cycbot | 59d1a2def07c6d5cbf67773e9d9827d0fabe0e35d3cdd7e2ec30c400eb960d47

General

Target

fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe
Size

166KB
MD5

fa13215c8ba0ad19e145e3ded304594d
SHA1

f32ade890782f003a92b3ddcfb5c7301dfde85dd
SHA256

59d1a2def07c6d5cbf67773e9d9827d0fabe0e35d3cdd7e2ec30c400eb960d47
SHA512

6f25d3660894a919a8fe3540a4d7caaa1c0c8bf452dc203b111ff0e1fa249f9930a404bc6910a5483d3946b15aac53825d536d8a653800d69121de0a0f2f423c
SSDEEP

3072:Yhi/4AH4OZb3GWaef4Sc+ahiagxu2RkGUzu3jOEHNv02+a8lrhN+RF:ei/7zIe3agjHScv+aEE

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1536-14-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/1944-15-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/1944-16-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/2868-136-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2868-135-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/1944-137-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/1944-311-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\7C1AD\\AA988.exe"	fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1944-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1536-12-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1536-13-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1536-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1944-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1944-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2868-136-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2868-135-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1944-137-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1944-311-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 1536	1944	fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe	30
PID 1944 wrote to memory of 1536	1944	fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe	30
PID 1944 wrote to memory of 1536	1944	fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe	30
PID 1944 wrote to memory of 1536	1944	fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe	30
PID 1944 wrote to memory of 2868	1944	fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe	33
PID 1944 wrote to memory of 2868	1944	fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe	33
PID 1944 wrote to memory of 2868	1944	fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe	33
PID 1944 wrote to memory of 2868	1944	fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Local\Temp\fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe startC:\Program Files (x86)\LP\88B7\5CE.exe%C:\Program Files (x86)\LP\88B7
  2⤵
  PID:1536
- C:\Users\Admin\AppData\Local\Temp\fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fa13215c8ba0ad19e145e3ded304594d_JaffaCakes118.exe startC:\Program Files (x86)\AD0B9\lvvm.exe%C:\Program Files (x86)\AD0B9
  2⤵
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7C1AD\D0B9.C1A

Filesize
996B

MD5
ca01dee0fba4e01c06daab5a507e6375

SHA1
c20c392c5469829599630d032195d862be7559c5

SHA256
085e46ccd215ef3f15c231f6d31a38df9926495826249726d4914acedf2a0d07

SHA512
dff5324a9247582d4e8ca6396659c94c1f578f4a0eaf01ae5e63083d5e12e71a4003145c27668b8dd08c781dffb7c9bcd4d0d81c92d197d0ec43ab326afddf51

Download Submit
C:\Users\Admin\AppData\Roaming\7C1AD\D0B9.C1A

Filesize
600B

MD5
08ea55dcbb642b61a7b79d23239d10cf

SHA1
94bade71339c2adeebb82cfba781a0a6434896d3

SHA256
c447ffa596f1e12ab33961b5f32e00c5ede75a4f0685e3b0d6707bf736d87df6

SHA512
167a80195a2c23deae5a3debf16b7a3e93bcb4bfa4c89d1fa1be048db423a45355279766105c166a275b41f53598f0fed36d8bbf1a0b92fe04cfa6370bb8bd49

Download Submit
C:\Users\Admin\AppData\Roaming\7C1AD\D0B9.C1A

Filesize
1KB

MD5
e52231af9f6a7d3aca00f8cce7eb69e5

SHA1
6684c4d3724d9d33329544fc79da03864088ad10

SHA256
d1c968a6b7340a95e9d98b99612a41955d5922691a8a50c952f8380e965afa35

SHA512
ebe302a3c32a8bf0b15d8113ff4d0c7d693023be8853cbf3e94ac819b518caf27f7613f493152bf521d6b70d9bcbe1dda56f920b0d5b423061704e2c7b5463c5

Download Submit
memory/1536-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1536-13-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1536-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1944-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1944-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1944-137-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1944-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1944-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1944-311-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2868-133-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2868-136-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2868-135-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads