cycbot | 16eac02ab1978d841957f0fa1860f25caa6c5cfa5f684fa4f941416b58dab1bb

General

Target

JaffaCakes118_0e4aababa44e7c791885d4a1008bee08.exe
Size

168KB
MD5

0e4aababa44e7c791885d4a1008bee08
SHA1

bb938024657863666262cdeec834cf077679f973
SHA256

16eac02ab1978d841957f0fa1860f25caa6c5cfa5f684fa4f941416b58dab1bb
SHA512

bcd9a9acb938147bea1d5c5807a27df60728637e36c49096d21352df7ef4d28d211ddbc2212795c0b65ecb84492817c57625eee81b47e400b3a1fa20a6c4fcc8
SSDEEP

3072:JSl1S5zLQDDh10NRW3/n2kJWQvitdEZzK50CkF0VWfwG84CZxjOSOU2YOto9eJ:yUCDDhK63/2kJpa7EZzFF0co/4CPjjY2

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1840-14-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2428-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2428-16-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/336-143-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2428-144-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2428-318-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\2D20C\\1B45C.exe"	JaffaCakes118_0e4aababa44e7c791885d4a1008bee08.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2428-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1840-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2428-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2428-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/336-143-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2428-144-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2428-318-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0e4aababa44e7c791885d4a1008bee08.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0e4aababa44e7c791885d4a1008bee08.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0e4aababa44e7c791885d4a1008bee08.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 1840	2428	JaffaCakes118_0e4aababa44e7c791885d4a1008bee08.exe	30
PID 2428 wrote to memory of 1840	2428	JaffaCakes118_0e4aababa44e7c791885d4a1008bee08.exe	30
PID 2428 wrote to memory of 1840	2428	JaffaCakes118_0e4aababa44e7c791885d4a1008bee08.exe	30
PID 2428 wrote to memory of 1840	2428	JaffaCakes118_0e4aababa44e7c791885d4a1008bee08.exe	30
PID 2428 wrote to memory of 336	2428	JaffaCakes118_0e4aababa44e7c791885d4a1008bee08.exe	33
PID 2428 wrote to memory of 336	2428	JaffaCakes118_0e4aababa44e7c791885d4a1008bee08.exe	33
PID 2428 wrote to memory of 336	2428	JaffaCakes118_0e4aababa44e7c791885d4a1008bee08.exe	33
PID 2428 wrote to memory of 336	2428	JaffaCakes118_0e4aababa44e7c791885d4a1008bee08.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e4aababa44e7c791885d4a1008bee08.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e4aababa44e7c791885d4a1008bee08.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e4aababa44e7c791885d4a1008bee08.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e4aababa44e7c791885d4a1008bee08.exe startC:\Program Files (x86)\LP\5CA2\4D3.exe%C:\Program Files (x86)\LP\5CA2
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1840
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e4aababa44e7c791885d4a1008bee08.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e4aababa44e7c791885d4a1008bee08.exe startC:\Program Files (x86)\0CD7F\lvvm.exe%C:\Program Files (x86)\0CD7F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2D20C\CD7F.D20

Filesize
996B

MD5
2acd862dc3bb23f394ed3c98094e9123

SHA1
5250352d52267d29def2a2555ee8a392fa34f95e

SHA256
d7689b62aef819d94d0154326ee14bcdfb4b587372ff7237d3f5976950e1ff0f

SHA512
603250d0254b3cb8da5f644a7aea56a98dbb01399112c794debe9e1b64c93dffe0d46a6d83bac57fe0f0e9c99b41b9bcbfdefae6c585b7df6063fbf268f97dd8

Download Submit
C:\Users\Admin\AppData\Roaming\2D20C\CD7F.D20

Filesize
600B

MD5
e348cf9002ce3cb04a716f40ee1eb34c

SHA1
cfc2811a0dc444a242f57e1ecbe59c69cba8cb5a

SHA256
5fe21e7d5471f8302f47d5d04a61d60e21fe68ae5741aa57cfa76e10bfc9b692

SHA512
59126979f3d0cdacdff840a159fb8058938b2ac727dfc79fb9ceaa1e6ab0c9edbd6b0a840b9e08a4f9f1a38681911eb70505fe194a6ce2db6a733603c953aca4

Download Submit
C:\Users\Admin\AppData\Roaming\2D20C\CD7F.D20

Filesize
1KB

MD5
badecbea07c376ad06026f05828f0f40

SHA1
74ccc37a93815f682cf2a97d2c91ef7bde6c8b5d

SHA256
68d2880e7eedef4d13e537b1e1a7dec2c12bb1b44ded0aae360fa723cd6fe48b

SHA512
67c446f45e6c1e6c43fe72e898587f88f5985f812502ae332ec37d18ea9fe797f235b773d0656e35259be8e323d7bcc4f4397caae2a227c1aee510ec8bbaa51d

Download Submit
memory/336-143-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/336-141-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1840-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1840-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2428-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2428-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2428-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2428-144-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2428-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2428-318-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads