cycbot | 93974daf245cf75829a16fd39adb7b8555ff9b319c07759c7393d4994e6a0168

General

Target

d809c8711fc3d906b79a0d80e3b10461_JaffaCakes118.exe
Size

167KB
MD5

d809c8711fc3d906b79a0d80e3b10461
SHA1

c9d5781376f572f7f0c06d6048bbeef76f853187
SHA256

93974daf245cf75829a16fd39adb7b8555ff9b319c07759c7393d4994e6a0168
SHA512

b14badbfb2fffcfc0e74ee7cd421ca01f4ddfd0e3431e544a12f63993474d803930cbbdd954f4c530be037278a424fd75f7387fac1a33f2dc9392c3f40535c61
SSDEEP

3072:lxOvJRcE0srzPNzoS0duNOx7ksl5oyAvEyIIWXIpRe6gta:IJRcsrezdu0x7km5oyAvEjxcgt

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1940-10-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/1940-8-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2424-15-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2424-16-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2424-77-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2764-82-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2424-191-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\7921D\\F18BC.exe"	d809c8711fc3d906b79a0d80e3b10461_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2424-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1940-10-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1940-8-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2424-15-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2424-16-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2424-77-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2764-80-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2764-82-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2424-191-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d809c8711fc3d906b79a0d80e3b10461_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d809c8711fc3d906b79a0d80e3b10461_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d809c8711fc3d906b79a0d80e3b10461_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 1940	2424	d809c8711fc3d906b79a0d80e3b10461_JaffaCakes118.exe	31
PID 2424 wrote to memory of 1940	2424	d809c8711fc3d906b79a0d80e3b10461_JaffaCakes118.exe	31
PID 2424 wrote to memory of 1940	2424	d809c8711fc3d906b79a0d80e3b10461_JaffaCakes118.exe	31
PID 2424 wrote to memory of 1940	2424	d809c8711fc3d906b79a0d80e3b10461_JaffaCakes118.exe	31
PID 2424 wrote to memory of 2764	2424	d809c8711fc3d906b79a0d80e3b10461_JaffaCakes118.exe	33
PID 2424 wrote to memory of 2764	2424	d809c8711fc3d906b79a0d80e3b10461_JaffaCakes118.exe	33
PID 2424 wrote to memory of 2764	2424	d809c8711fc3d906b79a0d80e3b10461_JaffaCakes118.exe	33
PID 2424 wrote to memory of 2764	2424	d809c8711fc3d906b79a0d80e3b10461_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\d809c8711fc3d906b79a0d80e3b10461_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d809c8711fc3d906b79a0d80e3b10461_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\d809c8711fc3d906b79a0d80e3b10461_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d809c8711fc3d906b79a0d80e3b10461_JaffaCakes118.exe startC:\Program Files (x86)\LP\BC47\455.exe%C:\Program Files (x86)\LP\BC47
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1940
- C:\Users\Admin\AppData\Local\Temp\d809c8711fc3d906b79a0d80e3b10461_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d809c8711fc3d906b79a0d80e3b10461_JaffaCakes118.exe startC:\Program Files (x86)\1D83E\lvvm.exe%C:\Program Files (x86)\1D83E
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7921D\D83E.921

Filesize
1KB

MD5
6062843d93ac3b97e93684c3c15fc2bc

SHA1
50a062e80326754bc1d604bcf31c7664fe7496e7

SHA256
3efa64b7887d90fbafd2bff5b8d8730a5e4841b99a489c8f942cbe9ad13223cc

SHA512
a4a3dd111231663459afde4cb9759f288aea181f55ca83594c4802ed86af777b953d163ab98a326941dbdd46e80b0ec7ec16c327fad29736047945ced53a357f

Download Submit
C:\Users\Admin\AppData\Roaming\7921D\D83E.921

Filesize
600B

MD5
a54e1ac047a4bc154580c41334091f8a

SHA1
bac8dd06208deee883c8b94971f86ef69297fe51

SHA256
1925907cffc040be922f6018f0835c6f6bc831b59545345290547a04b2b82df8

SHA512
3b402e3f515b1ea51a6a2bd588a21788a2e281c41eeca6185ef40f9d01ae5c059fdf235ce6ef1026f55447edf4cb92b14c6ec89615662d275a97c0e79135158c

Download Submit
C:\Users\Admin\AppData\Roaming\7921D\D83E.921

Filesize
996B

MD5
8ddda75ecc2af23bea5f590e3173c920

SHA1
f2ecdca99f0a761e82fc30e384703cea957d01c5

SHA256
13e2e2f0c9dcbd019f15230ccbe891c983595c96e3444bc4356940157956eb8a

SHA512
aedf3f33b7f12f83701885b43b2bffe8225875239494f13106de1518ae033017ae92a55a70815b6ef1b5753dc4d00583b5e055eabd1e87e6407e3e17bf6d0b1f

Download Submit
memory/1940-9-0x00000000002C0000-0x000000000033A000-memory.dmp

Filesize
488KB

Download
memory/1940-7-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/1940-8-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1940-10-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2424-1-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2424-15-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2424-16-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2424-77-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2424-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2424-191-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2764-80-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2764-79-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2764-82-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads