cycbot | 2194e3586812e02a34217a3595a401b2773d3f6a79e4540223e1db08020a5b1f

General

Target

JaffaCakes118_793b164fbc24330e512d3f739f113784.exe
Size

180KB
MD5

793b164fbc24330e512d3f739f113784
SHA1

91c0c1e5b0dcb4890706afde962dad0312e334db
SHA256

2194e3586812e02a34217a3595a401b2773d3f6a79e4540223e1db08020a5b1f
SHA512

6c681c60d0ef247f4f13990575cd0b50679ccfb823dc1e247dddd1c73edc033b52ecb23a13ed928fbe219af2f06596e3e964dfdfe1355c7057bb77b84e6db4e1
SSDEEP

3072:cGOkBoMfT2CXXcPhro8CwnFGUSzbMYT6rezPbEaWfXYyEDx2Kkk+DGavz5:cGOk6loXcJk87TY2rejbEaWfoH27k+yi

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1720-13-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/1720-15-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/2492-16-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/2492-87-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/2884-92-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/2492-213-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_793b164fbc24330e512d3f739f113784.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2492-2-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1720-12-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1720-13-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1720-15-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2492-16-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2492-87-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2884-89-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2884-91-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2884-92-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2492-213-0x0000000000400000-0x000000000046E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_793b164fbc24330e512d3f739f113784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_793b164fbc24330e512d3f739f113784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_793b164fbc24330e512d3f739f113784.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 1720	2492	JaffaCakes118_793b164fbc24330e512d3f739f113784.exe	30
PID 2492 wrote to memory of 1720	2492	JaffaCakes118_793b164fbc24330e512d3f739f113784.exe	30
PID 2492 wrote to memory of 1720	2492	JaffaCakes118_793b164fbc24330e512d3f739f113784.exe	30
PID 2492 wrote to memory of 1720	2492	JaffaCakes118_793b164fbc24330e512d3f739f113784.exe	30
PID 2492 wrote to memory of 2884	2492	JaffaCakes118_793b164fbc24330e512d3f739f113784.exe	32
PID 2492 wrote to memory of 2884	2492	JaffaCakes118_793b164fbc24330e512d3f739f113784.exe	32
PID 2492 wrote to memory of 2884	2492	JaffaCakes118_793b164fbc24330e512d3f739f113784.exe	32
PID 2492 wrote to memory of 2884	2492	JaffaCakes118_793b164fbc24330e512d3f739f113784.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_793b164fbc24330e512d3f739f113784.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_793b164fbc24330e512d3f739f113784.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_793b164fbc24330e512d3f739f113784.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_793b164fbc24330e512d3f739f113784.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1720
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_793b164fbc24330e512d3f739f113784.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_793b164fbc24330e512d3f739f113784.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\01EF.B5D

Filesize
1KB

MD5
c13e6d8c01e420f1b6082e4ea20feb6d

SHA1
b4a0026fda67c168d7e3a4e0ee152d47b6ce0419

SHA256
b7a2958a67f08aba079a413288c544571468d1bddd36424838018b85408d4b88

SHA512
5db5a694b61f777b85b2b2f77fd31002fd52c7e8f6a02f1b2ff606657499a3a4c6c196765f7c43b869fde6e99e0213551ab80cf81e9b5d8ef8b3f23d14b533c0

Download Submit
C:\Users\Admin\AppData\Roaming\01EF.B5D

Filesize
600B

MD5
e205ffe96e67f152306f312d49e1afbf

SHA1
0d1b282e678ebde917bbd632df472177ee3d67c0

SHA256
3f32b7679b0a299a85b4d111857cb936b924f9631a02c18c0128644409d4f290

SHA512
e9c5344be8e0e467323b9247a7b1bec0109aff3502c489b5ac61c9eacc41b289c41ae14856953ab856bd8125173603fee40ca4a430184ac65d408ae92e4be04d

Download Submit
C:\Users\Admin\AppData\Roaming\01EF.B5D

Filesize
996B

MD5
296a8e9dfe6fdb0c45059e7a0a4abd3b

SHA1
b37ca94be21c1d7040d9629df2b0c4a70f906c9f

SHA256
c6b8cf8a7c5477dd1361436ae3a3673f0c8a27c09c7909dedefd82cbf3c24e94

SHA512
a8afe581fa8ca25f720146f234da0acfad3290b0baa4861f29f787d04affaa050a8e287e11fb5593adef751fbfa4f4d856f85064646fa488ba7b88b08bdb87c4

Download Submit
memory/1720-13-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1720-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1720-12-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2492-16-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2492-1-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2492-87-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2492-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2492-213-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2884-89-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2884-91-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2884-92-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads