cycbot | b4b6fdc095a7d4a5ef3ed7e9dbc5761bbb41153d0ec67921d2e595aa5e50f514

General

Target

fbc9869c4dfc9ba6420202e949e20ea3_JaffaCakes118.exe
Size

181KB
MD5

fbc9869c4dfc9ba6420202e949e20ea3
SHA1

b8bd21f6d020efcc73dd1a030a85bcbe99e577a9
SHA256

b4b6fdc095a7d4a5ef3ed7e9dbc5761bbb41153d0ec67921d2e595aa5e50f514
SHA512

ad6d305cea5980127850244d2329d72c6b8f70931f96da4a8fb82ba161559ea3c8270888d07a7f7ff80734f21659f6d82491c809c890b70f9b09acafc8d839c5
SSDEEP

3072:Gxl1HO4NAPPrQv93zKRKtgI0H97iBAdjUYy6N7GaUnzyI5dTjfREoOuQHOOZzo:GbdO4ePPa3zdkH9kAd5N7GhnHtjfREo8

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2564-6-0x0000000000400000-0x0000000000466000-memory.dmp	family_cycbot
behavioral1/memory/2668-17-0x0000000000400000-0x0000000000466000-memory.dmp	family_cycbot
behavioral1/memory/2668-79-0x0000000000400000-0x0000000000466000-memory.dmp	family_cycbot
behavioral1/memory/2168-83-0x0000000000400000-0x0000000000466000-memory.dmp	family_cycbot
behavioral1/memory/2668-187-0x0000000000400000-0x0000000000466000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	fbc9869c4dfc9ba6420202e949e20ea3_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2668-2-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2564-7-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2564-6-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2668-17-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2668-79-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2168-81-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2168-83-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2668-187-0x0000000000400000-0x0000000000466000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbc9869c4dfc9ba6420202e949e20ea3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbc9869c4dfc9ba6420202e949e20ea3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbc9869c4dfc9ba6420202e949e20ea3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2564	2668	fbc9869c4dfc9ba6420202e949e20ea3_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2564	2668	fbc9869c4dfc9ba6420202e949e20ea3_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2564	2668	fbc9869c4dfc9ba6420202e949e20ea3_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2564	2668	fbc9869c4dfc9ba6420202e949e20ea3_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2168	2668	fbc9869c4dfc9ba6420202e949e20ea3_JaffaCakes118.exe	33
PID 2668 wrote to memory of 2168	2668	fbc9869c4dfc9ba6420202e949e20ea3_JaffaCakes118.exe	33
PID 2668 wrote to memory of 2168	2668	fbc9869c4dfc9ba6420202e949e20ea3_JaffaCakes118.exe	33
PID 2668 wrote to memory of 2168	2668	fbc9869c4dfc9ba6420202e949e20ea3_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\fbc9869c4dfc9ba6420202e949e20ea3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbc9869c4dfc9ba6420202e949e20ea3_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\fbc9869c4dfc9ba6420202e949e20ea3_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fbc9869c4dfc9ba6420202e949e20ea3_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2564
- C:\Users\Admin\AppData\Local\Temp\fbc9869c4dfc9ba6420202e949e20ea3_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fbc9869c4dfc9ba6420202e949e20ea3_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A985.CFE

Filesize
597B

MD5
06e07dab6ff0781b064abc8d9c3277ad

SHA1
740e84573b4980adefa0ab52513e8b0f1c69f62f

SHA256
b9b13f5cb415bfa99987236fa19dcf08fbba4efb8fb93481d73f5818f503b7c0

SHA512
42e43bbbc4075ffd7ba3928b18cb48ee5d00e9ea1d8dcb73dd5a814b7ac24ecc1e4f72a3b072a95a5e361ffd5adcb7642c5df7e0e1f5f44ddd0c8c8240161b1e

Download Submit
C:\Users\Admin\AppData\Roaming\A985.CFE

Filesize
1KB

MD5
0d210fc1c58d4f7022e02706ea2b1769

SHA1
0a71d4a3c60be00d45b28fb3596533c5210a2d6a

SHA256
1cbc4f55dd210b5ba6e91044f9be7ebecf4c50af507cf11fcddec4c9995a6bfb

SHA512
890426db4073b805e210f58252565997f4f92cc5d694cd0287faddb16d46e6ac5cd4aa56e460d395cf9572e95bffa3c80bc57e20b1b65dbf8c9035829296827c

Download Submit
C:\Users\Admin\AppData\Roaming\A985.CFE

Filesize
897B

MD5
90c5ff4bb97829a31d22ee1e2d88d5bd

SHA1
587e654049d4342fa35e346940b86d8e68a0ba3e

SHA256
23724505ff0b0c6109846b023dc89cd09959289d1112462edc059574db806713

SHA512
e328787e6138fc7d6bb8b0aad3b7100cdc564abea269d0677725143d3a3d72f384a788d1ac89b0eceffbf5e80fbd4643e8fead36c41fd18ffed1526908bfa4eb

Download Submit
C:\Users\Admin\AppData\Roaming\A985.CFE

Filesize
1KB

MD5
fa1197a9f1d445815939fc00510ba338

SHA1
339eb5eddc07f14c6b45ef12cb6a73982024e04c

SHA256
772ad50bc8e766fe593eb1baba65b0b6da56ad4b9e403b676f7aa1deb11bf1e7

SHA512
c6f169600d01ada8ab6d3a1a5aad9eb749f33b925bf838b662a6330adb8b97365bf467a7353254f5c554c9f40c7de6a3f06236b2f024bc9f92f949454ea6ecf3

Download Submit
memory/2168-83-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2168-81-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2564-6-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2564-7-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2668-17-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2668-79-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2668-1-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2668-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2668-187-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads