cycbot | 205ee3397aaacd58eedf3494f2c3f71007a27888de0d4bd1f718a65d067a980d

General

Target

JaffaCakes118_0548478fc4d1343ef0b9041c01750f77.exe
Size

166KB
MD5

0548478fc4d1343ef0b9041c01750f77
SHA1

08bd7502a46567d3cc213f2569cd5b6e79ea9c94
SHA256

205ee3397aaacd58eedf3494f2c3f71007a27888de0d4bd1f718a65d067a980d
SHA512

a227694c956173a78a878ab9c3c619a3ce5ceb146cf7dc6f672def16beede630670c00b756cf03c9dc9e791a14ce845fc6d1293b00b74fe2be8a4c6cd1160393
SSDEEP

3072:nYLcSldf4pukdE3ats+J8vMtDS4AmN0mWotFowQjaxmiKqd1NDfCJyc:nYgS34HdE/+J8vQDWotFvQjaIiKqdrDG

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2724-12-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2564-13-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/1176-127-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2564-128-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2564-322-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\36CC0\\C1054.exe"	JaffaCakes118_0548478fc4d1343ef0b9041c01750f77.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2724-12-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2564-13-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1176-127-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2564-128-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2564-322-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0548478fc4d1343ef0b9041c01750f77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0548478fc4d1343ef0b9041c01750f77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0548478fc4d1343ef0b9041c01750f77.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2724	2564	JaffaCakes118_0548478fc4d1343ef0b9041c01750f77.exe	31
PID 2564 wrote to memory of 2724	2564	JaffaCakes118_0548478fc4d1343ef0b9041c01750f77.exe	31
PID 2564 wrote to memory of 2724	2564	JaffaCakes118_0548478fc4d1343ef0b9041c01750f77.exe	31
PID 2564 wrote to memory of 2724	2564	JaffaCakes118_0548478fc4d1343ef0b9041c01750f77.exe	31
PID 2564 wrote to memory of 1176	2564	JaffaCakes118_0548478fc4d1343ef0b9041c01750f77.exe	33
PID 2564 wrote to memory of 1176	2564	JaffaCakes118_0548478fc4d1343ef0b9041c01750f77.exe	33
PID 2564 wrote to memory of 1176	2564	JaffaCakes118_0548478fc4d1343ef0b9041c01750f77.exe	33
PID 2564 wrote to memory of 1176	2564	JaffaCakes118_0548478fc4d1343ef0b9041c01750f77.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0548478fc4d1343ef0b9041c01750f77.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0548478fc4d1343ef0b9041c01750f77.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0548478fc4d1343ef0b9041c01750f77.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0548478fc4d1343ef0b9041c01750f77.exe startC:\Program Files (x86)\LP\54F3\0A0.exe%C:\Program Files (x86)\LP\54F3
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2724
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0548478fc4d1343ef0b9041c01750f77.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0548478fc4d1343ef0b9041c01750f77.exe startC:\Program Files (x86)\C05F9\lvvm.exe%C:\Program Files (x86)\C05F9
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\36CC0\05F9.6CC

Filesize
996B

MD5
a59e0307fc6a9f7e1480a5c29efde137

SHA1
1d614224d11fc16dcc2576e0c369135ba6165cb5

SHA256
aa7fe23a196632531e290398c5f374d1e6069d732a67652b3a86350fb4534cf5

SHA512
357616fd3d546bfa82fa81154c26294e4ed9d63d594cda55dd3af6eb80ab91281ec7095348a6b29e92f8a6abd8ce360202d62f7e7921ff506f056652745e0f06

Download Submit
C:\Users\Admin\AppData\Roaming\36CC0\05F9.6CC

Filesize
600B

MD5
288da6f665b7f3d5db4a623fddc9bf15

SHA1
398f253ef60bd8784c2fe99e9132e78ecf44d24b

SHA256
970725cbe8bd497078da3459173264c66acef914720a0b594bff622a89368ef9

SHA512
b0c07127a20f5f138bd11a985b07ef20e36714960713d40e1f652c724724a1cc3c84a93b68e7ce9aa964f676ed96a47719a071ee72a4ea1d713aa85f84b34675

Download Submit
C:\Users\Admin\AppData\Roaming\36CC0\05F9.6CC

Filesize
1KB

MD5
b89f455be049ad661af3421b92422a58

SHA1
9d4d761e0d1af8c5536c66b7a710a4caa21ee4d2

SHA256
0bbf51f3ef1f112267fae7144a1fe7410e737a0b451e9dbe25b9c7b4a1eb446a

SHA512
1036d299b3f3d5811afffd7b3a837854dd1669ad78c294dc1ffd2acbb2a51f02ef1528ce60273216582573e3e69f179773d8abc993e989998364e82d7aa8b978

Download Submit
memory/1176-127-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2564-0-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2564-13-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2564-128-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2564-322-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2724-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads