cycbot | 4681be9de166cdde7329c10f635d1338a8c8e3abbf6e3dfa50c3395e7d2ad010

General

Target

fdc658870f0437189cd1e25a1f8b36ca_JaffaCakes118.exe
Size

185KB
MD5

fdc658870f0437189cd1e25a1f8b36ca
SHA1

a6a617fba90f64a56caf6eb518f14a1b33dbadfd
SHA256

4681be9de166cdde7329c10f635d1338a8c8e3abbf6e3dfa50c3395e7d2ad010
SHA512

c0cdc81ebbfda7611df0e05161d20269c7e908d74a306792c5ad6e66f3ad4b8fcd1d133f7235209c6eeb1df15eb1bb0e8243a11854fa4d4eb31e3b8e05d1d58e
SSDEEP

3072:G8AkSbDZfP1C+q1MXWWgwuEHxLDHP14DGM8nM2MbbwAYQdQY1xVvCBcxx7K:G8/MZfPPmWhH9iDnYKbYiX1XNxx7

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2368-13-0x0000000000400000-0x000000000048C000-memory.dmp	family_cycbot
behavioral1/memory/2420-15-0x0000000000400000-0x000000000048C000-memory.dmp	family_cycbot
behavioral1/memory/2420-78-0x0000000000400000-0x000000000048C000-memory.dmp	family_cycbot
behavioral1/memory/2668-83-0x0000000000400000-0x000000000048C000-memory.dmp	family_cycbot
behavioral1/memory/2668-82-0x0000000000400000-0x000000000048C000-memory.dmp	family_cycbot
behavioral1/memory/2420-190-0x0000000000400000-0x000000000048C000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	fdc658870f0437189cd1e25a1f8b36ca_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2420-2-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2368-13-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2368-12-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2420-15-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2420-78-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2668-83-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2668-82-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2420-190-0x0000000000400000-0x000000000048C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdc658870f0437189cd1e25a1f8b36ca_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdc658870f0437189cd1e25a1f8b36ca_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdc658870f0437189cd1e25a1f8b36ca_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2368	2420	fdc658870f0437189cd1e25a1f8b36ca_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2368	2420	fdc658870f0437189cd1e25a1f8b36ca_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2368	2420	fdc658870f0437189cd1e25a1f8b36ca_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2368	2420	fdc658870f0437189cd1e25a1f8b36ca_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2668	2420	fdc658870f0437189cd1e25a1f8b36ca_JaffaCakes118.exe	32
PID 2420 wrote to memory of 2668	2420	fdc658870f0437189cd1e25a1f8b36ca_JaffaCakes118.exe	32
PID 2420 wrote to memory of 2668	2420	fdc658870f0437189cd1e25a1f8b36ca_JaffaCakes118.exe	32
PID 2420 wrote to memory of 2668	2420	fdc658870f0437189cd1e25a1f8b36ca_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\fdc658870f0437189cd1e25a1f8b36ca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdc658870f0437189cd1e25a1f8b36ca_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\fdc658870f0437189cd1e25a1f8b36ca_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fdc658870f0437189cd1e25a1f8b36ca_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2368
- C:\Users\Admin\AppData\Local\Temp\fdc658870f0437189cd1e25a1f8b36ca_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fdc658870f0437189cd1e25a1f8b36ca_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5EAA.3DF

Filesize
1KB

MD5
fd98ff204c18034d1c14244f03c5d207

SHA1
1184bd373b6a54638d1f7666865223767e13005d

SHA256
d0eb652d0511157d0e963474d0b88c8ea1e142cc88d0a6d7b3ed4800ad01a0b8

SHA512
72b4c80c702fc7f5d026bfa531c1d44c8cf44c83b56a6387830c77e64e597cef5a9dcb725b7921f60379f8d2784a75d8683b4d5f1a165e303d13799fc78c4f60

Download Submit
C:\Users\Admin\AppData\Roaming\5EAA.3DF

Filesize
600B

MD5
5a6279ab03abbc543b5905b9ecb4ad0c

SHA1
3e624101253beb3754cd5e1304156df21566be84

SHA256
9b445bd2a03f226676bbd3cc669306f331a4077b68d4ab349c7b9b7f66a57b4f

SHA512
97d026b5ba8175789691bd1bd8ea633f185ee28f248a5a439a8a55df305aeaa7af46bfa8cde908cd679432f1ae5216f24e21354a6da38947be93b24e98170b38

Download Submit
C:\Users\Admin\AppData\Roaming\5EAA.3DF

Filesize
996B

MD5
ccb1db493d57d5fa6109affd077f1b3d

SHA1
363928f0ce58d5406361a99c9581c43f74bc2c19

SHA256
53886afe8d2d86c2ea8ca5b1ae557ec0825c8966f07f9c68f9e9af1e789e0931

SHA512
99a1e50562e2bb439b05567e0ff51c0cd927a683996833c5b04c3fe45cdfc543b02b271e1cde25317e47118312e1a88ded4d7089251cf8d4bfc28fbfae877c77

Download Submit
memory/2368-12-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2368-13-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2420-15-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2420-1-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2420-78-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2420-2-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2420-190-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2668-80-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2668-83-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2668-82-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads