cycbot | ab1bc691bfbe5f8bb76938bcf024678dc8505dcd4c0cc811d6db5eb0f5174537

General

Target

e767c8cc82455adeb3449c6f4b52eecf_JaffaCakes118.exe
Size

176KB
MD5

e767c8cc82455adeb3449c6f4b52eecf
SHA1

96ae33d589e81d7732bddd480165712e593619a6
SHA256

ab1bc691bfbe5f8bb76938bcf024678dc8505dcd4c0cc811d6db5eb0f5174537
SHA512

914192a5c92c1aac13d3e726ba7c512dc8cd8f34b98809b1d56ada8382f3e39219cd043404472e02e98ceb590d3a0456d76c051edaa19e9cf0e15f6e23f4398a
SSDEEP

3072:ZyMyARFdjQh68vOj+OdgHzMC5oWQWqGbItt7QPL+aD1L4K:ZyMy68Q+OdqZoWzbktJQzXD1kK

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/3024-8-0x0000000000400000-0x0000000000485000-memory.dmp	family_cycbot
behavioral1/memory/3020-15-0x0000000000400000-0x0000000000485000-memory.dmp	family_cycbot
behavioral1/memory/3020-16-0x0000000000400000-0x0000000000485000-memory.dmp	family_cycbot
behavioral1/memory/1244-79-0x0000000000400000-0x0000000000485000-memory.dmp	family_cycbot
behavioral1/memory/3020-80-0x0000000000400000-0x0000000000485000-memory.dmp	family_cycbot
behavioral1/memory/3020-175-0x0000000000400000-0x0000000000485000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	e767c8cc82455adeb3449c6f4b52eecf_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3020-2-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/3024-5-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/3024-8-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/3024-6-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/3020-15-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/3020-16-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/1244-78-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/1244-79-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/3020-80-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/3020-175-0x0000000000400000-0x0000000000485000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e767c8cc82455adeb3449c6f4b52eecf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e767c8cc82455adeb3449c6f4b52eecf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e767c8cc82455adeb3449c6f4b52eecf_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 3024	3020	e767c8cc82455adeb3449c6f4b52eecf_JaffaCakes118.exe	30
PID 3020 wrote to memory of 3024	3020	e767c8cc82455adeb3449c6f4b52eecf_JaffaCakes118.exe	30
PID 3020 wrote to memory of 3024	3020	e767c8cc82455adeb3449c6f4b52eecf_JaffaCakes118.exe	30
PID 3020 wrote to memory of 3024	3020	e767c8cc82455adeb3449c6f4b52eecf_JaffaCakes118.exe	30
PID 3020 wrote to memory of 1244	3020	e767c8cc82455adeb3449c6f4b52eecf_JaffaCakes118.exe	33
PID 3020 wrote to memory of 1244	3020	e767c8cc82455adeb3449c6f4b52eecf_JaffaCakes118.exe	33
PID 3020 wrote to memory of 1244	3020	e767c8cc82455adeb3449c6f4b52eecf_JaffaCakes118.exe	33
PID 3020 wrote to memory of 1244	3020	e767c8cc82455adeb3449c6f4b52eecf_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\e767c8cc82455adeb3449c6f4b52eecf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e767c8cc82455adeb3449c6f4b52eecf_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\e767c8cc82455adeb3449c6f4b52eecf_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e767c8cc82455adeb3449c6f4b52eecf_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3024
- C:\Users\Admin\AppData\Local\Temp\e767c8cc82455adeb3449c6f4b52eecf_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e767c8cc82455adeb3449c6f4b52eecf_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B240.845

Filesize
1KB

MD5
b8825aefab0d8d233c384b5996f42c72

SHA1
3a1592638ced9242b680351d6547ed8117176318

SHA256
568f12c29f47c12fe442f8530873478b6f9dc9fbb1168fee382146142cf96709

SHA512
24c6552d44fba4a3c4ee915e7daf5782bc7024ace8f85029efed744ad68d9a8be669b259552aa2dc55d8403dd8fe3c36891392bc29f9ca21ae0162f8a768e443

Download Submit
C:\Users\Admin\AppData\Roaming\B240.845

Filesize
600B

MD5
65f47fa78ed54eb80830a7fd79360f1d

SHA1
d595d131b3e6407ac949c01b80f2d2cf02bebf08

SHA256
a215a77cb720ed101f00d9d6552131319ca03bd259d06d771ca18c04c87fea7e

SHA512
f7f70e818c4f15ae6153f1de7f8187dfd23c35c522e927bbb190c198988e5cc4cdd863f3f1ad7f939ee4fb732236bc12b90ee391ed219b2d30d22b33900bdb85

Download Submit
C:\Users\Admin\AppData\Roaming\B240.845

Filesize
996B

MD5
9d710fa918b5b854b2604c939925c92a

SHA1
dcc31f56a996c55dfeb9922d4f497b8aa973194a

SHA256
0813a761b7657683c60f4c9ea275463be215cc5db71a077692392266f7a577a2

SHA512
948c43bce1a3673c353db2dff1e6d71656f17f5cdeeae3eacdf6891b76108bfa9116c3a7abd224ada1566f3f42f4630eced5e6143594a2f54a3385b752a02094

Download Submit
memory/1244-79-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1244-78-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3020-16-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3020-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3020-15-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3020-80-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3020-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3020-175-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3024-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3024-8-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3024-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads