cycbot | 05c80405e3db755a4e5ae985f7c32bc7d1039e36278dd1f845e1e07a34e2bf41

General

Target

d76d39c59aa86990c4b93df62a066774_JaffaCakes118.exe
Size

162KB
MD5

d76d39c59aa86990c4b93df62a066774
SHA1

00c538a5e1a6bad55768998b44f99c6ae56633cf
SHA256

05c80405e3db755a4e5ae985f7c32bc7d1039e36278dd1f845e1e07a34e2bf41
SHA512

4aa7f240b55d310fa41839ed29ac9048ff1e1326f556df921b7585eeecc8db6e72986e6a3be1eb8fe0adfaca1b687826e20e78b4e3cfabdebc4d18c445340eb4
SSDEEP

3072:gWtPChgcBSEWv1Jvo7MhpJvdQyj4mhDCVP5i0H0/xq0mKgDqSm5Z8pQEeq:JPzn1RVzvdz4LU/x4mvEZ

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2536-11-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2428-16-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/2428-17-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2428-83-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/748-88-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/748-86-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2428-189-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\9CF38\\35A1B.exe"	d76d39c59aa86990c4b93df62a066774_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2428-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2536-10-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2536-11-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2536-8-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2428-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2428-17-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2428-83-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/748-88-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/748-86-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2428-189-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d76d39c59aa86990c4b93df62a066774_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d76d39c59aa86990c4b93df62a066774_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d76d39c59aa86990c4b93df62a066774_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2536	2428	d76d39c59aa86990c4b93df62a066774_JaffaCakes118.exe	30
PID 2428 wrote to memory of 2536	2428	d76d39c59aa86990c4b93df62a066774_JaffaCakes118.exe	30
PID 2428 wrote to memory of 2536	2428	d76d39c59aa86990c4b93df62a066774_JaffaCakes118.exe	30
PID 2428 wrote to memory of 2536	2428	d76d39c59aa86990c4b93df62a066774_JaffaCakes118.exe	30
PID 2428 wrote to memory of 748	2428	d76d39c59aa86990c4b93df62a066774_JaffaCakes118.exe	33
PID 2428 wrote to memory of 748	2428	d76d39c59aa86990c4b93df62a066774_JaffaCakes118.exe	33
PID 2428 wrote to memory of 748	2428	d76d39c59aa86990c4b93df62a066774_JaffaCakes118.exe	33
PID 2428 wrote to memory of 748	2428	d76d39c59aa86990c4b93df62a066774_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\d76d39c59aa86990c4b93df62a066774_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d76d39c59aa86990c4b93df62a066774_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\d76d39c59aa86990c4b93df62a066774_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d76d39c59aa86990c4b93df62a066774_JaffaCakes118.exe startC:\Program Files (x86)\LP\1B89\C29.exe%C:\Program Files (x86)\LP\1B89
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2536
- C:\Users\Admin\AppData\Local\Temp\d76d39c59aa86990c4b93df62a066774_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d76d39c59aa86990c4b93df62a066774_JaffaCakes118.exe startC:\Program Files (x86)\38589\lvvm.exe%C:\Program Files (x86)\38589
  2⤵
  - System Location Discovery: System Language Discovery
  PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\9CF38\8589.CF3

Filesize
1KB

MD5
5bb2b1bd6a9efb25991bfa3045ef33d8

SHA1
be2917634f74f78804e416147a3409c0d484b8d7

SHA256
24304122183dc2a0951432e5796214d6360890302527470b5222624357137051

SHA512
ee706b5dc08f5ac4f4797506392b3c1baad8e9109a0d1f3949e16d752b4653eb515656e82169665b1e321ca6cc70948e43551b335847269160db1f4293627b59

Download Submit
C:\Users\Admin\AppData\Roaming\9CF38\8589.CF3

Filesize
600B

MD5
757f711f7efbf66de0ed4767659f4837

SHA1
0965fb58a45bc858385bd8291cc11df0908b2d65

SHA256
d97590cb1bdaa1261b73d306959f07dbda486b8ee320cb82d481d4bedcef1d57

SHA512
4d32c53ae9d44ec5fa08bec66a4befab7bd6f33dc4ced71c09ac0b155344faffa9d285bcf790ae09a1a84b85e74890e0d21ca3e2a31798e0a9b433ed56cd2b93

Download Submit
C:\Users\Admin\AppData\Roaming\9CF38\8589.CF3

Filesize
996B

MD5
7dcc250bebb135832bc8326714bd9c5b

SHA1
c5b3225b43d753ffaa07dd1cfbafc656ec71e4d5

SHA256
a9d019001cdc01fae076f1c8f32405f34e4f70b20104706642240ffb40ffcea7

SHA512
f11880bdc3ce74a5d79995a9e33a2d14596a7b275fd2654855049a79269a959f9fcce5ee07a4019e649274b7f1f715c7988c2688dddbf112f6bb3b7a109d2139

Download Submit
memory/748-86-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/748-88-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/748-85-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2428-17-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2428-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2428-83-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2428-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2428-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2428-189-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2536-8-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2536-11-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2536-10-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads