cycbot | 8a251398871531f740093271c792314bb8d9faaac016bc452b0fb49ba59a9a4b

General

Target

dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe
Size

174KB
MD5

dff3fb883bd41d208d344a1534c10972
SHA1

92fd3eeb533a414a83cef63fda56bc52c5ca1f48
SHA256

8a251398871531f740093271c792314bb8d9faaac016bc452b0fb49ba59a9a4b
SHA512

5b3bbc757266bcf57bc9bdc6e5cb502e47f059cfa1a5f58429a976b8d5151e56a1521c22c013f3f7d726b206df3583fb58e31bce7df84973656d1527bb1463b0
SSDEEP

3072:c65j3F+CNfYzPvvZ88gCH+S5/946iRBbs7qe756xNcvCupCkkYbJKog6NSLkVF1H:c+2zvZ8z43wRBbsGky7zsVF1IL+tWB

Score

10^/10

cycbot backdoor discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2884-14-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/2764-15-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2764-16-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/688-85-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/2764-86-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/2764-186-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/2764-189-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ADB.exe = "C:\\Program Files (x86)\\LP\\BBAB\\ADB.exe"	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2764-2-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2884-13-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2884-14-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2764-15-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2764-16-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/688-85-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2764-86-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2764-186-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2764-189-0x0000000000400000-0x0000000000452000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\LP\BBAB\ADB.exe	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe
File created	C:\Program Files (x86)\LP\BBAB\ADB.exe	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LP\BBAB\BA0C.tmp	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2764	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe
2764	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe
2764	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe
2764	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe
2764	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe
2764	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe
2764	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe
2764	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe
2764	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe
2764	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe
2764	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe
2764	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe
2764	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe
2764	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2492	explorer.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeRestorePrivilege	2832	msiexec.exe
Token: SeTakeOwnershipPrivilege	2832	msiexec.exe
Token: SeSecurityPrivilege	2832	msiexec.exe
Token: SeShutdownPrivilege	2492	explorer.exe
Token: SeShutdownPrivilege	2492	explorer.exe
Token: SeShutdownPrivilege	2492	explorer.exe
Token: SeShutdownPrivilege	2492	explorer.exe
Token: SeShutdownPrivilege	2492	explorer.exe
Token: SeShutdownPrivilege	2492	explorer.exe
Token: SeShutdownPrivilege	2492	explorer.exe
Token: SeShutdownPrivilege	2492	explorer.exe
Token: SeShutdownPrivilege	2492	explorer.exe
Token: SeShutdownPrivilege	2492	explorer.exe
Token: SeShutdownPrivilege	2492	explorer.exe
Token: SeShutdownPrivilege	2492	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2884	2764	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe	31
PID 2764 wrote to memory of 2884	2764	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe	31
PID 2764 wrote to memory of 2884	2764	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe	31
PID 2764 wrote to memory of 2884	2764	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe	31
PID 2764 wrote to memory of 688	2764	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe	33
PID 2764 wrote to memory of 688	2764	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe	33
PID 2764 wrote to memory of 688	2764	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe	33
PID 2764 wrote to memory of 688	2764	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe	33

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe"
1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2764
- C:\Users\Admin\AppData\Local\Temp\dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\BCDE9\222BB.exe%C:\Users\Admin\AppData\Roaming\BCDE9
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2884
- C:\Users\Admin\AppData\Local\Temp\dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\dff3fb883bd41d208d344a1534c10972_JaffaCakes118.exe startC:\Program Files (x86)\E9658\lvvm.exe%C:\Program Files (x86)\E9658
  2⤵
  - System Location Discovery: System Language Discovery
  PID:688

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

4

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\BCDE9\9658.CDE

Filesize
1KB

MD5
9834ec2ce1ca9931e0f4ddaa455226e1

SHA1
ded44c89acc7489c45fa6436147e0268ad414356

SHA256
864df480619d726e99eddd4d54fb3004d75590f3ed65022a5251bb17cd5e9114

SHA512
5dae3a6356a097e12607dc8fdfcf2d224274ef4e7e21af322e5862fe8e98c55dc102604be3a6f0c830a224a8995e98acb76e2f644f3fff7e73ec346078efac2c

Download Submit
C:\Users\Admin\AppData\Roaming\BCDE9\9658.CDE

Filesize
600B

MD5
12fba7bde053ac4596d70fb2883d3a09

SHA1
52695240d80a2d1149b56885166fe7e2233e7e91

SHA256
307d44e0333420bafd1d0573223cb000727575f2f580efe66f91ff84e8748f38

SHA512
8eb0ad35a07327d45a3ae037269f8cc1eec22c0add45ce795e8970615f25d395194cf30b1cf1e52f5a2d654f5729295faf9eb8ae9ee9f051fca10f86bcadac2b

Download Submit
C:\Users\Admin\AppData\Roaming\BCDE9\9658.CDE

Filesize
996B

MD5
222b1ea02993d3c31a006b50d3ada73f

SHA1
8a574368dfb66369f0976a504ea166c099d02e9d

SHA256
e81b125305def90884860362e3717f45082987d403a83cfbeae573c1d603b466

SHA512
f14249ca154a3830619886d9704dcc9e64942bf0dbd46f1d4dfb5398e2c5e67ab3cdfd4f4a5a1f3dbe57f6a99b37a15de4ddaea0a0d279c79bc29a2292835411

Download Submit
memory/688-85-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2764-86-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2764-15-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2764-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2764-1-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2764-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2764-186-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2764-189-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2884-14-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2884-12-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2884-13-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads