cycbot | 37f3cdb5d0221a875a5f151e6f01c273b3e225d8886cad481c1d054a9680b924

General

Target

e53d5f6a8efc6e31d4f56b9d8841275f_JaffaCakes118.exe
Size

165KB
MD5

e53d5f6a8efc6e31d4f56b9d8841275f
SHA1

4cfe2dbd02182c160199ec84e5d6555102b8f246
SHA256

37f3cdb5d0221a875a5f151e6f01c273b3e225d8886cad481c1d054a9680b924
SHA512

db951769e3e135cc3b2aa661dd6cbe693ddffb691faa3fc63826782a79d5fcd4eb7a505260e26231205f03d90e3d6941c039fb34d6d9fdca89c66d920127a9b4
SSDEEP

3072:tXRVUWm/NO0z6Qm35ed/hc9rzuhGbpObz4BnKyD16VC5ina6DhXd6G2:tXvANWP8GwXiX6V

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2556-13-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2508-15-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2508-16-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/2424-140-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2508-141-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2508-291-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\42123\\AAF5E.exe"	e53d5f6a8efc6e31d4f56b9d8841275f_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2508-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2556-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2556-13-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2556-12-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2508-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2508-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2424-140-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2424-139-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2508-141-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2508-291-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e53d5f6a8efc6e31d4f56b9d8841275f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2556	2508	e53d5f6a8efc6e31d4f56b9d8841275f_JaffaCakes118.exe	30
PID 2508 wrote to memory of 2556	2508	e53d5f6a8efc6e31d4f56b9d8841275f_JaffaCakes118.exe	30
PID 2508 wrote to memory of 2556	2508	e53d5f6a8efc6e31d4f56b9d8841275f_JaffaCakes118.exe	30
PID 2508 wrote to memory of 2556	2508	e53d5f6a8efc6e31d4f56b9d8841275f_JaffaCakes118.exe	30
PID 2508 wrote to memory of 2424	2508	e53d5f6a8efc6e31d4f56b9d8841275f_JaffaCakes118.exe	33
PID 2508 wrote to memory of 2424	2508	e53d5f6a8efc6e31d4f56b9d8841275f_JaffaCakes118.exe	33
PID 2508 wrote to memory of 2424	2508	e53d5f6a8efc6e31d4f56b9d8841275f_JaffaCakes118.exe	33
PID 2508 wrote to memory of 2424	2508	e53d5f6a8efc6e31d4f56b9d8841275f_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\e53d5f6a8efc6e31d4f56b9d8841275f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e53d5f6a8efc6e31d4f56b9d8841275f_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Local\Temp\e53d5f6a8efc6e31d4f56b9d8841275f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e53d5f6a8efc6e31d4f56b9d8841275f_JaffaCakes118.exe startC:\Program Files (x86)\LP\5E14\424.exe%C:\Program Files (x86)\LP\5E14
  2⤵
  PID:2556
- C:\Users\Admin\AppData\Local\Temp\e53d5f6a8efc6e31d4f56b9d8841275f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e53d5f6a8efc6e31d4f56b9d8841275f_JaffaCakes118.exe startC:\Program Files (x86)\236FC\lvvm.exe%C:\Program Files (x86)\236FC
  2⤵
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\42123\36FC.212

Filesize
996B

MD5
a8d0cfde7ab4a061aa994ad2f6c64209

SHA1
a078517c759e465ad0d69819268a922933b2fe90

SHA256
aa8a12b23067158f1101148714a62a15e57b14605f7676bee2341df15ca7c572

SHA512
2cd739633f144314e63ca50ca8d3049a310f2184412cdd57f0ac0dd50e36eeaea90b187837d935308ba79f2a699f35fcd9251e58ad7e19d441288d9ed9a25ddf

Download Submit
C:\Users\Admin\AppData\Roaming\42123\36FC.212

Filesize
600B

MD5
d0268ff5d6f479de2e2f0348aa23f860

SHA1
9a4fa37be455fbe5007f0d50f7eb742d86c68aed

SHA256
6ce668cb764fae05e77d69099534fcbbad4954cae57fc1863772577c5c5570fe

SHA512
4e0783da0389f8704d7fbfe7b91628caa5e40edce54f8a0b7842ceaefe669db10ea4f4cb100f88eb9d915c8b5645e3f64a03b1e77813a8ee20575d991ac09301

Download Submit
C:\Users\Admin\AppData\Roaming\42123\36FC.212

Filesize
1KB

MD5
1e16f5dcc84d6efe720d9f737c473e31

SHA1
537350076e48d5ba88ae762369f29ec1d367d60b

SHA256
21b91907a874a2926f64c732ed21da1e6303023acd01e5219bed1d4906a674a9

SHA512
aeae9fb83aad2efcab3d464f365b4706c40a765ef13450174959b342f6b25261209666018a550b224bf923e45645df08cccd6a492c0d184ebe07c661e97635eb

Download Submit
memory/2424-139-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2424-140-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2424-137-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2508-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2508-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2508-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2508-141-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2508-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2508-291-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2556-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2556-13-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2556-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads