cycbot | 1908eabcb9778e7b488c8f56e3456e5bf714bce0fdeed2fe9279da3f0eff0006

General

Target

JaffaCakes118_62e27168213f71451be4cc375810644a.exe
Size

189KB
MD5

62e27168213f71451be4cc375810644a
SHA1

4dbef09ef6f1e56b7eadf0efa446f033cd71e94b
SHA256

1908eabcb9778e7b488c8f56e3456e5bf714bce0fdeed2fe9279da3f0eff0006
SHA512

2f994bede176fca98aaa38ea4b76e48d6adb00a613fb1828c73e4cc7682c3b31a1926b84a01c67f64df3c659ae68557a8a30ce2334ab5834d354584cc21e24a8
SSDEEP

3072:5PRCsaLwju5S248EQ8pyesOL7/jzjNrlU+e3ofbKmqC0ud2PIujzjDleOeJP+CDS:5PRkmfD4esY7/zNRUN34KtC0ucPIujzG

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1664-14-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2444-15-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2504-82-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2504-83-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2444-84-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2504-156-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2444-160-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_62e27168213f71451be4cc375810644a.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2444-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1664-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1664-12-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2444-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2504-82-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2504-83-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2444-84-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2504-156-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2444-160-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_62e27168213f71451be4cc375810644a.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 1664	2444	JaffaCakes118_62e27168213f71451be4cc375810644a.exe	30
PID 2444 wrote to memory of 1664	2444	JaffaCakes118_62e27168213f71451be4cc375810644a.exe	30
PID 2444 wrote to memory of 1664	2444	JaffaCakes118_62e27168213f71451be4cc375810644a.exe	30
PID 2444 wrote to memory of 1664	2444	JaffaCakes118_62e27168213f71451be4cc375810644a.exe	30
PID 2444 wrote to memory of 2504	2444	JaffaCakes118_62e27168213f71451be4cc375810644a.exe	33
PID 2444 wrote to memory of 2504	2444	JaffaCakes118_62e27168213f71451be4cc375810644a.exe	33
PID 2444 wrote to memory of 2504	2444	JaffaCakes118_62e27168213f71451be4cc375810644a.exe	33
PID 2444 wrote to memory of 2504	2444	JaffaCakes118_62e27168213f71451be4cc375810644a.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62e27168213f71451be4cc375810644a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62e27168213f71451be4cc375810644a.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62e27168213f71451be4cc375810644a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62e27168213f71451be4cc375810644a.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:1664
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62e27168213f71451be4cc375810644a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62e27168213f71451be4cc375810644a.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5BB6.C92

Filesize
1KB

MD5
86520137b6a1c864ac62292df69d45cf

SHA1
711c24089e200f71ee61176105120ea581787fec

SHA256
84eb834795554075c9756548907ceb41d9d1c4b900262475cfab0155c375a920

SHA512
4de757d4c73f8ddc74f4538c2c641bcdd2305fc242ab7395b8ba20ebcdce98bc14d89bd1bc733ff40b658b2ca2ea1fc486b7d3669678a86ddd008e628b580933

Download Submit
C:\Users\Admin\AppData\Roaming\5BB6.C92

Filesize
600B

MD5
c52b23ac695896a1843a6d42d8f748fb

SHA1
9ef61a308cc38c4c89d708d27b613ba33a3f1547

SHA256
226143f2abfa4f309440254c76eb6e2190b44bcc67712d28ef3105e00d45dcc5

SHA512
34861bf5cc3c094385c57600e99e946838d12b47f257a95256d820c6e1dff313345d6bc14c8cbf0494253e829dd6de96ce7d8516f368656c4991fa66a79a0804

Download Submit
C:\Users\Admin\AppData\Roaming\5BB6.C92

Filesize
996B

MD5
eeda9c6296b7b3ac3f18ee0a026f7d94

SHA1
87174e2f67052f90dc4c0575895b08171976b5d5

SHA256
518544e54ee3e9192b4812a240e66cbcec2e30ac7843f5127b7ce9104ba26814

SHA512
4fc7090fd424b86223b5922d14849caf26bb9945dadfdc56b9a72bb82b6c3e050f825b7df304af27dea064587455a1b16d1a04cd7f6e74248feee766ee8b5d63

Download Submit
memory/1664-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1664-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2444-84-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2444-1-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2444-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2444-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2444-160-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2504-82-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2504-80-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2504-83-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2504-156-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads