cycbot | 2645b0cd0c35f48bbd041f9ff421082a39c5b6ab476aedc5b567fa81b18756ed

General

Target

e95d073aff907081e40e70a50dcc1f94_JaffaCakes118.exe
Size

181KB
MD5

e95d073aff907081e40e70a50dcc1f94
SHA1

79241ada685fd1b3839822402ab787f66eba8943
SHA256

2645b0cd0c35f48bbd041f9ff421082a39c5b6ab476aedc5b567fa81b18756ed
SHA512

18f3928718d7ae3285e982b137a0df87d7e3b4f084f8063e81c7cda3e7c3a6c6da4280dd68d34c3e987cb5fb13f6a5edd4d5e97dd57dffe416f6b522a2ff67a3
SSDEEP

3072:7mAJJqsaaHD1wt6iOB2HQK6Lc0G2GQycOAi5rlv/vvoHMN5cGLJE:aAis3wg2SLWBcOA05v/vveajL

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2832-15-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2832-14-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2688-16-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2688-77-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2924-81-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2924-80-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2688-184-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	e95d073aff907081e40e70a50dcc1f94_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2688-2-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2832-12-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2832-15-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2832-14-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2688-16-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2688-77-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2924-81-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2924-80-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2688-184-0x0000000000400000-0x000000000048D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e95d073aff907081e40e70a50dcc1f94_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e95d073aff907081e40e70a50dcc1f94_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e95d073aff907081e40e70a50dcc1f94_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2832	2688	e95d073aff907081e40e70a50dcc1f94_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2832	2688	e95d073aff907081e40e70a50dcc1f94_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2832	2688	e95d073aff907081e40e70a50dcc1f94_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2832	2688	e95d073aff907081e40e70a50dcc1f94_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2924	2688	e95d073aff907081e40e70a50dcc1f94_JaffaCakes118.exe	33
PID 2688 wrote to memory of 2924	2688	e95d073aff907081e40e70a50dcc1f94_JaffaCakes118.exe	33
PID 2688 wrote to memory of 2924	2688	e95d073aff907081e40e70a50dcc1f94_JaffaCakes118.exe	33
PID 2688 wrote to memory of 2924	2688	e95d073aff907081e40e70a50dcc1f94_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\e95d073aff907081e40e70a50dcc1f94_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e95d073aff907081e40e70a50dcc1f94_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\e95d073aff907081e40e70a50dcc1f94_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e95d073aff907081e40e70a50dcc1f94_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\e95d073aff907081e40e70a50dcc1f94_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e95d073aff907081e40e70a50dcc1f94_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\38B5.019

Filesize
1KB

MD5
0e09dc756cd1df9ecaf38b64fb8ba51a

SHA1
47279696ad07f05bd79fd905617b1a577d518d55

SHA256
d8f984e3f55d55cfbfb5f0e4a18a05645745451db49d9ff447f8180eb239cd63

SHA512
b364c93ed95447d37705b3511ed0256ef3c6d49ffcb495c28ae8fa72f6d3e735f90b9c6f3aeb9c770049a32b46e4314ef18c3373e3f00758abb5e6adcaecb0e2

Download Submit
C:\Users\Admin\AppData\Roaming\38B5.019

Filesize
1KB

MD5
26e036e53be67395059f528fc71f34ab

SHA1
cac32e16ed270f72671f3286f1b9d5fc239d6842

SHA256
ce9810e0e6641889784177d03c66d494cf279bcdb30283149e28d2f0151c2358

SHA512
ebe64ec9b409093b6b4a2b7721071228ae5b87575673ec4a347aae6dcfbf6aba47acd7297676b91e5349e51358fb53e3efa84ba277625f967a31b6b03cf6e79a

Download Submit
C:\Users\Admin\AppData\Roaming\38B5.019

Filesize
600B

MD5
75f7311d16d0e17bf427871b7cba1a73

SHA1
7b18a8213bf04efcca17956f62bdfc34172d6944

SHA256
8310e320cc5e8db9600b897f0bc59f7edc9e72f7db9fd761edcb4b5c264dda9c

SHA512
cbde02e92158da9759a2cb79d50abc69204c3c166c381cbd415b491c0936661f26f7bd47f8de1011c9653b61fa07ae9a44501d9d835070b91b9e224ab0800148

Download Submit
C:\Users\Admin\AppData\Roaming\38B5.019

Filesize
996B

MD5
53e410538c156cc24b095565a04d50ee

SHA1
0659abcd7e24af0ec67177858a18e0c31b0458b6

SHA256
47e5b5880c2e9d734298c57166c46a6033731edabad503ba7876d6167909e972

SHA512
d2db9c26c1bec28c29c50b942e9607baa5421e5c8406b8dd084ff94126e1fdac429333a96f58500da5171ae6c6d5e4809527eba7ab2a7281eef14472de303ed0

Download Submit
memory/2688-2-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2688-184-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2688-1-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2688-16-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2688-77-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2832-15-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2832-14-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2832-12-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2924-80-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2924-81-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads