cycbot | d0197ce66acc70262f8c61e92b5791c6a21883de2c36e87a9341bf50af89dde5

General

Target

fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe
Size

170KB
MD5

fea600a8de189f2bb2c855d4bb9be01c
SHA1

5ed7bd9864320e329ab552362fe116c660ddecb2
SHA256

d0197ce66acc70262f8c61e92b5791c6a21883de2c36e87a9341bf50af89dde5
SHA512

5083425bba0d1297436feca6bb2290c0012b9664cdfc7f1aa0b4988899d85f06fbbac052ec0ed82a8853d93fd79875a8f9ce37f3e1bef7082185d9bae98691d6
SSDEEP

3072:mc26ztd+oAyCaGivZcWcrGBsA4Ms+dyE/zoapy9u941LkHC1N9f:J26/3G/WQYs+q9848MB

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2780-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2648-16-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2648-17-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/2856-122-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2648-123-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2648-289-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\DC5F9\\3CD43.exe"	fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2648-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2780-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2780-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2648-16-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2648-17-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2856-122-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2648-123-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2648-289-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2780	2648	fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2780	2648	fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2780	2648	fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2780	2648	fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2856	2648	fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe	32
PID 2648 wrote to memory of 2856	2648	fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe	32
PID 2648 wrote to memory of 2856	2648	fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe	32
PID 2648 wrote to memory of 2856	2648	fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe startC:\Program Files (x86)\LP\43CD\BF8.exe%C:\Program Files (x86)\LP\43CD
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2780
- C:\Users\Admin\AppData\Local\Temp\fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fea600a8de189f2bb2c855d4bb9be01c_JaffaCakes118.exe startC:\Program Files (x86)\F9F33\lvvm.exe%C:\Program Files (x86)\F9F33
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DC5F9\9F33.C5F

Filesize
996B

MD5
8cca92cdb2eec1725e814e58d9e3a0c5

SHA1
118f48d3ed00a5f251586f78b92d2e66e3f3f88c

SHA256
b33e330782760cb6111521cf03c7d2747d530693bf7d2e0664805213b1fe1488

SHA512
f73f0295e7db592b8d1ebb985e5a16186fe83a7e2e0fdc0a08b6f00c482531877189fa7adf9244f44e222ddb9c3ef92740ad6c9b3f04f4b9671ad660a774543e

Download Submit
C:\Users\Admin\AppData\Roaming\DC5F9\9F33.C5F

Filesize
600B

MD5
3725e2cebd9577a6fe255b1d88ad1f5c

SHA1
11ec9906ff4636fc32ce0bf72345ad9cb95ab6ed

SHA256
9d547ff488c54452e07feae374452800264e44303bd228856c88cd7f0ba92d41

SHA512
b16ad8961478ed77656699b9eb0838f6163d997309f8798f29ab026ca853b855164fc0597d626e4fef8b75c45453ae69784027c5415bccd6618f0bb67900f740

Download Submit
C:\Users\Admin\AppData\Roaming\DC5F9\9F33.C5F

Filesize
1KB

MD5
bf04ed115f16eee8fa4aea6d20d46227

SHA1
326eaec0a96b22908f62a780f157b561c497dc51

SHA256
71affdefd31536b9aba565e489c90413055bb53de5f21cb93a30062b515cbdeb

SHA512
99fde8735c37a24815ff2f4307ef72576dc656bca375eab218384644fcb1450c806ee5cd9c95c746c1d2d2eecfe8f504d2ff9d93671ff6d80fb2dac9ead588d1

Download Submit
memory/2648-123-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2648-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2648-17-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2648-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2648-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2648-289-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2780-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2780-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2780-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2856-122-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads