cycbot | 0a67c215dfb9deb1957afc5c48e7d3b92671a744ad957c84c1d1c6a1251118ee

General

Target

JaffaCakes118_7954234d238ec0d58f2bdab1900a08c2.exe
Size

178KB
MD5

7954234d238ec0d58f2bdab1900a08c2
SHA1

e84c32ca7d6e8d0e2495e77dd1223a5c33ff6583
SHA256

0a67c215dfb9deb1957afc5c48e7d3b92671a744ad957c84c1d1c6a1251118ee
SHA512

a21820f484e4a8f9c289f0e8563561b52480c1f24db5c2e101ab35fe19b546796043e08597643b68493b59d7249d5e3e1c10f201b7bc13994a7ad45dbe50d9c6
SSDEEP

3072:AxfwhcNwS+YJbuAf8PF8o1IqNaqsoQgZReFv9CMEwWIammbbltlhHQo/uTBz:9GbJbvto1OoQg6uMENXltlVQo/ut

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2532-14-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2212-15-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2532-77-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/1068-85-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/1068-87-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2212-88-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2212-150-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_7954234d238ec0d58f2bdab1900a08c2.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2212-2-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2532-12-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2532-14-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2212-15-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2532-77-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/1068-85-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/1068-87-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2212-88-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2212-150-0x0000000000400000-0x000000000048D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7954234d238ec0d58f2bdab1900a08c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7954234d238ec0d58f2bdab1900a08c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7954234d238ec0d58f2bdab1900a08c2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2532	2212	JaffaCakes118_7954234d238ec0d58f2bdab1900a08c2.exe	30
PID 2212 wrote to memory of 2532	2212	JaffaCakes118_7954234d238ec0d58f2bdab1900a08c2.exe	30
PID 2212 wrote to memory of 2532	2212	JaffaCakes118_7954234d238ec0d58f2bdab1900a08c2.exe	30
PID 2212 wrote to memory of 2532	2212	JaffaCakes118_7954234d238ec0d58f2bdab1900a08c2.exe	30
PID 2212 wrote to memory of 1068	2212	JaffaCakes118_7954234d238ec0d58f2bdab1900a08c2.exe	32
PID 2212 wrote to memory of 1068	2212	JaffaCakes118_7954234d238ec0d58f2bdab1900a08c2.exe	32
PID 2212 wrote to memory of 1068	2212	JaffaCakes118_7954234d238ec0d58f2bdab1900a08c2.exe	32
PID 2212 wrote to memory of 1068	2212	JaffaCakes118_7954234d238ec0d58f2bdab1900a08c2.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7954234d238ec0d58f2bdab1900a08c2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7954234d238ec0d58f2bdab1900a08c2.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7954234d238ec0d58f2bdab1900a08c2.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7954234d238ec0d58f2bdab1900a08c2.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2532
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7954234d238ec0d58f2bdab1900a08c2.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7954234d238ec0d58f2bdab1900a08c2.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DDE1.886

Filesize
1KB

MD5
5d7bcb559b54aab7bf071b29e49a431f

SHA1
7d5264765c404e7987aadf17495c735c931e2f34

SHA256
ad92da38859b4ebe293bde5604383436cb299be831aae5b57a155166b4e5c9be

SHA512
74f9231dcb42eae02f9b5f3d620ed7b9654359de052dda6e5c073ebbec5ad5607cd015674d253a391ca1097a1b11c03b3b02c2185ebb60491e1af555bdebed65

Download Submit
C:\Users\Admin\AppData\Roaming\DDE1.886

Filesize
600B

MD5
be418e28c441455081a7c749193ea5bc

SHA1
b53bead5802311fa0a8c54ea8e956c1d2fd70a7d

SHA256
a44b72114c2bb98f3f45f37411af6df469d08a6eef5d6167f055cee4d9789e57

SHA512
a27e95788c4c3a99a73bacb5fa5186a79584b65436be28a5c3ed2f5ef033977879f880ff0693938c67b65440bbf1e5f3b7bb45c54374e2198dfb37076299e081

Download Submit
C:\Users\Admin\AppData\Roaming\DDE1.886

Filesize
996B

MD5
23ebd5fec82938a9efb39246af516f84

SHA1
da6014db4299e62e3fe8c1ec570b94307ad1ad91

SHA256
7cf48cdc22d97e5f61965eb358e2b02abdda756ca605ed2f0ea4b5ca69bbc882

SHA512
8a55a5c3c396187f1e3f213303e19de7cf222bb7eebf3a4002e195ef2d6e15e52a623bcfd8eb689e25377a5ba4aed0f584be91fe7e160e19e365bc15eaf891e3

Download Submit
memory/1068-84-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1068-85-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1068-87-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2212-2-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2212-150-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2212-1-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2212-15-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2212-88-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2532-14-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2532-77-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2532-12-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads