cycbot | ddb7ee610fb0013021643b1256bfe8912e9795e85f2d1333dc1d6479e165f322

General

Target

e50dc1e7b89c7d295e02fb8b694aa6f1_JaffaCakes118.exe
Size

202KB
MD5

e50dc1e7b89c7d295e02fb8b694aa6f1
SHA1

0599cd6977923bcb30c759feedb6bcb0c50f9267
SHA256

ddb7ee610fb0013021643b1256bfe8912e9795e85f2d1333dc1d6479e165f322
SHA512

41e5980f06a81526095bd083e3a6d4cb78cf43a387e36f58cdec261b4024bcf88842104a3d3fc3d0e17f477dbd62ee68bff5d95788495ff931b023acfdf88b80
SSDEEP

6144:vvQP4rdorivBNbKVWNRPIDEkkBSzez4YJ84iKlfE+crsZDHE8:HhrdoripJgWNRPIACyz4YCpKlfE+ciT

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2492-7-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/1852-15-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/1852-70-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/2680-74-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/1852-184-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	e50dc1e7b89c7d295e02fb8b694aa6f1_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1852-2-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2492-5-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2492-7-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1852-15-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1852-70-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2680-72-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2680-74-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1852-184-0x0000000000400000-0x000000000046E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e50dc1e7b89c7d295e02fb8b694aa6f1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e50dc1e7b89c7d295e02fb8b694aa6f1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e50dc1e7b89c7d295e02fb8b694aa6f1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 2492	1852	e50dc1e7b89c7d295e02fb8b694aa6f1_JaffaCakes118.exe	31
PID 1852 wrote to memory of 2492	1852	e50dc1e7b89c7d295e02fb8b694aa6f1_JaffaCakes118.exe	31
PID 1852 wrote to memory of 2492	1852	e50dc1e7b89c7d295e02fb8b694aa6f1_JaffaCakes118.exe	31
PID 1852 wrote to memory of 2492	1852	e50dc1e7b89c7d295e02fb8b694aa6f1_JaffaCakes118.exe	31
PID 1852 wrote to memory of 2680	1852	e50dc1e7b89c7d295e02fb8b694aa6f1_JaffaCakes118.exe	33
PID 1852 wrote to memory of 2680	1852	e50dc1e7b89c7d295e02fb8b694aa6f1_JaffaCakes118.exe	33
PID 1852 wrote to memory of 2680	1852	e50dc1e7b89c7d295e02fb8b694aa6f1_JaffaCakes118.exe	33
PID 1852 wrote to memory of 2680	1852	e50dc1e7b89c7d295e02fb8b694aa6f1_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\e50dc1e7b89c7d295e02fb8b694aa6f1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e50dc1e7b89c7d295e02fb8b694aa6f1_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Local\Temp\e50dc1e7b89c7d295e02fb8b694aa6f1_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e50dc1e7b89c7d295e02fb8b694aa6f1_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2492
- C:\Users\Admin\AppData\Local\Temp\e50dc1e7b89c7d295e02fb8b694aa6f1_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e50dc1e7b89c7d295e02fb8b694aa6f1_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7DDB.FDE

Filesize
1KB

MD5
3044f541114bf3db08a95f43269f7a7c

SHA1
95a273a735cf1a4d6e5a819e8dd0deec31c0be02

SHA256
25afe5b0f0b654e3b8e98f694108f8981f1d01ebfad3d365e96262cccd60c933

SHA512
471d1ab54d4c36bce0aa89676cca0c6cce71c3405b9cf924955717c1118c7a1b1a07d6c46d7fff17e32a5165c24ab4cbc73f149daa9fa4b96a97f833d1f7427c

Download Submit
C:\Users\Admin\AppData\Roaming\7DDB.FDE

Filesize
600B

MD5
eaae119cc09ad3e17e626f316e9558d7

SHA1
1d1968486f9f1980387db3ab7bfcaf8f9d1e1dd0

SHA256
45fdef702e1178e37a2af797caabd72525833f4c1ad32567e4a27bda0d7becb1

SHA512
6f12ae85e351d58b00bb3e23f343618b3580f14200232e596a356ba50ec3a20587b2c5741ae6715576834a2e75ec434888963e8b3cf5a929c01bafb32e8979bf

Download Submit
C:\Users\Admin\AppData\Roaming\7DDB.FDE

Filesize
996B

MD5
ca2fd2788816b771198a865545f0bf83

SHA1
0e8a1023c31d73eee4e454b57a675f54a1dacf7a

SHA256
54fda612ae63cc9a5f7445616bf84ac747575d55fbfd4241872d8b29de04a423

SHA512
db6e3c5e369809e32604cbf09943ab1f90fb9780ce3196acaa2452863558906f823a739fef017f3f42fc55774b4e9570e55238107962049430bf6c65ea05e1ff

Download Submit
memory/1852-1-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1852-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1852-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1852-70-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1852-184-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2492-5-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2492-7-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2680-72-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2680-74-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads