cycbot | c993d4020006ebb34e761d0c95a8a8ae1e344b4f6c390b2303c4ae08dd5b84fe

General

Target

dbdf13270adabecd0b98d63112bb426b_JaffaCakes118.exe
Size

183KB
MD5

dbdf13270adabecd0b98d63112bb426b
SHA1

32b3f12d92e330fa581877a841f7b5a93a9ea127
SHA256

c993d4020006ebb34e761d0c95a8a8ae1e344b4f6c390b2303c4ae08dd5b84fe
SHA512

78d701b3d95ef92e04b1a468c427a3ea76d552c3be8091396820688d0eecad60e1296c39d6edb15ef829ad6aec4d9f83616e3f2e995ac7842a380623313d4505
SSDEEP

3072:Mf3ZM5wD0eDxS7txhF7BiOk+5cOWAuEA7LNr3lsT6O8vaUO/NwbX850pMIWqojEW:SpM5MSJxhdBiOk+5cOvA7LR46O8v5Zit

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1536-9-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/576-15-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/576-84-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/2952-88-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/576-186-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	dbdf13270adabecd0b98d63112bb426b_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/576-2-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1536-9-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/576-15-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/576-84-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2952-86-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2952-88-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/576-186-0x0000000000400000-0x000000000046E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbdf13270adabecd0b98d63112bb426b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbdf13270adabecd0b98d63112bb426b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbdf13270adabecd0b98d63112bb426b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 1536	576	dbdf13270adabecd0b98d63112bb426b_JaffaCakes118.exe	31
PID 576 wrote to memory of 1536	576	dbdf13270adabecd0b98d63112bb426b_JaffaCakes118.exe	31
PID 576 wrote to memory of 1536	576	dbdf13270adabecd0b98d63112bb426b_JaffaCakes118.exe	31
PID 576 wrote to memory of 1536	576	dbdf13270adabecd0b98d63112bb426b_JaffaCakes118.exe	31
PID 576 wrote to memory of 2952	576	dbdf13270adabecd0b98d63112bb426b_JaffaCakes118.exe	33
PID 576 wrote to memory of 2952	576	dbdf13270adabecd0b98d63112bb426b_JaffaCakes118.exe	33
PID 576 wrote to memory of 2952	576	dbdf13270adabecd0b98d63112bb426b_JaffaCakes118.exe	33
PID 576 wrote to memory of 2952	576	dbdf13270adabecd0b98d63112bb426b_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\dbdf13270adabecd0b98d63112bb426b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dbdf13270adabecd0b98d63112bb426b_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:576
- C:\Users\Admin\AppData\Local\Temp\dbdf13270adabecd0b98d63112bb426b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\dbdf13270adabecd0b98d63112bb426b_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1536
- C:\Users\Admin\AppData\Local\Temp\dbdf13270adabecd0b98d63112bb426b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\dbdf13270adabecd0b98d63112bb426b_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0C3A.9D5

Filesize
1KB

MD5
056cb69dcd97b7ed3466d46817874f4e

SHA1
6fae1a40b1f2fff44c226842fdbd411629ed410f

SHA256
fff6cb7218bfee6c217e0191985405efdc432a9b44c4baa1603d8afe0fe47731

SHA512
b9e978b55ed8d094d46a7ffddaf73cde8d276314ab740f05c3476fca3b69a29612a34a8e0f13a265d8e3ae1b369f98e211c6172c5c1ee9af05daf45f1129dcf6

Download Submit
C:\Users\Admin\AppData\Roaming\0C3A.9D5

Filesize
600B

MD5
94e0f90c569a5683b3e95c755c0eee56

SHA1
6243a8667759d7fa8243b2fad8f5b922a4b36301

SHA256
5c975a3b433ecfdca41fe164981a81eb22cab0237546cce67fdcca5303a96ab9

SHA512
2ee40085604a2b519c55d066d19738de422df57b5bff99c5a9f68407bef9c719c3ef9de3d3ea9eb8ab2ec3afcb23c1d802a8cbf8f60824f3ea49bfa44249b372

Download Submit
C:\Users\Admin\AppData\Roaming\0C3A.9D5

Filesize
996B

MD5
ba565ab226f7acb31429a5e5a66779f9

SHA1
1c1f1abf26289924d62374d788ec7e6cfc856423

SHA256
982cf20cb0229170f6aac7ac9fe0c93f3c5d668578838d9b9cceee105ea53720

SHA512
edca00ac9050c61374967de163527f73d97e3562916efcdfc7390c1195d27e1c0edaff2b9caf29c240b42c0c12c422d5e264e0a97b4e421e505ed1902c44451f

Download Submit
memory/576-1-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/576-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/576-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/576-84-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/576-186-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1536-10-0x0000000000642000-0x000000000065E000-memory.dmp

Filesize
112KB

Download
memory/1536-9-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2952-86-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2952-88-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads