cycbot | 2f19a6bdb0d94422a7b0d3ef587cec244fb537c147eb28ea5c891cd763af0c80

General

Target

f1427f067f387dbfbc1e5f12b39a017f_JaffaCakes118.exe
Size

167KB
MD5

f1427f067f387dbfbc1e5f12b39a017f
SHA1

47f08cd4604b99ebb73344358a38989ea1984ec9
SHA256

2f19a6bdb0d94422a7b0d3ef587cec244fb537c147eb28ea5c891cd763af0c80
SHA512

0155f6c14fbbc6344ad3381d262284ba959f196062d7f94e1f10e9a89eff67b48c00402061659506fb0db2c246c2121750b95d5e4a386effd1cf6a4fefd48690
SSDEEP

3072:cdEg6SIBWURMoMEPF4BUAB0fl/J7Xe1nZwZxGZYUJLtZSpO:uEgCMoMoqUG0fZ1OJZEGDVtZSpO

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2696-8-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2696-6-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2692-16-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2692-75-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2060-79-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2060-78-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2692-188-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	f1427f067f387dbfbc1e5f12b39a017f_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2692-2-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2696-5-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2696-8-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2696-6-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2692-16-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2692-75-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2060-79-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2060-78-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2692-188-0x0000000000400000-0x000000000048A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1427f067f387dbfbc1e5f12b39a017f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1427f067f387dbfbc1e5f12b39a017f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1427f067f387dbfbc1e5f12b39a017f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2696	2692	f1427f067f387dbfbc1e5f12b39a017f_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2696	2692	f1427f067f387dbfbc1e5f12b39a017f_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2696	2692	f1427f067f387dbfbc1e5f12b39a017f_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2696	2692	f1427f067f387dbfbc1e5f12b39a017f_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2060	2692	f1427f067f387dbfbc1e5f12b39a017f_JaffaCakes118.exe	33
PID 2692 wrote to memory of 2060	2692	f1427f067f387dbfbc1e5f12b39a017f_JaffaCakes118.exe	33
PID 2692 wrote to memory of 2060	2692	f1427f067f387dbfbc1e5f12b39a017f_JaffaCakes118.exe	33
PID 2692 wrote to memory of 2060	2692	f1427f067f387dbfbc1e5f12b39a017f_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\f1427f067f387dbfbc1e5f12b39a017f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f1427f067f387dbfbc1e5f12b39a017f_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Local\Temp\f1427f067f387dbfbc1e5f12b39a017f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f1427f067f387dbfbc1e5f12b39a017f_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2696
- C:\Users\Admin\AppData\Local\Temp\f1427f067f387dbfbc1e5f12b39a017f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f1427f067f387dbfbc1e5f12b39a017f_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5ADD.562

Filesize
1KB

MD5
9a62b335a8dd921a67537c3e2af1de03

SHA1
97896e7c17e183efdf9ac068ff56d599e470133f

SHA256
3f55bfa3eb76838e3ce029cc32a2fddbba09bfa73ee5062a933fdc0fda398d83

SHA512
d0be700283051283fc4a21e5bf0867311dc3d1f333e6bdf0afe1039f07826de9da735861352809a09d5690a41458a3ad186857ffd912f893c1bf08a537c2ee26

Download Submit
C:\Users\Admin\AppData\Roaming\5ADD.562

Filesize
1KB

MD5
291552181ea210ab1687d0ca3c8e0fd2

SHA1
96c92102b563eeabfab709ab40c0c73a7aa21a7b

SHA256
91d3f9872cef4d6ebeaf445d83e85f58da40dba5256bef32dec81174b31cde8c

SHA512
ca3f42252df4764cc48a39f08c5f84384f6c1ef2d990657e176212103375ca2211c352da165ea75af5d15fe8b5c773e44bb598dbadb8de77025400d51343e56a

Download Submit
C:\Users\Admin\AppData\Roaming\5ADD.562

Filesize
600B

MD5
7df899c6532b09f191229584f7ac39a4

SHA1
c2b3a3878acc6ab574e4fd5f27d451d6012b8c8a

SHA256
37d2a1a7b547b68df95638b6cc2072c1b86d68b941bda37c6466df62abaf851b

SHA512
e969b9f0b287a54de33a913d62b4e08eb2a04e0a5d38aea90978137c0e68adf15478389c46ef4d51797be291b15c7624bd9f214ea27f5aedcb226d9816fa3c82

Download Submit
C:\Users\Admin\AppData\Roaming\5ADD.562

Filesize
996B

MD5
b013e01f1703c7e38bd0ae70438b9e40

SHA1
4a6c7b5948a174b38b1437336e045048c2e3e87b

SHA256
9b8f77ef10df2ee16ff3c7f986f3f0d35bd446de9546ae08dd9e2805f97fe568

SHA512
c157080f8488ee2d857d5d2bbc224ddbff06e0121d75c01fbee062c8ef18c35ba8d1999a9c080cc69ca4fa497d92557e608cf790c567e0991f0b0bc2efe68114

Download Submit
memory/2060-78-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2060-79-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2060-77-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2692-16-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2692-75-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2692-1-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2692-2-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2692-188-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2696-6-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2696-8-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2696-5-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads