cycbot | c7374243439e3c3c8255d16edc4b4bc88d58ce41852b8fc231410d30443093c6

General

Target

JaffaCakes118_63a64fab1dcd6d59778659d433304664.exe
Size

175KB
MD5

63a64fab1dcd6d59778659d433304664
SHA1

e7db1b5fc5cbc531dbc19fc18082a77ef04a8fbe
SHA256

c7374243439e3c3c8255d16edc4b4bc88d58ce41852b8fc231410d30443093c6
SHA512

a5148019a28e1fdec192bfc0c48242a98c86065ef814f9afaba67ba103c1443b633416c2f24d03067665297a60e6702298b94abe440d681119dc7656da25dc88
SSDEEP

3072:eyhMAEU+IpLrMRWZnXGadK6PeYpNkpLPqeKP4Hgtr4LcSu0iSjqUU1:eSCURauGUFUcSu0iSC

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1972-9-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/1972-8-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/1732-14-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/1732-75-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/1032-78-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/1732-183-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_63a64fab1dcd6d59778659d433304664.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1732-2-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1972-9-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1972-8-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1732-14-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1732-75-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1032-77-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1032-78-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1732-183-0x0000000000400000-0x000000000046E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_63a64fab1dcd6d59778659d433304664.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_63a64fab1dcd6d59778659d433304664.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_63a64fab1dcd6d59778659d433304664.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1972	1732	JaffaCakes118_63a64fab1dcd6d59778659d433304664.exe	30
PID 1732 wrote to memory of 1972	1732	JaffaCakes118_63a64fab1dcd6d59778659d433304664.exe	30
PID 1732 wrote to memory of 1972	1732	JaffaCakes118_63a64fab1dcd6d59778659d433304664.exe	30
PID 1732 wrote to memory of 1972	1732	JaffaCakes118_63a64fab1dcd6d59778659d433304664.exe	30
PID 1732 wrote to memory of 1032	1732	JaffaCakes118_63a64fab1dcd6d59778659d433304664.exe	32
PID 1732 wrote to memory of 1032	1732	JaffaCakes118_63a64fab1dcd6d59778659d433304664.exe	32
PID 1732 wrote to memory of 1032	1732	JaffaCakes118_63a64fab1dcd6d59778659d433304664.exe	32
PID 1732 wrote to memory of 1032	1732	JaffaCakes118_63a64fab1dcd6d59778659d433304664.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63a64fab1dcd6d59778659d433304664.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63a64fab1dcd6d59778659d433304664.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63a64fab1dcd6d59778659d433304664.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63a64fab1dcd6d59778659d433304664.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1972
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63a64fab1dcd6d59778659d433304664.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63a64fab1dcd6d59778659d433304664.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3E40.F95

Filesize
1KB

MD5
de6a63c560f54ce116b33499708d0995

SHA1
d54c14f1780186d9acc74b2600f6de8775fb36a7

SHA256
e3b479e1101a0d84cb855c614cbf22665de480056d6d267723ae8437210b8a78

SHA512
ee1584fc361c15f03d74450877e39c8765847bf7880892ff39eff9ab7b3799c886236bc0da08e61e1b8d1ed240d003b972f8eeafa883ece76e6666e66a020331

Download Submit
C:\Users\Admin\AppData\Roaming\3E40.F95

Filesize
600B

MD5
2f8e5aefaa7770cd5e32362131ac152d

SHA1
d4ee9e0fb3638afb9d1b7076e2afdb6249d4e7c1

SHA256
4372f6ada5aaba2f02d5689b031bed4fc849a1d15f3af1cbc4442ae9e4f4e915

SHA512
b955752ae72488123b942acaa069eca9f5f6c2624469bd1a151747c96f34ad346515c4919d93a1ca3bce01784a27ac2f487eb8cf81ddb6f6689561562b10485c

Download Submit
C:\Users\Admin\AppData\Roaming\3E40.F95

Filesize
996B

MD5
bb56c642240e5299531c219bbd00d0a8

SHA1
ee189debef74cb65fac41d1300b4ac0dcd8ddda2

SHA256
8a3cc976ec8c97d4edc90f00da73e5408c4cc30d909faf67f26cd12f9cb0cfbe

SHA512
c3cfe22361b91478f1457b57dfee96a59daeb537e40e81985f88cb0482e14d842f280491057bc64ff94316fa7cb3aebd0ac5da4d4817c9608e753eaba43295ec

Download Submit
memory/1032-77-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1032-78-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1732-1-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1732-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1732-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1732-75-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1732-183-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1972-9-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1972-8-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads