cycbot | 4011693ae2f420ea3775f4382304d5938a44cb3400bee4ee964decf2177d9755

General

Target

e4078f024216d42ffb2cf93253d1e269_JaffaCakes118.exe
Size

202KB
MD5

e4078f024216d42ffb2cf93253d1e269
SHA1

388d33df212372db1baefe5dcd8a2952fbe2bfd5
SHA256

4011693ae2f420ea3775f4382304d5938a44cb3400bee4ee964decf2177d9755
SHA512

5e0b5ac29d8d6535cc355d24ca9ff30779e5d59321a02f180b62770e15429333e9296e90fd1184bede465b39b044c3d180dc34bbd899407d6557a5a828ab9a42
SSDEEP

3072:VbOCtDy04LH1tMYBhsYWc/iCah6R29Tjo4vEywZSQr6hlR9Zl2VMjdMYt8ssD3:pOUT4JngYWbCap9TjoohS3ejdPt8ss

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1736-8-0x0000000000400000-0x000000000048C000-memory.dmp	family_cycbot
behavioral1/memory/2308-16-0x0000000000400000-0x000000000048C000-memory.dmp	family_cycbot
behavioral1/memory/3012-78-0x0000000000400000-0x000000000048C000-memory.dmp	family_cycbot
behavioral1/memory/3012-77-0x0000000000400000-0x000000000048C000-memory.dmp	family_cycbot
behavioral1/memory/2308-79-0x0000000000400000-0x000000000048C000-memory.dmp	family_cycbot
behavioral1/memory/2308-183-0x0000000000400000-0x000000000048C000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	e4078f024216d42ffb2cf93253d1e269_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2308-2-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/1736-6-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/1736-8-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/1736-5-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2308-16-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/3012-78-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/3012-77-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2308-79-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2308-183-0x0000000000400000-0x000000000048C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4078f024216d42ffb2cf93253d1e269_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4078f024216d42ffb2cf93253d1e269_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4078f024216d42ffb2cf93253d1e269_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1736	2308	e4078f024216d42ffb2cf93253d1e269_JaffaCakes118.exe	31
PID 2308 wrote to memory of 1736	2308	e4078f024216d42ffb2cf93253d1e269_JaffaCakes118.exe	31
PID 2308 wrote to memory of 1736	2308	e4078f024216d42ffb2cf93253d1e269_JaffaCakes118.exe	31
PID 2308 wrote to memory of 1736	2308	e4078f024216d42ffb2cf93253d1e269_JaffaCakes118.exe	31
PID 2308 wrote to memory of 3012	2308	e4078f024216d42ffb2cf93253d1e269_JaffaCakes118.exe	33
PID 2308 wrote to memory of 3012	2308	e4078f024216d42ffb2cf93253d1e269_JaffaCakes118.exe	33
PID 2308 wrote to memory of 3012	2308	e4078f024216d42ffb2cf93253d1e269_JaffaCakes118.exe	33
PID 2308 wrote to memory of 3012	2308	e4078f024216d42ffb2cf93253d1e269_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\e4078f024216d42ffb2cf93253d1e269_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e4078f024216d42ffb2cf93253d1e269_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\e4078f024216d42ffb2cf93253d1e269_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e4078f024216d42ffb2cf93253d1e269_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1736
- C:\Users\Admin\AppData\Local\Temp\e4078f024216d42ffb2cf93253d1e269_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e4078f024216d42ffb2cf93253d1e269_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C2A6.BFB

Filesize
1KB

MD5
ac8ae23485802296d6cc37dd3eb2b8ff

SHA1
509dbfb8af2760ee046d384bcf416c671b2aa696

SHA256
8c1a365a2c1e8fcf7f60a35ae81aa78e6609f10295304fd97042567999137ffb

SHA512
df4e02af8ec3eb2f8bf9f15304b7ee3468253518c45f6a5fe4bb865bbc6e5212c2a37bad7231e4ea2e7522f282f34b5d639be576c4cbbb43da26aa504c3d5b5e

Download Submit
C:\Users\Admin\AppData\Roaming\C2A6.BFB

Filesize
600B

MD5
ecf6e556e5c85f895bcc3917e7315849

SHA1
4e143d5cd24d96f22c5a950bdadfa72d6a9baca1

SHA256
0d0d721d67868d79c1a70c28ccc1f75a880278ee4eecc910a4fa72935b6277a9

SHA512
d9443982a2f8b5724dc440c0699a5b36a24b941f7c71ceb831c81fd08440c760f05f3eda04dffc61a8691efe32238e1f45107b6c21a1bc3cf9aa7003dce341eb

Download Submit
C:\Users\Admin\AppData\Roaming\C2A6.BFB

Filesize
996B

MD5
69adc9694111500f939b69d094f5334f

SHA1
12d2ec5b6a0b9452489313880b1f928ca26f167b

SHA256
6878b96a2503eb4bb408b57d2d7911bc0de2a206365dde47257dc613d75779b3

SHA512
7d309504cb8fa48203afbcc6e3548bdb1e7ba81c03759b72d1c7d9d98fff2457f4dae5fbf4bdc9923191b34ed6d3982bca062da686fea7a5a82b26cef81579dc

Download Submit
memory/1736-8-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1736-5-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1736-6-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2308-16-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2308-2-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2308-79-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2308-1-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2308-183-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3012-78-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3012-77-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads