cycbot | bbfba775d9f80238bef81390e896ce17d203e30201a3dc75f104f20b5ea0d855

General

Target

f708dd95a79a9b992ac0f49910151741_JaffaCakes118.exe
Size

165KB
MD5

f708dd95a79a9b992ac0f49910151741
SHA1

580ad861f01001eca3547cbbd3618edf59909a9f
SHA256

bbfba775d9f80238bef81390e896ce17d203e30201a3dc75f104f20b5ea0d855
SHA512

91f62ccef9a824fc6db7a7fb9aa97074c5ed26623ba3bc9ff3eb3d3a1bd65954f90cc09caa263c45985a60b5f8db7111523ada3ea987d28afe7fc5051407e789
SSDEEP

3072:ffdN7Ukm4khgdQHs5vfd+tOtv3AZi1z/lb5mxodrqwUPfzXYLS2xm5Hi:f104YsNFu/sB5yodewUzh2oC

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2476-6-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2476-8-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2132-16-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2132-82-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2772-86-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2132-198-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	f708dd95a79a9b992ac0f49910151741_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2132-2-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2476-5-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2476-6-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2476-8-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2132-16-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2132-82-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2772-86-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2772-85-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2132-198-0x0000000000400000-0x000000000046A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f708dd95a79a9b992ac0f49910151741_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f708dd95a79a9b992ac0f49910151741_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f708dd95a79a9b992ac0f49910151741_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2476	2132	f708dd95a79a9b992ac0f49910151741_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2476	2132	f708dd95a79a9b992ac0f49910151741_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2476	2132	f708dd95a79a9b992ac0f49910151741_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2476	2132	f708dd95a79a9b992ac0f49910151741_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2772	2132	f708dd95a79a9b992ac0f49910151741_JaffaCakes118.exe	33
PID 2132 wrote to memory of 2772	2132	f708dd95a79a9b992ac0f49910151741_JaffaCakes118.exe	33
PID 2132 wrote to memory of 2772	2132	f708dd95a79a9b992ac0f49910151741_JaffaCakes118.exe	33
PID 2132 wrote to memory of 2772	2132	f708dd95a79a9b992ac0f49910151741_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\f708dd95a79a9b992ac0f49910151741_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f708dd95a79a9b992ac0f49910151741_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\f708dd95a79a9b992ac0f49910151741_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f708dd95a79a9b992ac0f49910151741_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2476
- C:\Users\Admin\AppData\Local\Temp\f708dd95a79a9b992ac0f49910151741_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f708dd95a79a9b992ac0f49910151741_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B67C.98C

Filesize
1KB

MD5
af3c51265538fa40ef1c177864d768bb

SHA1
ea8b3829752c2fe4de1d535c15a89680bc7d606b

SHA256
33a960a937c75ce6dff899931d19d0756c3a25a849c8cd461e8370be700f56f9

SHA512
76115e334f5d34aaee9051108e84facabda498405c6af2174575bb1d2584bb5eced00e11fad2739118399c970182726de8fed0359c135dbb939f291827fffafe

Download Submit
C:\Users\Admin\AppData\Roaming\B67C.98C

Filesize
600B

MD5
6f05dee6ec36fbc02fa7a8e3117b7c43

SHA1
2b354a49606c7bfcc32deacd95d49fb42e69cea2

SHA256
e032220041814dfab92d38b721a16882b26ea1bac76337659c8ad3a46518f169

SHA512
63d5b8c1bc31e2ff9111a6d89006d2b11ec8e5965ae4266f61589386fbabbd282aa4892153906b2d62084f831c2f2b4102a7ee15ea2c99210dd4f88c25cbb67e

Download Submit
C:\Users\Admin\AppData\Roaming\B67C.98C

Filesize
996B

MD5
d66b9c103f3a1c4609556c3759f44dd6

SHA1
de9c6e0012cdd2e3b0bd551cd54fd18e5ca3aecc

SHA256
183c73c889f922ddf5e11cd65fb15e59949a87b2799c82cfde8f76e7b2b6a590

SHA512
13fcff5ab7ba8efad7827397fe1333264c88a5b74ff1daafcc195b1896d3cfe00d03aae015ebc804ea36bc4a61db3f0312f64ca4b8f9293250d69977d04c943c

Download Submit
memory/2132-2-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2132-198-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2132-1-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2132-16-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2132-82-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2476-6-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2476-8-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2476-5-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2772-85-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2772-86-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads