b9710030458b897fa3d8ba50f5c4a5c9c52fcf332bec3b

General

Target

d6ce4e036572bfee17db9e184b64f445_JaffaCakes118.exe
Size

179KB
MD5

d6ce4e036572bfee17db9e184b64f445
SHA1

b6626827485b119fde72e6919f0e9f32418a9b10
SHA256

951d63a2a8f8a6a308b9710030458b897fa3d8ba50f5c4a5c9c52fcf332bec3b
SHA512

33a33b3fcfbbd0e885828b90b60ff88a126d3610fc1336a6035ee30d4bae1615e09be92d2a534e0528e6954e7c2ce2ac96c80dc64adf572b66f54d8c3c1ec3f8
SSDEEP

3072:vpBnzXiSQvj5Ib4NhhMjgVoyIe1lSTcNmfwbtDSogsFRShZAQ1ZyyNme+qnm/H:3yR9LNMAee1lLB2VgSAkZ+vUmf

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1848-8-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/1848-9-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/1920-14-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/1848-15-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2148-87-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/1920-88-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/1920-162-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	d6ce4e036572bfee17db9e184b64f445_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1920-1-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/1848-8-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/1848-9-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/1920-14-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/1848-15-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2148-86-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2148-87-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/1920-88-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/1920-162-0x0000000000400000-0x000000000048D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6ce4e036572bfee17db9e184b64f445_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6ce4e036572bfee17db9e184b64f445_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6ce4e036572bfee17db9e184b64f445_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 1848	1920	d6ce4e036572bfee17db9e184b64f445_JaffaCakes118.exe	30
PID 1920 wrote to memory of 1848	1920	d6ce4e036572bfee17db9e184b64f445_JaffaCakes118.exe	30
PID 1920 wrote to memory of 1848	1920	d6ce4e036572bfee17db9e184b64f445_JaffaCakes118.exe	30
PID 1920 wrote to memory of 1848	1920	d6ce4e036572bfee17db9e184b64f445_JaffaCakes118.exe	30
PID 1920 wrote to memory of 2148	1920	d6ce4e036572bfee17db9e184b64f445_JaffaCakes118.exe	32
PID 1920 wrote to memory of 2148	1920	d6ce4e036572bfee17db9e184b64f445_JaffaCakes118.exe	32
PID 1920 wrote to memory of 2148	1920	d6ce4e036572bfee17db9e184b64f445_JaffaCakes118.exe	32
PID 1920 wrote to memory of 2148	1920	d6ce4e036572bfee17db9e184b64f445_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\d6ce4e036572bfee17db9e184b64f445_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d6ce4e036572bfee17db9e184b64f445_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Local\Temp\d6ce4e036572bfee17db9e184b64f445_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d6ce4e036572bfee17db9e184b64f445_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1848
- C:\Users\Admin\AppData\Local\Temp\d6ce4e036572bfee17db9e184b64f445_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d6ce4e036572bfee17db9e184b64f445_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\BF88.E00

Filesize
1KB

MD5
d219e5fbe0326b43bf163b17a36b3811

SHA1
fc63f821d53465933ec20a334cbc993ff5251388

SHA256
fdc680bf96fbdf8e316ef57506b058875f438e923ba0ae5c1a85059151f149a4

SHA512
d42528da37f4350978e89b97c9b87a17d98317e507c6620c9c9308fc235f67b1f11443b8da71e81971ca0a77117b495a1d829ed06cb90d1687a58d45c597ae3a

Download Submit
C:\Users\Admin\AppData\Roaming\BF88.E00

Filesize
600B

MD5
cce7cfc312cf3c4531437cd205415d47

SHA1
e9458f07f3921fb56d16f4b34d89c4a07b270920

SHA256
479666f087f17ffd8bf524ec4d67dd3a272c6617f20bc16d2d06325c11ed9bd7

SHA512
274d7369936840d7ffe10f572746dce9f17db732a70f93c18369cfffbea3e2c48b0a4ca4636a3edb5d17c8b7887c02478c35e455f77d06845672a9abff06cce4

Download Submit
C:\Users\Admin\AppData\Roaming\BF88.E00

Filesize
996B

MD5
f3c39352c88589bd6e4558c43b073537

SHA1
845986dc35fa98a7a2820f965579f428150578f6

SHA256
419c802d0f5353f0333167e8306cc054a13802be220ae1dd3bef05789bafcd3e

SHA512
abab7ea228b17d02c81bb42697c2eea47b1e4f80c0f93678393abf0d325f24c501ff6aea435f2c8a3a7d4ffbfd4ef650390c0af48e053583ab40ab629ad85756

Download Submit
memory/1848-8-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1848-9-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1848-15-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1920-88-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1920-1-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1920-162-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1920-14-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2148-86-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2148-87-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2148-84-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads