cycbot | bdf77469f61ee2c6f5901cecb0890083621b12a914b2638e9de2222d32bdf32c

General

Target

df8361b0ac6c8f01dfd7f88504a0b877_JaffaCakes118.exe
Size

204KB
MD5

df8361b0ac6c8f01dfd7f88504a0b877
SHA1

5c6f27553b0effd993cb98a22f308b946e7cf67d
SHA256

bdf77469f61ee2c6f5901cecb0890083621b12a914b2638e9de2222d32bdf32c
SHA512

a9927cd2dc837223907f12253f54c533b01dbf07485f49e3858f55d64e5074033682e1a13495c038239c807367e790b8d44e5d674cb202238c669bc77ef1ff4d
SSDEEP

3072:IKqYNVsbEv2JRKoPQ66HOczGVyQyDZ1xfAgL09MggICk7YzClS2:cbbEgVPQ6SOcqyQy919ho9MG5Wyh

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/856-8-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2124-14-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2124-83-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2812-87-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2124-202-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	df8361b0ac6c8f01dfd7f88504a0b877_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2124-1-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/856-8-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2124-14-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2124-83-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2812-86-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2812-87-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2124-202-0x0000000000400000-0x000000000046A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df8361b0ac6c8f01dfd7f88504a0b877_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df8361b0ac6c8f01dfd7f88504a0b877_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df8361b0ac6c8f01dfd7f88504a0b877_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 856	2124	df8361b0ac6c8f01dfd7f88504a0b877_JaffaCakes118.exe	28
PID 2124 wrote to memory of 856	2124	df8361b0ac6c8f01dfd7f88504a0b877_JaffaCakes118.exe	28
PID 2124 wrote to memory of 856	2124	df8361b0ac6c8f01dfd7f88504a0b877_JaffaCakes118.exe	28
PID 2124 wrote to memory of 856	2124	df8361b0ac6c8f01dfd7f88504a0b877_JaffaCakes118.exe	28
PID 2124 wrote to memory of 2812	2124	df8361b0ac6c8f01dfd7f88504a0b877_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2812	2124	df8361b0ac6c8f01dfd7f88504a0b877_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2812	2124	df8361b0ac6c8f01dfd7f88504a0b877_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2812	2124	df8361b0ac6c8f01dfd7f88504a0b877_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\df8361b0ac6c8f01dfd7f88504a0b877_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df8361b0ac6c8f01dfd7f88504a0b877_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\df8361b0ac6c8f01dfd7f88504a0b877_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\df8361b0ac6c8f01dfd7f88504a0b877_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:856
- C:\Users\Admin\AppData\Local\Temp\df8361b0ac6c8f01dfd7f88504a0b877_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\df8361b0ac6c8f01dfd7f88504a0b877_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E45C.E96

Filesize
600B

MD5
7bdf26430fe0391942f62fcb4c1a5411

SHA1
d41311183427b4c7c551c0673185b1e01782ab61

SHA256
c3a53586153c105ae3c6195ae1acbb99a47c144fa0b9c8eb6e3f588c638b2365

SHA512
6fe7241183a86e8601b8d42842fe642c365ea3f30a34963f7317acc1f2081759ae924b93f6ad650bc022c34b584e65ae637a57db482efd9f1373d871f9038911

Download Submit
C:\Users\Admin\AppData\Roaming\E45C.E96

Filesize
1KB

MD5
e2c56911d9afe8cb324b610df34e5cb8

SHA1
64d80b34fb10f18670ec18a1ec4e99d7e53e116c

SHA256
a2c3f13c63520e622e19bf4eae9b4e8f1f59e8092e45c5e565c984de4f705270

SHA512
3325c914691bf7eb3c9cb0db1eb824d94b04d14b89f8d047ee62735e1b7ef5187d1b243e4a3da807530f26e58af09c843202e2448c0911aa0c4adaa799c4f103

Download Submit
C:\Users\Admin\AppData\Roaming\E45C.E96

Filesize
996B

MD5
9e25e3f4a4fe866d99ce40ed360dc79f

SHA1
111116ea52525441dd97685c68797b2985fb8db6

SHA256
1be0e794e399a1a0c80578eb80776528ce2d28f2eb08647ccb0d8080c3ed274e

SHA512
2404cef96684f0fb7d8984422d9a84ebf2862cde627e5de90a0a1c7b67e331d06fbe794a9ea2d8dcd092c5a79bb62eb5683520b5f57fccaef4ad7f927d79e88d

Download Submit
memory/856-9-0x00000000005AB000-0x00000000005C8000-memory.dmp

Filesize
116KB

Download
memory/856-8-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2124-1-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2124-14-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2124-83-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2124-202-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2812-86-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2812-85-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2812-87-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads