cycbot | 5c84ea53ca85a16d74601cdee6d7b3943f9d10ea8262a9078f7bd0ddc38d3540

General

Target

e47cb440b43181cb694bc1ebb22d922d_JaffaCakes118.exe
Size

176KB
MD5

e47cb440b43181cb694bc1ebb22d922d
SHA1

1ca90c03c9060b73e74f3469d859db89819eec7c
SHA256

5c84ea53ca85a16d74601cdee6d7b3943f9d10ea8262a9078f7bd0ddc38d3540
SHA512

877d21f34de7c82210df6cde2b08cce7e4547ae94baffe7f75959cc033475393743d82b516671d8d589faff58af376de82347db3270b3bfb5979d06efae77424
SSDEEP

3072:KxCrVBXL/RVGnMVzIUA0YNue4TrKAfH8jzzKGT0kcIsnWiP4MUm2:1pQszJCNue4HZfH8jPrbuWiP4G2

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2316-13-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2316-14-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2508-15-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2508-69-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2612-71-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2612-72-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2508-146-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\conhost.exe"	e47cb440b43181cb694bc1ebb22d922d_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2508-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2316-13-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2316-12-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2316-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2508-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2508-69-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2612-71-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2612-72-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2508-146-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e47cb440b43181cb694bc1ebb22d922d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e47cb440b43181cb694bc1ebb22d922d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e47cb440b43181cb694bc1ebb22d922d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2316	2508	e47cb440b43181cb694bc1ebb22d922d_JaffaCakes118.exe	30
PID 2508 wrote to memory of 2316	2508	e47cb440b43181cb694bc1ebb22d922d_JaffaCakes118.exe	30
PID 2508 wrote to memory of 2316	2508	e47cb440b43181cb694bc1ebb22d922d_JaffaCakes118.exe	30
PID 2508 wrote to memory of 2316	2508	e47cb440b43181cb694bc1ebb22d922d_JaffaCakes118.exe	30
PID 2508 wrote to memory of 2612	2508	e47cb440b43181cb694bc1ebb22d922d_JaffaCakes118.exe	33
PID 2508 wrote to memory of 2612	2508	e47cb440b43181cb694bc1ebb22d922d_JaffaCakes118.exe	33
PID 2508 wrote to memory of 2612	2508	e47cb440b43181cb694bc1ebb22d922d_JaffaCakes118.exe	33
PID 2508 wrote to memory of 2612	2508	e47cb440b43181cb694bc1ebb22d922d_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\e47cb440b43181cb694bc1ebb22d922d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e47cb440b43181cb694bc1ebb22d922d_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Local\Temp\e47cb440b43181cb694bc1ebb22d922d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e47cb440b43181cb694bc1ebb22d922d_JaffaCakes118.exe startC:\Program Files (x86)\Internet Explorer\lvvm.exe%C:\Program Files (x86)\Internet Explorer
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2316
- C:\Users\Admin\AppData\Local\Temp\e47cb440b43181cb694bc1ebb22d922d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e47cb440b43181cb694bc1ebb22d922d_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\dwm.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C148.7C4

Filesize
1KB

MD5
8cc3e5d65fd0fc3a47ac61186a29f9c6

SHA1
fbf79893cbf89b7a82e380632e64313c67d76b77

SHA256
945d29115c862c933d6c2209c5cfcea22cc17881cbbe623d06801a7141766140

SHA512
b96322ea9a166790e38f909ce58f6dea2ba54ffbd50aaac8a9136b09bd76ee00f75d665c90dd28011293d0044709259f3d84ce8f5644aee898f3a3e05b8a65a6

Download Submit
C:\Users\Admin\AppData\Roaming\C148.7C4

Filesize
600B

MD5
18553d4b094316986c2ae3260971e8ed

SHA1
44c869b8c4eb7d089b5153002140c6b46e1860c1

SHA256
5aa0cfe41583d854e0078378dde5abd88c2274f823a80a4154ff849e9c2061a7

SHA512
502c3a24e4162f9cc3fd9356ec5bd48d0bd409ae2d159e94873f2178fe376bc5aff08e19fb0dc7f12fa6997ecba1827b6e4291b07a8d1fbe4d0e343ca3ce3dda

Download Submit
C:\Users\Admin\AppData\Roaming\C148.7C4

Filesize
996B

MD5
e55c63dacedbb3cbd6e10f30c5fa1c5c

SHA1
b613983af6fff34d9fadc77a1710865ab73349ca

SHA256
b000f22d8b25c3a15bcd70bd6127ab7640de6cea2477350337219fac197b6743

SHA512
258ff7158fc00441c59440290d00f453b413d6742d69dcb451005f2fa6ca19e861997cc22d62aa2ec296746726ba68ebd28ddaf1bc6245e7e415d131660d1ac9

Download Submit
memory/2316-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2316-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2316-13-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2508-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2508-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2508-69-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2508-1-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2508-146-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2612-71-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2612-72-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads