cycbot | bade959efe3936aa50fa7d4cb08ff263b919e9780c94a1ff62ef2226214ab9f8

General

Target

f2cd6acac314ba9b13408077684e009d_JaffaCakes118.exe
Size

186KB
MD5

f2cd6acac314ba9b13408077684e009d
SHA1

b71ba4738ac34b22e8fd183947bcd6bf41eb7d59
SHA256

bade959efe3936aa50fa7d4cb08ff263b919e9780c94a1ff62ef2226214ab9f8
SHA512

57f5d0cc50c8ae1b5ea74446f1b076d20a1a34c851661ba774c2ff819c763eb1f4258cc5cef3257bfd0c7252a86fbd431155178fa3a00fd1489ff213e808f621
SSDEEP

3072:YuG8/3smz7a02gwm1c4w/BqkyBrioPp4GGcCdcqU9qHK3qhLwzumNJV9LjZaBB21:xG8/Pz7w3m1c5COyBmXCqhLwzvdpZc2

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1864-7-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2532-14-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/1292-76-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2532-77-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2532-172-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2532-205-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	f2cd6acac314ba9b13408077684e009d_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2532-2-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1864-7-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1864-5-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2532-14-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1292-76-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1292-75-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2532-77-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2532-172-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2532-205-0x0000000000400000-0x000000000048A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2cd6acac314ba9b13408077684e009d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2cd6acac314ba9b13408077684e009d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2cd6acac314ba9b13408077684e009d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 1864	2532	f2cd6acac314ba9b13408077684e009d_JaffaCakes118.exe	30
PID 2532 wrote to memory of 1864	2532	f2cd6acac314ba9b13408077684e009d_JaffaCakes118.exe	30
PID 2532 wrote to memory of 1864	2532	f2cd6acac314ba9b13408077684e009d_JaffaCakes118.exe	30
PID 2532 wrote to memory of 1864	2532	f2cd6acac314ba9b13408077684e009d_JaffaCakes118.exe	30
PID 2532 wrote to memory of 1292	2532	f2cd6acac314ba9b13408077684e009d_JaffaCakes118.exe	33
PID 2532 wrote to memory of 1292	2532	f2cd6acac314ba9b13408077684e009d_JaffaCakes118.exe	33
PID 2532 wrote to memory of 1292	2532	f2cd6acac314ba9b13408077684e009d_JaffaCakes118.exe	33
PID 2532 wrote to memory of 1292	2532	f2cd6acac314ba9b13408077684e009d_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\f2cd6acac314ba9b13408077684e009d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2cd6acac314ba9b13408077684e009d_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\f2cd6acac314ba9b13408077684e009d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f2cd6acac314ba9b13408077684e009d_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1864
- C:\Users\Admin\AppData\Local\Temp\f2cd6acac314ba9b13408077684e009d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f2cd6acac314ba9b13408077684e009d_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E5CE.49A

Filesize
1KB

MD5
504c23f0be48b2b6b8cde5cadb66ec98

SHA1
97e0b7f8de85ab53d922d35bb478ece8a7ada471

SHA256
3a6d330a3e772d3886cf6fea946208e820671a92eabb74757916737fb2ed4449

SHA512
00d975571d9cbfe4bf77075c492bde99ba38d53a6d563be68815abbcf84397cee62d90c9d5e5053e84c3b7cd47d67269782836a46bde4d0168877cfe10b90ca1

Download Submit
C:\Users\Admin\AppData\Roaming\E5CE.49A

Filesize
600B

MD5
f41dfcc82f64a13acf0d77fe69150263

SHA1
42693c2e928e0cbf877165c4d2592e8fbd4221d3

SHA256
4fe999a029d357da124d2aa148c5d29636807cff0b6a2206d7eaf863c255b717

SHA512
7a68ad4b9e1e6aab3fd9ec02eb7d8356bd85c80487ddf362cea857f9727cc87659a9b20182c1fb05d2a932bae98503a4f5cd074a25e3054cd367496733c3aa24

Download Submit
C:\Users\Admin\AppData\Roaming\E5CE.49A

Filesize
996B

MD5
7ebac1b7338ed15f0e2c316fb735d90b

SHA1
8e7e54ccd91c29bc0c01abb6fa2a7200fbcb9d87

SHA256
f822ed3488781d2dd9f46183e0ea4b3041b4c1893a901a0bf13d825352902053

SHA512
f53539ea945c27b3c6fb172c61e037b907840ddbc85c4e9852b5cc337580e99957b2eb919f289029a7ee470029d2ebbc4a3347fa348e0e4e91d651074f258e7c

Download Submit
memory/1292-76-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1292-75-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1864-5-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1864-7-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2532-14-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2532-1-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2532-77-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2532-2-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2532-172-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2532-205-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads