cycbot | b2211ed17c01dc1d776917f2118523861019cf31bb5950b2df66558e1eda2b50

General

Target

f00b22133decb7741075874e71c7f044_JaffaCakes118.exe
Size

179KB
MD5

f00b22133decb7741075874e71c7f044
SHA1

df7ec7102a71f2cab5a9371e94e681348c3d6482
SHA256

b2211ed17c01dc1d776917f2118523861019cf31bb5950b2df66558e1eda2b50
SHA512

479f22801709b3347e88a276fcafd60b4c2d5d372768a42396e28bd3d8d2a78546915bf156b082b50d2090f310dea0a2438835e75d4a619ef9b916070f890e3a
SSDEEP

3072:dzsZiout/AXYFpqBGygV8XyrH7HqQyAUdiSQPdaTQe1cuhk8OVcs6IHLaD7ZOhjY:aZjuAXYLqBpgVkkHTDUd9Q1a8rH8OVPK

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2148-13-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2148-12-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/1244-14-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/1980-85-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/1244-86-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/1244-184-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	f00b22133decb7741075874e71c7f044_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1244-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2148-13-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2148-12-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1244-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1980-83-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1980-85-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1244-86-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1244-184-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f00b22133decb7741075874e71c7f044_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f00b22133decb7741075874e71c7f044_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f00b22133decb7741075874e71c7f044_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2148	1244	f00b22133decb7741075874e71c7f044_JaffaCakes118.exe	30
PID 1244 wrote to memory of 2148	1244	f00b22133decb7741075874e71c7f044_JaffaCakes118.exe	30
PID 1244 wrote to memory of 2148	1244	f00b22133decb7741075874e71c7f044_JaffaCakes118.exe	30
PID 1244 wrote to memory of 2148	1244	f00b22133decb7741075874e71c7f044_JaffaCakes118.exe	30
PID 1244 wrote to memory of 1980	1244	f00b22133decb7741075874e71c7f044_JaffaCakes118.exe	33
PID 1244 wrote to memory of 1980	1244	f00b22133decb7741075874e71c7f044_JaffaCakes118.exe	33
PID 1244 wrote to memory of 1980	1244	f00b22133decb7741075874e71c7f044_JaffaCakes118.exe	33
PID 1244 wrote to memory of 1980	1244	f00b22133decb7741075874e71c7f044_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\f00b22133decb7741075874e71c7f044_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f00b22133decb7741075874e71c7f044_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\f00b22133decb7741075874e71c7f044_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f00b22133decb7741075874e71c7f044_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2148
- C:\Users\Admin\AppData\Local\Temp\f00b22133decb7741075874e71c7f044_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f00b22133decb7741075874e71c7f044_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3EED.07A

Filesize
1KB

MD5
efa71b1675fac4f69638f9454d6e05e6

SHA1
e8cc2f0b7a047df37c7241a7dc4135e64adbdca9

SHA256
66a72bb4c7e6d0804de310a5542d5512e1b78cb83223086a1858b5edc7920777

SHA512
10a264bc47bb160968f9a1914692fb92c6317b00a0a7265c8a6f7ed55f802526f8a816fa5a15c7525567a52a3793f1ed00dcb8ff64748fada7ac559d1b705abd

Download Submit
C:\Users\Admin\AppData\Roaming\3EED.07A

Filesize
600B

MD5
5f4196c1f043e6479e8d716fd4983cff

SHA1
cd1f606ac05b6cbf467371f6c74247fcacfab0a8

SHA256
405c2a4ef79116037f606e0b67460f3bb6b0c34f78a0d8771e34d84808fec26d

SHA512
06115f4f3c5faf26f18d004b0a98dba57a52c1f6811493ad0bfc16aa879b8b84e893bc95c3762448d32688f679c8d9fb76dd14e0059b98b948f598c4478374aa

Download Submit
C:\Users\Admin\AppData\Roaming\3EED.07A

Filesize
996B

MD5
604e1f7ef0f3a865e18e9c516bbe0839

SHA1
88bdafb8a6bde5191fe19ba2068ae6a0d9dda29a

SHA256
4175ab68b454cf6c59d243d01fc99b66044ddc95e70e3907d8585b70c8887456

SHA512
d8c627b1e050c2e115e1ba8460070872f91ac7e64614c8dc174c2894aad8259b9888b8d2da54ebe463e97422a9a494c6b62643d5847037255169409605006343

Download Submit
memory/1244-1-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1244-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1244-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1244-86-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1244-184-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1980-83-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1980-85-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2148-13-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2148-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads