cycbot | 2c71302bcb0c1f092e815ab70fa095f953eb442b81113e11a77106b6a2a3e6a8

General

Target

f97c42e7b7b15980a321d4ee16ba4d56_JaffaCakes118.exe
Size

189KB
MD5

f97c42e7b7b15980a321d4ee16ba4d56
SHA1

ba18a8c2fb2ccfec2f5c27de54a914af66f862f4
SHA256

2c71302bcb0c1f092e815ab70fa095f953eb442b81113e11a77106b6a2a3e6a8
SHA512

a1778dff9094fb3e2c314d3e0f06d53301dae87abb9c5265af4ad861438e9b638acd96f666c13924be209d1158c46a928868e1d3e0c5f4cfc5636a69562f7d17
SSDEEP

3072:OBC+NFXbyd8uFzusZoL77t2ycruRj4Iox4tskjvNxZgoXvXBJtx6Yfa8b1t6PKn:CNN+EnMhuRj8x43VxZgoXvBLs4a8Jt

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2420-17-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2116-18-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1132-87-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1132-88-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2116-89-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2116-195-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	f97c42e7b7b15980a321d4ee16ba4d56_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2116-2-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2420-17-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2116-18-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1132-87-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1132-88-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2116-89-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2116-195-0x0000000000400000-0x000000000046C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f97c42e7b7b15980a321d4ee16ba4d56_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f97c42e7b7b15980a321d4ee16ba4d56_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f97c42e7b7b15980a321d4ee16ba4d56_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2420	2116	f97c42e7b7b15980a321d4ee16ba4d56_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2420	2116	f97c42e7b7b15980a321d4ee16ba4d56_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2420	2116	f97c42e7b7b15980a321d4ee16ba4d56_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2420	2116	f97c42e7b7b15980a321d4ee16ba4d56_JaffaCakes118.exe	30
PID 2116 wrote to memory of 1132	2116	f97c42e7b7b15980a321d4ee16ba4d56_JaffaCakes118.exe	32
PID 2116 wrote to memory of 1132	2116	f97c42e7b7b15980a321d4ee16ba4d56_JaffaCakes118.exe	32
PID 2116 wrote to memory of 1132	2116	f97c42e7b7b15980a321d4ee16ba4d56_JaffaCakes118.exe	32
PID 2116 wrote to memory of 1132	2116	f97c42e7b7b15980a321d4ee16ba4d56_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\f97c42e7b7b15980a321d4ee16ba4d56_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f97c42e7b7b15980a321d4ee16ba4d56_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\f97c42e7b7b15980a321d4ee16ba4d56_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f97c42e7b7b15980a321d4ee16ba4d56_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2420
- C:\Users\Admin\AppData\Local\Temp\f97c42e7b7b15980a321d4ee16ba4d56_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f97c42e7b7b15980a321d4ee16ba4d56_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ADC0.DC9

Filesize
1KB

MD5
de6b5a442d9a3e37fc9fb052a3567b01

SHA1
db2db8c4258c7593ce51dca01d75cde9174cc1ce

SHA256
dbb33a8b95dedd6a1ee126b218bbacd31967d344f3214be1183452253cbc1af2

SHA512
766695f1d82055fe62bf13318b4e0342c1a02804a685d1539328c8823ee25d5b012b8ff2de1b4bb866d4fe95e4080166ab40c3e5424147002fd644b6a94c1f2b

Download Submit
C:\Users\Admin\AppData\Roaming\ADC0.DC9

Filesize
1KB

MD5
f90798b1d5b5ce6caf92cfe37e529b84

SHA1
90859bb35b181e801ac3b2842ef3786c8368aa2a

SHA256
774dfcc4b0277467ff4ca17afb89cd2007c0f0fb62d0333b3b1ee3f4ec90def2

SHA512
79f11c06195e94897643174d49aff04e95cd230ef9b42fbd60ee4024109d26f5c2c1f6ba0615fefbebac4de4bae0995864ced5f4fa79980fc1a7b6155c44ecf8

Download Submit
C:\Users\Admin\AppData\Roaming\ADC0.DC9

Filesize
897B

MD5
5c23ccf98481b82614eecce0d4f43740

SHA1
f91d3c6d0e0a3ba198e51643805280a3093bf5a9

SHA256
67b8f48c1fd9ae575de56c4b5817875289a6989ef84213cf1003d1a7a6ca3a77

SHA512
185a230a30149acef0baef16ad237006c5da5aba7c044a3a9ecc3b115b2c75c884661ca219a5b9422cce5a941fb975190178dda47a9719e7323f204d7a7c7613

Download Submit
C:\Users\Admin\AppData\Roaming\ADC0.DC9

Filesize
597B

MD5
2301818019d7280fd82c0afe309b6ec4

SHA1
3c59bf25d73a397995ff9a005c1fbca3bbaf177b

SHA256
d342890a0c5f7694d70d6fb4f13d589a69b2ef75608463c7b02bd0fdee788012

SHA512
257a2d2158a999485b6e367a354b2c7f35417ef9231525d9f4f3e7d73563db13933ec097f50a444e418896b2161949dbc34a38013288c16478b816300e6a6881

Download Submit
C:\Users\Admin\AppData\Roaming\ADC0.DC9

Filesize
1KB

MD5
9eefdc3b3a97160f95eb006f656429c8

SHA1
e9c345164f09314d73ac9d4b390888bc5efde4e1

SHA256
782eb035e0b9f395a24d93ca173d50895c3dea2632b61a852129cd63de896fee

SHA512
bdd48e06ab67b904021cbec698ba1ac572a07ec345b998d58e69ac29f96cdb93beea245fcc36201c05e3cc84e77e6566c059d8268068846e11ecde6e6f33e913

Download Submit
memory/1132-88-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1132-85-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1132-87-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2116-18-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2116-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2116-89-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2116-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2116-195-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2420-17-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads