cycbot | a7d2335f5ae0c8d56b61a575f63d67adf75531b612f79159fe1ab188f6c95305

General

Target

e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe
Size

185KB
MD5

e755860f7cecd6e6d29b4d05a9d57850
SHA1

1c763d478a8e15dde9b14df33b572c1e8e73c6c3
SHA256

a7d2335f5ae0c8d56b61a575f63d67adf75531b612f79159fe1ab188f6c95305
SHA512

bc129288c4f80da85ca4617789717c713e761ed106e40d90420d88bb5f5a58d48221373e916bffd5dd8f50c26ce093cc21c20e036512066b9584a9e1aec30766
SSDEEP

3072:pLNmKrY2wW7KultckLEael5a00ciGS6725W8ZRfCdzvFVK6/U8WRG5OXc:x1rN37KYtc1Nl5aYMi20SCNvn/iRAO

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2544-15-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2544-14-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2536-20-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2544-21-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2536-86-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/980-90-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2536-204-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2536-2-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2544-15-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2544-14-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2536-20-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2544-21-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2536-86-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/980-88-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/980-90-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2536-204-0x0000000000400000-0x000000000046C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2544	2536	e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2544	2536	e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2544	2536	e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2544	2536	e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe	30
PID 2536 wrote to memory of 980	2536	e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe	32
PID 2536 wrote to memory of 980	2536	e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe	32
PID 2536 wrote to memory of 980	2536	e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe	32
PID 2536 wrote to memory of 980	2536	e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e755860f7cecd6e6d29b4d05a9d57850_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AF99.5FC

Filesize
597B

MD5
4e081d0820b3aa56ba2f13da89c9b62e

SHA1
944ffb9d0d2e1bbe2eecfe7877d01f8836445ea1

SHA256
a92542ca90c854db2269f7405fa2a6259acfb66411fbd3019a3cf94b8c3d5315

SHA512
fb6d010dcdc9f597fb36d04fd1923a8a83dd823675f28435c222a5099317a9e46408d49048f71170e989b06e8e647faf20ec53bb016dd3500def02a3f67ecc6b

Download Submit
C:\Users\Admin\AppData\Roaming\AF99.5FC

Filesize
1KB

MD5
23728069a5eb563602ef987cbfa4131a

SHA1
ecf9e26edf82d2e41e8a1ab421ca0372c22db60e

SHA256
5bce2b18cc7c15e566fdb3e87c84a042088bc968a31236e8cc86d59fb635032e

SHA512
1efbb4591fa79fec1706c65c1888b5a7474eab8e2e077b0485ee49b382a8e38311e5a405b6c091a9c8d2c7db69c19b98f56a68e6ccdca82d24ea6bb8f5f8711c

Download Submit
C:\Users\Admin\AppData\Roaming\AF99.5FC

Filesize
897B

MD5
f2da458d2f54d0da3269e197321cd160

SHA1
2a35ea05330f1522774e185afba2dbeb59ea6fd9

SHA256
15a40fd367da0f817f306fb1521842505ddb7b6072a5a57f90ebe395b7949958

SHA512
6c9e7bfc9fb0188817a74ad641a48f0b29694b5bb860eb1a47eba3d42e30f508596f463b7541ff73c0514b18cc6d1837255f7e52523f4ffbacaba010510c3b3a

Download Submit
C:\Users\Admin\AppData\Roaming\AF99.5FC

Filesize
1KB

MD5
5b19f1d7fca019f08f9335fabf51b174

SHA1
d13bd5b31e16e3feaceeab12c8e7050218b7cab6

SHA256
fc337e35340b41df0364552d0bbac56f1ed63af41b5df770f3bb6c2cc0f12be2

SHA512
7bad84e69e552f5b2cf3eff90900666467601078e1590e2bcb1f3a9d2afe7046fb9d993096a01afb1823755ae74b7d823e31f48b1ba15449eb4f2df63b1067ff

Download Submit
memory/980-88-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/980-90-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2536-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2536-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2536-204-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2536-20-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2536-86-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2544-15-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2544-21-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2544-14-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads