cycbot | 192b3c07d7331b338bc400ca0b8c12dfea74fed83363992a801e6d0e1654884a

General

Target

ee314beed37dd444c4a6b1c5f6de4487_JaffaCakes118.exe
Size

169KB
MD5

ee314beed37dd444c4a6b1c5f6de4487
SHA1

17787582760b4522cc92ac218df3c3774a5b38cc
SHA256

192b3c07d7331b338bc400ca0b8c12dfea74fed83363992a801e6d0e1654884a
SHA512

3d6ae0cf2ba47e9d7b40a5ebc2df1f0394094ce1906875365978e16f885fbb1a18e6ad018b380b08bc47636677a8b311f74ebf1f50aa87cf662862bb5038d64a
SSDEEP

3072:ZYGy9/koA4KzZRZtDb6n7MckPJHgqH9OZxG8YT1jKbvwuCXhgbGtV4tNIHlol49b:WGyNkhfHDEGxgrxpYTNLGtNIul49qSMQ

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2100-3-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2896-14-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2100-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2100-16-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/2404-80-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2100-81-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2100-181-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\F1B89\\15105.exe"	ee314beed37dd444c4a6b1c5f6de4487_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2100-3-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2896-13-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2896-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2100-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2100-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2404-79-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2404-80-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2100-81-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2100-181-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee314beed37dd444c4a6b1c5f6de4487_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee314beed37dd444c4a6b1c5f6de4487_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee314beed37dd444c4a6b1c5f6de4487_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2896	2100	ee314beed37dd444c4a6b1c5f6de4487_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2896	2100	ee314beed37dd444c4a6b1c5f6de4487_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2896	2100	ee314beed37dd444c4a6b1c5f6de4487_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2896	2100	ee314beed37dd444c4a6b1c5f6de4487_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2404	2100	ee314beed37dd444c4a6b1c5f6de4487_JaffaCakes118.exe	32
PID 2100 wrote to memory of 2404	2100	ee314beed37dd444c4a6b1c5f6de4487_JaffaCakes118.exe	32
PID 2100 wrote to memory of 2404	2100	ee314beed37dd444c4a6b1c5f6de4487_JaffaCakes118.exe	32
PID 2100 wrote to memory of 2404	2100	ee314beed37dd444c4a6b1c5f6de4487_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\ee314beed37dd444c4a6b1c5f6de4487_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee314beed37dd444c4a6b1c5f6de4487_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\ee314beed37dd444c4a6b1c5f6de4487_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ee314beed37dd444c4a6b1c5f6de4487_JaffaCakes118.exe startC:\Program Files (x86)\LP\053F\73C.exe%C:\Program Files (x86)\LP\053F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2896
- C:\Users\Admin\AppData\Local\Temp\ee314beed37dd444c4a6b1c5f6de4487_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ee314beed37dd444c4a6b1c5f6de4487_JaffaCakes118.exe startC:\Program Files (x86)\89F9B\lvvm.exe%C:\Program Files (x86)\89F9B
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F1B89\9F9B.1B8

Filesize
1KB

MD5
dac408d2a56157ceb232791b73db9075

SHA1
e4a23f0c8956dd545ecb2e31db75a5f856fe0802

SHA256
0fceb80cc52477cdff6cab10e4d75e4d581e4fe60f0442cdfeea19d1609a20ec

SHA512
850322947554135fece00792948e7362fcbdea960c4c5a257be5ca27d96f46211684645c6c4d2fc08f00b0b73d022f99379b94fe80dcab0cb139b2753cf3f873

Download Submit
C:\Users\Admin\AppData\Roaming\F1B89\9F9B.1B8

Filesize
600B

MD5
52fb6928134a2f58c1646dc5e55870f4

SHA1
bc5f378129d0f75f84c6dca39c6a374723c241ca

SHA256
ff9d7f0d27e03457281c3670271fdca4ead7228ef4bbcec7a8e457cc5c3a49f6

SHA512
1858384b6626ceca158c89d9d3a61d4b8fa4cf6cb21cc6f693809eb292ee4f004ba6caeb16c2423774100f0cad11e3f79a08f36f3f2913e339de7d26d5c75e86

Download Submit
C:\Users\Admin\AppData\Roaming\F1B89\9F9B.1B8

Filesize
996B

MD5
e67dafb34160e846e2efcf0822ca94b7

SHA1
e8ed45d005dfb4669a975ff7f7b26db9f4cf3ef2

SHA256
731b5f9eb8900fa96b6e6e1c1f031038a8a319d1a937a017c18e8702a2ca2a14

SHA512
2f9c1425a088201a54d6f2b348a9a1111164043e374b8819e3dce50b00b72a31e48fa31937a813790457203ebf89effa1140bca7b100176acfe0a9022e059273

Download Submit
memory/2100-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2100-3-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2100-181-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2100-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2100-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2100-81-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2404-80-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2404-79-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2896-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2896-13-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2896-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads