cycbot | 022f6814e9b899b018dd57d851b35624211af54caa4f78387412c2cf96f4b799

General

Target

ef935cf2d475a56ccdbaba16a5da0206_JaffaCakes118.exe
Size

177KB
MD5

ef935cf2d475a56ccdbaba16a5da0206
SHA1

3e9c9fa7804a76affa23ccad289e4dd0ca5636cf
SHA256

022f6814e9b899b018dd57d851b35624211af54caa4f78387412c2cf96f4b799
SHA512

4556ecec8f2447e5916ac2ed22be0aeb4f5116911247087b3dfe1368959ce1f0a8055316dce646fd454ca13768994f16564c42d55bda96e96278b7aa2acbd5c7
SSDEEP

3072:ztQ/wltNDbwnEELshZ/wN1NujLZ32Y7c6Sm/s+7tP0XPj8A/tb+Fry/:6/wlPDbTEgEN14jLwx6Sf+7KXYab+

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2396-8-0x0000000000400000-0x0000000000465000-memory.dmp	family_cycbot
behavioral1/memory/2068-15-0x0000000000400000-0x0000000000465000-memory.dmp	family_cycbot
behavioral1/memory/3064-82-0x0000000000400000-0x0000000000465000-memory.dmp	family_cycbot
behavioral1/memory/2068-83-0x0000000000400000-0x0000000000465000-memory.dmp	family_cycbot
behavioral1/memory/2068-174-0x0000000000400000-0x0000000000465000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	ef935cf2d475a56ccdbaba16a5da0206_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2068-2-0x0000000000400000-0x0000000000465000-memory.dmp	upx
behavioral1/memory/2396-6-0x0000000000400000-0x0000000000465000-memory.dmp	upx
behavioral1/memory/2396-8-0x0000000000400000-0x0000000000465000-memory.dmp	upx
behavioral1/memory/2068-15-0x0000000000400000-0x0000000000465000-memory.dmp	upx
behavioral1/memory/3064-81-0x0000000000400000-0x0000000000465000-memory.dmp	upx
behavioral1/memory/3064-82-0x0000000000400000-0x0000000000465000-memory.dmp	upx
behavioral1/memory/2068-83-0x0000000000400000-0x0000000000465000-memory.dmp	upx
behavioral1/memory/2068-174-0x0000000000400000-0x0000000000465000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef935cf2d475a56ccdbaba16a5da0206_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef935cf2d475a56ccdbaba16a5da0206_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef935cf2d475a56ccdbaba16a5da0206_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2396	2068	ef935cf2d475a56ccdbaba16a5da0206_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2396	2068	ef935cf2d475a56ccdbaba16a5da0206_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2396	2068	ef935cf2d475a56ccdbaba16a5da0206_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2396	2068	ef935cf2d475a56ccdbaba16a5da0206_JaffaCakes118.exe	30
PID 2068 wrote to memory of 3064	2068	ef935cf2d475a56ccdbaba16a5da0206_JaffaCakes118.exe	32
PID 2068 wrote to memory of 3064	2068	ef935cf2d475a56ccdbaba16a5da0206_JaffaCakes118.exe	32
PID 2068 wrote to memory of 3064	2068	ef935cf2d475a56ccdbaba16a5da0206_JaffaCakes118.exe	32
PID 2068 wrote to memory of 3064	2068	ef935cf2d475a56ccdbaba16a5da0206_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\ef935cf2d475a56ccdbaba16a5da0206_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef935cf2d475a56ccdbaba16a5da0206_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\ef935cf2d475a56ccdbaba16a5da0206_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ef935cf2d475a56ccdbaba16a5da0206_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2396
- C:\Users\Admin\AppData\Local\Temp\ef935cf2d475a56ccdbaba16a5da0206_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ef935cf2d475a56ccdbaba16a5da0206_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5296.551

Filesize
1KB

MD5
c95a0250351853ef5e6fddb6bfc70060

SHA1
d65f3046038b2517edceeff972f54d3023783b19

SHA256
52348968141b6b3df64637aaca8d8cbc5644766d3d35f8f2e2fe3a33e3875b9e

SHA512
9fead2eb72dbb7adbe32997510aa99065c7d367319d8c3deb2c0670d502a19a4ef4d23272b20f574afa20a0c2225970cf5bd4c1d6fa41a657b7e5aa6426a2b4e

Download Submit
C:\Users\Admin\AppData\Roaming\5296.551

Filesize
600B

MD5
bf3879e2fb66be42be3936a15b65cf77

SHA1
38969f1c4e5081bbe65091f657849eb9bf41d35b

SHA256
473892e162e41826ea16c2c5694e1d437544fc4caad25cc5009c8702ce97bd65

SHA512
8a4fad28435d998ee325ca05bfa5b87f7b3272339a466c037498d696b2fc0525538762986bd208f6afedca03d16670e0e298de66063e0970cfc5788274cd7f22

Download Submit
C:\Users\Admin\AppData\Roaming\5296.551

Filesize
996B

MD5
9027d628dbbc008cdd77e50a7aa153bb

SHA1
7f249b38d0d61d3ed18648c002fc3d437d460620

SHA256
cd8da16e2357b4417863b8f2f335e139f4070cd95d134b9e25ccecd4c2006602

SHA512
325d15444425fce66a5709ee5bf50685f0225225189f70680d20f2eda819c6c7fd0f420e197d2366d14c88613d88f331640b5a3b8ca80230dd890b8125dd2b7d

Download Submit
memory/2068-83-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2068-15-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2068-1-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2068-2-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2068-174-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2396-8-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2396-6-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2396-5-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3064-81-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3064-82-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads