cycbot | 19abfd29560432b083bdc06842c2f17304a50bd09f8e3e1bca7341aefd0492bb

General

Target

JaffaCakes118_63b6e99946066ff0a4524bf40077a25d.exe
Size

169KB
MD5

63b6e99946066ff0a4524bf40077a25d
SHA1

72e13910d756720e952999803fef05d9a336cbb6
SHA256

19abfd29560432b083bdc06842c2f17304a50bd09f8e3e1bca7341aefd0492bb
SHA512

5fa231a1454016061caea55438fb0dc18444a6b518e2441eac7784da421c1c531724886cbacb29528adbbafd6e45a4bae1bd6bc1168b3fea9b987bb41c84570e
SSDEEP

3072:4EIFKOKD1rajcxrFZsvGg+wURIoCsmSIiDVI6AiTOpGKSIV3rTMwWVrK0nJXdf2k:2FTKD1O4RZsvFRfsnsiTOpGxg3XMwWVF

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2020-13-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2372-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2372-16-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/2364-117-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2372-119-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2372-273-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\619FC\\6773D.exe"	JaffaCakes118_63b6e99946066ff0a4524bf40077a25d.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2372-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2020-13-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2372-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2372-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2364-118-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2364-117-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2372-119-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2372-273-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_63b6e99946066ff0a4524bf40077a25d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_63b6e99946066ff0a4524bf40077a25d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_63b6e99946066ff0a4524bf40077a25d.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2020	2372	JaffaCakes118_63b6e99946066ff0a4524bf40077a25d.exe	31
PID 2372 wrote to memory of 2020	2372	JaffaCakes118_63b6e99946066ff0a4524bf40077a25d.exe	31
PID 2372 wrote to memory of 2020	2372	JaffaCakes118_63b6e99946066ff0a4524bf40077a25d.exe	31
PID 2372 wrote to memory of 2020	2372	JaffaCakes118_63b6e99946066ff0a4524bf40077a25d.exe	31
PID 2372 wrote to memory of 2364	2372	JaffaCakes118_63b6e99946066ff0a4524bf40077a25d.exe	33
PID 2372 wrote to memory of 2364	2372	JaffaCakes118_63b6e99946066ff0a4524bf40077a25d.exe	33
PID 2372 wrote to memory of 2364	2372	JaffaCakes118_63b6e99946066ff0a4524bf40077a25d.exe	33
PID 2372 wrote to memory of 2364	2372	JaffaCakes118_63b6e99946066ff0a4524bf40077a25d.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63b6e99946066ff0a4524bf40077a25d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63b6e99946066ff0a4524bf40077a25d.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63b6e99946066ff0a4524bf40077a25d.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63b6e99946066ff0a4524bf40077a25d.exe startC:\Program Files (x86)\LP\3DD6\337.exe%C:\Program Files (x86)\LP\3DD6
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2020
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63b6e99946066ff0a4524bf40077a25d.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63b6e99946066ff0a4524bf40077a25d.exe startC:\Program Files (x86)\FC38C\lvvm.exe%C:\Program Files (x86)\FC38C
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\619FC\C38C.19F

Filesize
996B

MD5
c2b65f1f46b571b3bf1a1cf16abf3b3d

SHA1
a610a2b0de0963815e82459b5dbdffb26140bce4

SHA256
96359b5f8ca15cc65c894a7f7583bd06cd7ad11580ef5012eb15a34c62fb196d

SHA512
a75ded797773426dc2d667a345adc041ff2e5bf9ac5376dfce3459e08499624ba0878aef965ed23323462b04bb5b6f9054da098a73a32e40c854b5a45aa87a45

Download Submit
C:\Users\Admin\AppData\Roaming\619FC\C38C.19F

Filesize
600B

MD5
c6d58b0a300fd4c3cf7a1b4e4e49b23a

SHA1
8a6274f6fcd0b1a57faaf22afd3030e28b467987

SHA256
5eb3495f374caa5a2a70d360d2e0a2f2473db4981f0619441686fd3d89ef6bc8

SHA512
f848bb6abe20ad82b064ef88fcc9dd0a97d83ce97b6ec3d27b2daede3aae8eb7603f1a39bba0e264a05fb547b0218cb9f9c012b2927c0f43b8400e2344fd383b

Download Submit
C:\Users\Admin\AppData\Roaming\619FC\C38C.19F

Filesize
1KB

MD5
bd279fee86806d9e377102de92e56416

SHA1
7f052813a9c7a16b2c14a1a9e88ca8a4dd829ae1

SHA256
2ec61be13dfc3b6e2f8beb3cadf08b2b21e049bc495722f704d45ec7a712f761

SHA512
f2ae17ffdbedbb0a637f9d8287fad7e4a3c6a3a9d0542456626f9780aac3b70a4cf645f37e0944e2352319677e53325530d34b24e7a63cc57f519d833181601c

Download Submit
memory/2020-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2020-13-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2020-14-0x00000000020C0000-0x000000000213C000-memory.dmp

Filesize
496KB

Download
memory/2364-117-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2364-118-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2372-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2372-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2372-119-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2372-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2372-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2372-273-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads