cycbot | 27bf80cedb77bb41032aa4e3deaebea453de9ccca209725790d93fcee5bfd79b

General

Target

JaffaCakes118_6e92d1f3c45230d7774baced558ac9af.exe
Size

179KB
MD5

6e92d1f3c45230d7774baced558ac9af
SHA1

9c02ea0af74289ef82f1e6f92f900f6e6ce5d43e
SHA256

27bf80cedb77bb41032aa4e3deaebea453de9ccca209725790d93fcee5bfd79b
SHA512

eff679c4ae18946de70b435f19ec60d35e4aa7f25f880cbb8da0bba1ee1bcb83ea997b843a8f3ef199aff9328409c2a712d5389c01a15640161b4e99bf356a9f
SSDEEP

3072:J5c3fSRIhyjmaXbQ1b320SHPemkDFroMXcwwJFugUBko1fs5FtNFP4ifTZQCb:Jpbr+3AeZFroyNwJYgABq1F1v

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 8 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2928-9-0x0000000000400000-0x0000000000486000-memory.dmp	family_cycbot
behavioral1/memory/2928-8-0x0000000000400000-0x0000000000486000-memory.dmp	family_cycbot
behavioral1/memory/2888-19-0x0000000000400000-0x0000000000486000-memory.dmp	family_cycbot
behavioral1/memory/2888-20-0x0000000000400000-0x0000000000486000-memory.dmp	family_cycbot
behavioral1/memory/1112-82-0x0000000000400000-0x0000000000486000-memory.dmp	family_cycbot
behavioral1/memory/2888-83-0x0000000000400000-0x0000000000486000-memory.dmp	family_cycbot
behavioral1/memory/2888-178-0x0000000000400000-0x0000000000486000-memory.dmp	family_cycbot
behavioral1/memory/2888-211-0x0000000000400000-0x0000000000486000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_6e92d1f3c45230d7774baced558ac9af.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2888-2-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/2928-6-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/2928-9-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/2928-8-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/2888-19-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/2888-20-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/1112-81-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/1112-82-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/2888-83-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/2888-178-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/2888-211-0x0000000000400000-0x0000000000486000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6e92d1f3c45230d7774baced558ac9af.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6e92d1f3c45230d7774baced558ac9af.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6e92d1f3c45230d7774baced558ac9af.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2928	2888	JaffaCakes118_6e92d1f3c45230d7774baced558ac9af.exe	30
PID 2888 wrote to memory of 2928	2888	JaffaCakes118_6e92d1f3c45230d7774baced558ac9af.exe	30
PID 2888 wrote to memory of 2928	2888	JaffaCakes118_6e92d1f3c45230d7774baced558ac9af.exe	30
PID 2888 wrote to memory of 2928	2888	JaffaCakes118_6e92d1f3c45230d7774baced558ac9af.exe	30
PID 2888 wrote to memory of 1112	2888	JaffaCakes118_6e92d1f3c45230d7774baced558ac9af.exe	32
PID 2888 wrote to memory of 1112	2888	JaffaCakes118_6e92d1f3c45230d7774baced558ac9af.exe	32
PID 2888 wrote to memory of 1112	2888	JaffaCakes118_6e92d1f3c45230d7774baced558ac9af.exe	32
PID 2888 wrote to memory of 1112	2888	JaffaCakes118_6e92d1f3c45230d7774baced558ac9af.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e92d1f3c45230d7774baced558ac9af.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e92d1f3c45230d7774baced558ac9af.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e92d1f3c45230d7774baced558ac9af.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e92d1f3c45230d7774baced558ac9af.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2928
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e92d1f3c45230d7774baced558ac9af.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e92d1f3c45230d7774baced558ac9af.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5C20.843

Filesize
597B

MD5
4f7daad4069db2be755e9a45e9a01386

SHA1
34f12042b1ed14d18486d3030bcdccde384a8613

SHA256
1949e9055e14e28d0e76f2c9092da4b9ed9fb76fae251af0dcf2a43777e23d06

SHA512
903572adfbf153a00742db1a8722f0d0d16975216f7dc8c6a53d11726fa07166eae4927a977b812c6a73c626c9c024c00fb096f74f7d177e89fe72f96a458e1e

Download Submit
C:\Users\Admin\AppData\Roaming\5C20.843

Filesize
1KB

MD5
59ac4c638575e4b23848cab4ca1f18d8

SHA1
29f6b11cf2b0a74c1b3596558d6888727a137691

SHA256
c8f6010ece0fc78c19929e69f6bf069bd09952397348171df608bb4958a5ee86

SHA512
914e784668c136c114708750fb8f6538d058fe104d92730afdc8aa633b255893e047d77aad549597ccd68a7181c31dab8caa2e7ddd6e3d8cd56fd786a409822a

Download Submit
C:\Users\Admin\AppData\Roaming\5C20.843

Filesize
897B

MD5
00d39a56883ada4b80d03fa6cd2f4710

SHA1
eb62012bd1466946463d792221f476713f900764

SHA256
4f8ae10c325107aba632e2f45f95d71d9372f6c45b4b676c3133479ef12afc93

SHA512
ece9a28c318b8426194f324772a9313ca33ef60edfae08be5655eabad38abadde18d11acd7a81f421fa20c1c454b2b07f5a38605e64f16d488b6b978a860b4af

Download Submit
C:\Users\Admin\AppData\Roaming\5C20.843

Filesize
1KB

MD5
8c69c6b7ce6871dd545cfea5f7a17265

SHA1
7a6a554915d9bc63880b51837d08833635e83fdb

SHA256
c074ef403cf459a8ed76f8fcdf9b2965cc6d24c3e03d3d04bbfa27a6c63ecbee

SHA512
d8bb906791a3b8ed476eceff2c541d62b5e73ef13761ff82ad1a1a7a88ea69174c3048e7572bf7f4b2d3d3fbc0d70e6b406d64f56d484e73a071f8b8041ca10b

Download Submit
memory/1112-81-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1112-82-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2888-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2888-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2888-83-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2888-1-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2888-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2888-178-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2888-211-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2928-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2928-9-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2928-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads