cycbot | 894c891dc44384c687238b7142c0a6934261be7151cc4ee41c9462d86d1f9f63

General

Target

dbb6858d9e9275405404c40bf5c39cb4_JaffaCakes118.exe
Size

179KB
MD5

dbb6858d9e9275405404c40bf5c39cb4
SHA1

18ce267bb4529b297bad971f758b310ac7b27124
SHA256

894c891dc44384c687238b7142c0a6934261be7151cc4ee41c9462d86d1f9f63
SHA512

28d4fc9736165fd7afea55e0311d00a74014442e8283a362b4b1297977362f2d351e39aba1a64b27204f592699eb5e6e436d86a09be3a721c4d5b1600a987121
SSDEEP

3072:O8Dd7ZvPeBjWR9zvOon0AGtG2JHOV9FZ5OwqAc9z4qUiwGtlZNxRCfn:O8D5ZO1WRFJ0Az2scAwlFNxwfn

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2572-14-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2820-15-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2572-81-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2820-80-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/1604-84-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2820-151-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	dbb6858d9e9275405404c40bf5c39cb4_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2820-2-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2572-13-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2572-14-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2820-15-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2572-81-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2820-80-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/1604-84-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2820-151-0x0000000000400000-0x000000000048D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbb6858d9e9275405404c40bf5c39cb4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbb6858d9e9275405404c40bf5c39cb4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbb6858d9e9275405404c40bf5c39cb4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2572	2820	dbb6858d9e9275405404c40bf5c39cb4_JaffaCakes118.exe	30
PID 2820 wrote to memory of 2572	2820	dbb6858d9e9275405404c40bf5c39cb4_JaffaCakes118.exe	30
PID 2820 wrote to memory of 2572	2820	dbb6858d9e9275405404c40bf5c39cb4_JaffaCakes118.exe	30
PID 2820 wrote to memory of 2572	2820	dbb6858d9e9275405404c40bf5c39cb4_JaffaCakes118.exe	30
PID 2820 wrote to memory of 1604	2820	dbb6858d9e9275405404c40bf5c39cb4_JaffaCakes118.exe	32
PID 2820 wrote to memory of 1604	2820	dbb6858d9e9275405404c40bf5c39cb4_JaffaCakes118.exe	32
PID 2820 wrote to memory of 1604	2820	dbb6858d9e9275405404c40bf5c39cb4_JaffaCakes118.exe	32
PID 2820 wrote to memory of 1604	2820	dbb6858d9e9275405404c40bf5c39cb4_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\dbb6858d9e9275405404c40bf5c39cb4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dbb6858d9e9275405404c40bf5c39cb4_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\dbb6858d9e9275405404c40bf5c39cb4_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\dbb6858d9e9275405404c40bf5c39cb4_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2572
- C:\Users\Admin\AppData\Local\Temp\dbb6858d9e9275405404c40bf5c39cb4_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\dbb6858d9e9275405404c40bf5c39cb4_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F795.3D3

Filesize
1KB

MD5
dfd4404bcc37eadf3f2ccc14abd17bef

SHA1
7665097a4d8ac46f1223bb382dced75c1e4911c1

SHA256
cadc550ca2fa537e770b1cf3f7ee4fbfc538e8560d5755c74d8e0c18712c918f

SHA512
19314405ed420539d77a3df34e90ee92de171495354cce0f6fec9279215e8acc11e37b3a120c239b8073f92f7f80e3f53657ac96a08abd141076b58f4e634256

Download Submit
C:\Users\Admin\AppData\Roaming\F795.3D3

Filesize
600B

MD5
917b96bb80c53f1fb8e73e9576153573

SHA1
b82a2c0313956367add37ed1b66b17f07b68aba5

SHA256
699dca6147892a2a599bea09f9c7b8b536ff3c0ed422e3532754c88b7cd8ebcb

SHA512
0720020fde7615fd60b7c707941219fbdd4c503e1c1929845f01cdc9561da4173296d2ef2059624f95a5e8ba4ccb808749348d5ba4c2e632b50e8e28ed043b0e

Download Submit
C:\Users\Admin\AppData\Roaming\F795.3D3

Filesize
996B

MD5
e861156ea8d1ebe67dd5fd36a58a1220

SHA1
1d563ef52c71ddaf96ffba460cd06f7812a2cfde

SHA256
521dc47836e748c82a76a3c5df00956c59124cded72ebe933edfe63ae53070a2

SHA512
32c516a07b26b8b345794ac9a13c79ff107533efb9c33391aeaba2bd7dd8ea150485138c09562a08e2e94669cf3680017c606ef4a4d0e64170396ebe77007a5e

Download Submit
memory/1604-84-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2572-13-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2572-14-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2572-81-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2820-1-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2820-2-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2820-15-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2820-80-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2820-151-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads