cycbot | 7af75b257f5bc4f4324c0dfd66b00d151b49e1e167903439f15022fc09fcbb9e

General

Target

ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe
Size

171KB
MD5

ef284bd39e5166fbd51daa027494a3b7
SHA1

6e7be07b1bd64eea4c66e6599fca7a34b911b2fa
SHA256

7af75b257f5bc4f4324c0dfd66b00d151b49e1e167903439f15022fc09fcbb9e
SHA512

60a50d7c74ec86bce86fe3598f02b4b4e7069b5a2e0a5f0ded6a64573f18daa5f6e64a263003d6884807182ef72b352ef180fc5cc4758bd00936b7ee65a1c1ec
SSDEEP

3072:YAgKXXQs6KIMcxScZNUTBaDi1Aj0E0nzWzKBRkwt:Qg5wUFbEs3vkw

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 9 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2388-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2388-14-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2504-16-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2504-17-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/2640-75-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2640-74-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2504-76-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2640-140-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2504-175-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\BC5DF\\1F41D.exe"	ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2504-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2388-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2388-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2504-16-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2504-17-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2640-75-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2640-74-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2504-76-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2640-140-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2504-175-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2388	2504	ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe	30
PID 2504 wrote to memory of 2388	2504	ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe	30
PID 2504 wrote to memory of 2388	2504	ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe	30
PID 2504 wrote to memory of 2388	2504	ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe	30
PID 2504 wrote to memory of 2640	2504	ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe	33
PID 2504 wrote to memory of 2640	2504	ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe	33
PID 2504 wrote to memory of 2640	2504	ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe	33
PID 2504 wrote to memory of 2640	2504	ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe startC:\Program Files (x86)\LP\1DBB\A42.exe%C:\Program Files (x86)\LP\1DBB
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2388
- C:\Users\Admin\AppData\Local\Temp\ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ef284bd39e5166fbd51daa027494a3b7_JaffaCakes118.exe startC:\Program Files (x86)\DFE2F\lvvm.exe%C:\Program Files (x86)\DFE2F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\BC5DF\FE2F.C5D

Filesize
1KB

MD5
3342f6c76019f87864a5112d2ea2d774

SHA1
58848e8c8c781fcf912c8a67564d8fbb796f261c

SHA256
630f6da6161cfdf8cb7fa3cbb1f57aac24fba826d32da415f0122e1a84ad58e3

SHA512
7e53257383cef03dab7920ab50249c786d781b9d7a8ccfd0a219ee5754249035ca17053ced17f4ee3dee82a1a516c440c9801de00a24e0b0d86dc21068a5165f

Download Submit
C:\Users\Admin\AppData\Roaming\BC5DF\FE2F.C5D

Filesize
600B

MD5
62b2e3e3a41e9270ba895ffdf08dcb9f

SHA1
269b532ce89d7027842b884af461d953ca83a323

SHA256
ec35de19421a7056974ff0c335f8827202dce2292fd9f2ade71f71f1164b544e

SHA512
b62959f568f3b757be482f72a50445fa7abbad00e95f9c818bebc25627b5cf81c83c61d343d806a5b14e592d37db2e43a43dfd779daea68b87e06f2deb67a0f5

Download Submit
C:\Users\Admin\AppData\Roaming\BC5DF\FE2F.C5D

Filesize
996B

MD5
0c1c087def27a34b05aa36d78bf8c9d5

SHA1
48cf5318dd926227491576935bf15f94c7847319

SHA256
15aa2c772060f006d04bfa1ef2ebeae1d69bc06daa0e91bd3c61e5239925f93e

SHA512
c922b01c54832cc825a4d3594d202d1e4ebdbb0923b20e969250c1f49321bb2f8fc1799b109ed019d2b7302681a05260e89701c7d860d86de1a19410bc715176

Download Submit
memory/2388-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2388-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2388-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2504-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2504-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2504-17-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2504-76-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2504-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2504-175-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2640-72-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2640-75-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2640-74-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2640-140-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads