cycbot | 7286f56b607b60fbaf5ad8d1e6809425646c639e417e91fa3fc1930cfe12efd8

General

Target

JaffaCakes118_570c4f83de6b15683d8bcc40565a7e9a.exe
Size

173KB
MD5

570c4f83de6b15683d8bcc40565a7e9a
SHA1

e4bc20440392cf90dd51d6e949baf753e886ab08
SHA256

7286f56b607b60fbaf5ad8d1e6809425646c639e417e91fa3fc1930cfe12efd8
SHA512

89d3e1535d0606cb1f76499d3c38a90c33485c5db676e2c23b8a13ee160b2da3e23baed01dc205b17cf811e8404f83aced9f3d48b3dcf4869c665062d27d39b2
SSDEEP

3072:OuTCZs9t9TIcRILdMRdMlS/zVSigDJ34j9EmEu3J1o2Xcf6:OsCa9PIcRsMRdOS7QiU4JBJFN

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 8 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2700-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2700-14-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2280-16-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2280-17-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/2700-81-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2212-84-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2280-85-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2280-187-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\97E42\\AFE07.exe"	JaffaCakes118_570c4f83de6b15683d8bcc40565a7e9a.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2280-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2700-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2700-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2280-16-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2280-17-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2700-81-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2212-83-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2212-84-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2280-85-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2280-187-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_570c4f83de6b15683d8bcc40565a7e9a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_570c4f83de6b15683d8bcc40565a7e9a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_570c4f83de6b15683d8bcc40565a7e9a.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2700	2280	JaffaCakes118_570c4f83de6b15683d8bcc40565a7e9a.exe	30
PID 2280 wrote to memory of 2700	2280	JaffaCakes118_570c4f83de6b15683d8bcc40565a7e9a.exe	30
PID 2280 wrote to memory of 2700	2280	JaffaCakes118_570c4f83de6b15683d8bcc40565a7e9a.exe	30
PID 2280 wrote to memory of 2700	2280	JaffaCakes118_570c4f83de6b15683d8bcc40565a7e9a.exe	30
PID 2280 wrote to memory of 2212	2280	JaffaCakes118_570c4f83de6b15683d8bcc40565a7e9a.exe	32
PID 2280 wrote to memory of 2212	2280	JaffaCakes118_570c4f83de6b15683d8bcc40565a7e9a.exe	32
PID 2280 wrote to memory of 2212	2280	JaffaCakes118_570c4f83de6b15683d8bcc40565a7e9a.exe	32
PID 2280 wrote to memory of 2212	2280	JaffaCakes118_570c4f83de6b15683d8bcc40565a7e9a.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_570c4f83de6b15683d8bcc40565a7e9a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_570c4f83de6b15683d8bcc40565a7e9a.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_570c4f83de6b15683d8bcc40565a7e9a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_570c4f83de6b15683d8bcc40565a7e9a.exe startC:\Program Files (x86)\LP\0739\01B.exe%C:\Program Files (x86)\LP\0739
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2700
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_570c4f83de6b15683d8bcc40565a7e9a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_570c4f83de6b15683d8bcc40565a7e9a.exe startC:\Program Files (x86)\4208F\lvvm.exe%C:\Program Files (x86)\4208F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\97E42\208F.7E4

Filesize
1KB

MD5
84029f3f55c253dfdf43f99fa190e8c3

SHA1
dd8229a10747415bab7788e4392febaaa2b533f5

SHA256
bd2fe7df935523b8ba105bb483fbc8313ee02c2b85235db2fd9fd9fab8b9b9fc

SHA512
cb5b8f5bcbff7939d19445d3b6997d19f12a758d590ba1e65985dff9913172f704f42c289d70fd8f8f8fd8559a0a4c71b9c224fe27fad22e06a7178262a2b632

Download Submit
C:\Users\Admin\AppData\Roaming\97E42\208F.7E4

Filesize
600B

MD5
643e851019eb0e826bbab0a1519ee2ca

SHA1
ce7796b491f35f3395d7f511e802757eb955b759

SHA256
fa686a7621ddb10dfc4a6030f08e0e967750d4f284fc2af79560c2848ff4c045

SHA512
038fc64a7ce3e8299b33b435fa3916562d7e57a27eb9eae6ec5d152d722d7d90325061b1e0c8e25f169bbdaf48f07fc3585de7383d3486cb2d4e646bf81c5d7e

Download Submit
C:\Users\Admin\AppData\Roaming\97E42\208F.7E4

Filesize
996B

MD5
8aa328f60bf1ff55b250d90e1f38755f

SHA1
d8fb983bc7877fde4f0e3e6a4a847ae35ad5ac12

SHA256
4d3a49d5dfbaedd007c9f404495f31cd2cac4130b409cb09dab0a4d8bd8bb0c0

SHA512
4e3c54efab5c55547ec2ca8011ec1cda142191f9d3409ba3e7e089c0d474e3ef639d42fc8766e6c229c13f0ae5efa5108beb79c18a2de786627f6f686bd06be4

Download Submit
memory/2212-84-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2212-83-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2280-17-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2280-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2280-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2280-85-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2280-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2280-187-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2700-81-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2700-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2700-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2700-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads