cycbot | e5a1b30146921c278a8d7a4f19e96c5a742cfc4d683d27e73c7e23f2c324f763

General

Target

fd4575948af4915c4cbeabfec0ef3675_JaffaCakes118.exe
Size

178KB
MD5

fd4575948af4915c4cbeabfec0ef3675
SHA1

fed1aa052d6c28c0668f1d24dcf5ba03ace24266
SHA256

e5a1b30146921c278a8d7a4f19e96c5a742cfc4d683d27e73c7e23f2c324f763
SHA512

03b0246b4c55c5b62a528d9a6410295c9374978e35a21e1b1d98550720bdde47fb4c27d5a74cea2fae1e6588423e9d6030adbab1ecd3ec117794048a0f92b265
SSDEEP

3072:jPajLWEGUhzyvHUpykkZWeS1B7a4GF7/hYYbqbdd+LjMI9gxj2ZJsZ:jPafW5AS0IWe0B7a4GZ3+pejMhxj2ZJ0

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2692-12-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/2980-13-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/2980-90-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/1608-93-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/2980-200-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	fd4575948af4915c4cbeabfec0ef3675_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2980-2-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2692-12-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2980-13-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2980-90-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1608-92-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1608-93-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2980-200-0x0000000000400000-0x000000000046E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd4575948af4915c4cbeabfec0ef3675_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2692	2980	fd4575948af4915c4cbeabfec0ef3675_JaffaCakes118.exe	31
PID 2980 wrote to memory of 2692	2980	fd4575948af4915c4cbeabfec0ef3675_JaffaCakes118.exe	31
PID 2980 wrote to memory of 2692	2980	fd4575948af4915c4cbeabfec0ef3675_JaffaCakes118.exe	31
PID 2980 wrote to memory of 2692	2980	fd4575948af4915c4cbeabfec0ef3675_JaffaCakes118.exe	31
PID 2980 wrote to memory of 1608	2980	fd4575948af4915c4cbeabfec0ef3675_JaffaCakes118.exe	33
PID 2980 wrote to memory of 1608	2980	fd4575948af4915c4cbeabfec0ef3675_JaffaCakes118.exe	33
PID 2980 wrote to memory of 1608	2980	fd4575948af4915c4cbeabfec0ef3675_JaffaCakes118.exe	33
PID 2980 wrote to memory of 1608	2980	fd4575948af4915c4cbeabfec0ef3675_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\fd4575948af4915c4cbeabfec0ef3675_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd4575948af4915c4cbeabfec0ef3675_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\fd4575948af4915c4cbeabfec0ef3675_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fd4575948af4915c4cbeabfec0ef3675_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\fd4575948af4915c4cbeabfec0ef3675_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fd4575948af4915c4cbeabfec0ef3675_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\8B8E.F1B

Filesize
1KB

MD5
5dbbf0bc366c887b6da35d197603393e

SHA1
0b35215a34ad3390a43b4fba6bc6673690b6d980

SHA256
e5fb062c0bd59808c33788537f79f7b103111c056b7115b89ba1e959e79b4901

SHA512
a9d603c18e658e63a1a9e1f904c962774ca689746c29cbc78046a12e7d53413f5974b2b48d6ceb692b2e4cd33e366d1ca4dd9269e0aacff4f55268990b4a5a52

Download Submit
C:\Users\Admin\AppData\Roaming\8B8E.F1B

Filesize
600B

MD5
9c15c73925ee25c35e177a7349367dd2

SHA1
7096f7c92993ad9c1a83122b5b529ba1d37d2059

SHA256
14f1e5792ced99a596e249cfbc1dfc389f02a7dc86bec7f44fde776ce5697321

SHA512
01488ac3f785a4a1e5271b4dab82c4e930a69c58a870ab3cbcc6744c7c3d4b8335d1507b48e3029d5dbd1c388d5718ec5c6b6d4a45012cda06a17b9edd706a08

Download Submit
C:\Users\Admin\AppData\Roaming\8B8E.F1B

Filesize
996B

MD5
1514a61853e0ebfb1ee26e469b626472

SHA1
323661e5d1d14a1ebc90008d10cc8f2058fa73fe

SHA256
ea5deb2caed2a1f696379436884c5ccd95c9196b6d766ff99e5d71a5e3ff88fc

SHA512
2e03181e7d6dcf4c7244d4bfbb69b884ac8764b0a79f2ba53582bbb2983846ae97ff1d3b2181a8f382e8ee6c67e518ddac9fc073d6624c82a7f3a67ab5be5415

Download Submit
memory/1608-92-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1608-93-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2692-12-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2980-1-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2980-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2980-13-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2980-90-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2980-200-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads