cycbot | 6c1756aa530b36cac92d6ddcd49b9bc2b4b3b72ee86db90963a426c13257fae1

General

Target

efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe
Size

169KB
MD5

efe5a4dc47a3973279f70e844233de67
SHA1

14deca72174952578ceabb767f58f5ac6dadb638
SHA256

6c1756aa530b36cac92d6ddcd49b9bc2b4b3b72ee86db90963a426c13257fae1
SHA512

f0bd44b4bf10f714b49dc6d8ed675268b3f8ec135b87abfc0887b4bda444d32fea9635c8b9b3a656edf9a304922be82543ec5de2e9e0313e0c5a0f7dca1f0b51
SSDEEP

3072:3YGy9/koA4KzeRZtDb6n7MckPJHgqH9OZxG8YT1jKbvwuCXhgbGtV4tNIHlol49b:oGyNkh8HDEGxgrxpYTNLGtNIul49qSMQ

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1988-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/1796-16-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/1796-17-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/2692-88-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/1796-89-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/1796-187-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\38B8E\\0D779.exe"	efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1796-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1988-13-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1988-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1796-16-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1796-17-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2692-88-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2692-87-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1796-89-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1796-187-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 1988	1796	efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe	30
PID 1796 wrote to memory of 1988	1796	efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe	30
PID 1796 wrote to memory of 1988	1796	efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe	30
PID 1796 wrote to memory of 1988	1796	efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe	30
PID 1796 wrote to memory of 2692	1796	efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe	33
PID 1796 wrote to memory of 2692	1796	efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe	33
PID 1796 wrote to memory of 2692	1796	efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe	33
PID 1796 wrote to memory of 2692	1796	efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Users\Admin\AppData\Local\Temp\efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe startC:\Program Files (x86)\LP\7913\CFA.exe%C:\Program Files (x86)\LP\7913
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1988
- C:\Users\Admin\AppData\Local\Temp\efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\efe5a4dc47a3973279f70e844233de67_JaffaCakes118.exe startC:\Program Files (x86)\8E228\lvvm.exe%C:\Program Files (x86)\8E228
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\38B8E\E228.8B8

Filesize
1KB

MD5
a3532e98c04e4fd45ee16d78d53e752d

SHA1
9bac3b9880e58c011789f08609ecad94e12b46f5

SHA256
6c5d9704d6fee1bd1de84db964c4af5a1d4d7b39d48d06155a4909509e681fd9

SHA512
389fa207ee5710fe272cd7d07e06196a2a25cbf984b4b7193f8278599e6b6b9982d7e407c2039b419be0908c6e17a287508073a78b6064917b1d15bd4ad7b47f

Download Submit
C:\Users\Admin\AppData\Roaming\38B8E\E228.8B8

Filesize
600B

MD5
66790641771b1f2a97a3c5aca2ca5ebc

SHA1
8973e996b423838a8fa80530f7321faf2852a3e7

SHA256
38a4c72b054a608238e146a311b321bb50df2fd4a41583b71085f7fac9218126

SHA512
267441e6df8347501a110300cd3a9fadb881ee90e608d12392fbfd5ba5dc58d107654cfa770650dff56d6df5de96e25eea76ccc276d149945845887a16a6daf2

Download Submit
C:\Users\Admin\AppData\Roaming\38B8E\E228.8B8

Filesize
300B

MD5
2dc1c7de54a7494553bebb4fc9fe9f2d

SHA1
a6d07499194e6bbb6f6c2fd393964225fd32258a

SHA256
98cc9792244ba01c214a075ff5d75fda6c5241933bb8a4c3574609924bf75bfc

SHA512
df5fabb85eb32892ee6f1f3ff65ade622df02d5e20eda675b1bddf278bb73622c3c82495e55c1b7baa779689fbf997d147b3a279a3b9dde8c410237c73cdca32

Download Submit
C:\Users\Admin\AppData\Roaming\38B8E\E228.8B8

Filesize
996B

MD5
2e9abee9430b16636bd519456fbdb066

SHA1
9fd3e7d61a94f03ff74203caccfda3abd1cbb3c6

SHA256
2792112bc89db6da10abfc67a3d39e7e1da3dfe0d5e7d2146cc9e965c7211aad

SHA512
a2d4d1772c6bbb8e67b234fd8488f50e32bb2f0969004d9c84afbe5c54014e30aef395b08d8c010dd120a26b17b686ca8e1889776966ed5417c3f11d75aa2746

Download Submit
memory/1796-89-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1796-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1796-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1796-187-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1796-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1796-17-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1988-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1988-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1988-13-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2692-87-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2692-88-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads