cycbot | 298155e10c68dcfdf0e68fecaab1236dde0c2a358d65257a1d64a72206f4a960

General

Target

JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
Size

275KB
MD5

0d3393d6895b52c627e9cf42414a6359
SHA1

0cd99b800c92868245d951bdbd418e6f1f3a4a22
SHA256

298155e10c68dcfdf0e68fecaab1236dde0c2a358d65257a1d64a72206f4a960
SHA512

872f9c281541e6a421809cdbb726066d9b8efa2390f562d89af1e5a0bebce827a80ba4971b7f32aecd9fc9496e5a3152dd4d03f0e6e9722712cea09032d45ce5
SSDEEP

6144:KSokLsgu1AicWHNGECoL03tnJbCrg4njSdjLtotWYlt/T:KSXDu1Ai5IECoOnJeL6BnYlt

Score

10^/10

cycbot backdoor discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2352-13-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2352-15-0x0000000000400000-0x0000000000467000-memory.dmp	family_cycbot
behavioral1/memory/2024-19-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2352-120-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1256-124-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2352-310-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2352-313-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
2292	344A.tmp

Loads dropped DLL 5 IoCs

pid	Process
2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\424.exe = "C:\\Program Files (x86)\\LP\\5E1A\\424.exe"	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2352-3-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2352-13-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2352-15-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2024-19-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2024-17-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2352-120-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1256-122-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1256-124-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2352-310-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2352-313-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\5E1A\424.exe	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
File opened for modification	C:\Program Files (x86)\LP\5E1A\424.exe	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
File opened for modification	C:\Program Files (x86)\LP\5E1A\344A.tmp	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2884	2292	WerFault.exe	37

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	344A.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1880	explorer.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeRestorePrivilege	2496	msiexec.exe
Token: SeTakeOwnershipPrivilege	2496	msiexec.exe
Token: SeSecurityPrivilege	2496	msiexec.exe
Token: SeShutdownPrivilege	1880	explorer.exe
Token: SeShutdownPrivilege	1880	explorer.exe
Token: SeShutdownPrivilege	1880	explorer.exe
Token: SeShutdownPrivilege	1880	explorer.exe
Token: SeShutdownPrivilege	1880	explorer.exe
Token: SeShutdownPrivilege	1880	explorer.exe
Token: SeShutdownPrivilege	1880	explorer.exe
Token: SeShutdownPrivilege	1880	explorer.exe
Token: SeShutdownPrivilege	1880	explorer.exe
Token: SeShutdownPrivilege	1880	explorer.exe
Token: SeShutdownPrivilege	1880	explorer.exe
Token: SeShutdownPrivilege	1880	explorer.exe
Token: SeShutdownPrivilege	1880	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2024	2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	31
PID 2352 wrote to memory of 2024	2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	31
PID 2352 wrote to memory of 2024	2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	31
PID 2352 wrote to memory of 2024	2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	31
PID 2352 wrote to memory of 1256	2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	34
PID 2352 wrote to memory of 1256	2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	34
PID 2352 wrote to memory of 1256	2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	34
PID 2352 wrote to memory of 1256	2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	34
PID 2352 wrote to memory of 2292	2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	37
PID 2352 wrote to memory of 2292	2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	37
PID 2352 wrote to memory of 2292	2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	37
PID 2352 wrote to memory of 2292	2352	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe	37
PID 2292 wrote to memory of 2884	2292	344A.tmp	38
PID 2292 wrote to memory of 2884	2292	344A.tmp	38
PID 2292 wrote to memory of 2884	2292	344A.tmp	38
PID 2292 wrote to memory of 2884	2292	344A.tmp	38

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe"
1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2352
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe startC:\Users\Admin\AppData\Roaming\AFD5C\AAF5E.exe%C:\Users\Admin\AppData\Roaming\AFD5C
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2024
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3393d6895b52c627e9cf42414a6359.exe startC:\Program Files (x86)\5CBDB\lvvm.exe%C:\Program Files (x86)\5CBDB
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1256
- C:\Program Files (x86)\LP\5E1A\344A.tmp
  "C:\Program Files (x86)\LP\5E1A\344A.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 176
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2884

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

4

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AFD5C\CBDB.FD5

Filesize
996B

MD5
e3916aa8ba650fc02dcdd4cc3a577e4e

SHA1
f7cdc3152747629648c99781784c5bc2d4571b1e

SHA256
75d019e8836e9122dbf5fecc4eebb708e797dbd0e6642988fa2ba1343fb5140b

SHA512
f063f2d19c85fd4a927ab0843940bab87eb0fda5ab3bf1998cb1e42ba2389ff91abb69244117f62da0ebca8825077f69f39580c79272dc0a15603eeccff1f0f4

Download Submit
C:\Users\Admin\AppData\Roaming\AFD5C\CBDB.FD5

Filesize
600B

MD5
3e6bb1e12c4b04922226169cdeeba9bc

SHA1
7303c52ccbe976aa850c80048690be757e148588

SHA256
3e862bf36c251d6bdb3c81ea7f3159a68f2f30d16b1e1405a1ca89afd0e9454a

SHA512
0333d47784ed9c133e38e7b60d7ef9a31590acb523a2ec8b948704645ef1bf94dc1b84ac78017d46c91cd5a222e49c5f4725c94aeb5f29dc8f74bf21c705d108

Download Submit
C:\Users\Admin\AppData\Roaming\AFD5C\CBDB.FD5

Filesize
1KB

MD5
602fcee0bb167dfa1e474d0c0a5cc094

SHA1
6c1a222a784deca2f30d687e5c43d29616f7f435

SHA256
94520484f092c8a5041ba402e6ed443870ce88fc0b82c7234134f59fb8e66ffe

SHA512
5a35b33e6198924aed55e33809be14cfe5b281680e0062d5a28f5cc7548246432a74a40a38c5562a96cea44b5b0eeec47e3942d87fc8abaa999b3768486a6900

Download Submit
\Program Files (x86)\LP\5E1A\344A.tmp

Filesize
97KB

MD5
6b5ac6578a6569bd04a0cd84361d62a4

SHA1
47a4e0e5d0dba0cfa49e7714eb1132c1e124fec9

SHA256
fcf0d2693cdf1581388d1ea096f38af087f8fda24a0394bad49c6f33d6e1d0d2

SHA512
e95ae3ac6e37697ff2e967c5c08359c5425c288039e586d89009e1ed2bd58786ea5ae23c1425389e5ff46f31d3129b617d6a1e5f3eb92ba1955f91a183b0b87c

Download Submit
memory/1256-122-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1256-124-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2024-17-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2024-19-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2024-18-0x00000000002B8000-0x00000000002D8000-memory.dmp

Filesize
128KB

Download
memory/2352-3-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2352-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2352-120-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2352-2-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2352-15-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2352-13-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2352-310-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2352-313-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads