cycbot | 27dbd55f0a916a37c858ebcad87c4fd4b56d30768c6b8fad1b7bd52d3da9321d

General

Target

JaffaCakes118_0f8ff1d02f4d2ab438537afb36cf0bfd.exe
Size

166KB
MD5

0f8ff1d02f4d2ab438537afb36cf0bfd
SHA1

468fc26a61057e42e34fd9d7ca567d81b4fe7b07
SHA256

27dbd55f0a916a37c858ebcad87c4fd4b56d30768c6b8fad1b7bd52d3da9321d
SHA512

c9460d922a16272e8c902a2f9b240e811a12903265a9d907b5ee29fc5c7dd67d705ac22115de815626619f5a1511692f40a3a456ec4f9ebddd37893e6ff82c69
SSDEEP

3072:H45D2T8WZ9Et60okcy94lywywBs6zukCSQlx93WH9wQ/QRgpcNGSH2RCxzo:H48pEt60o1yMyT+sRhT93fQ/Y6cNGSWK

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1588-14-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/1588-15-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2420-16-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/2420-17-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/1924-141-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2420-142-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2420-304-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\C9630\\AAF5E.exe"	JaffaCakes118_0f8ff1d02f4d2ab438537afb36cf0bfd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2420-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1588-12-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1588-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1588-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2420-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2420-17-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1924-139-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1924-141-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2420-142-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2420-304-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0f8ff1d02f4d2ab438537afb36cf0bfd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1588	2420	JaffaCakes118_0f8ff1d02f4d2ab438537afb36cf0bfd.exe	31
PID 2420 wrote to memory of 1588	2420	JaffaCakes118_0f8ff1d02f4d2ab438537afb36cf0bfd.exe	31
PID 2420 wrote to memory of 1588	2420	JaffaCakes118_0f8ff1d02f4d2ab438537afb36cf0bfd.exe	31
PID 2420 wrote to memory of 1588	2420	JaffaCakes118_0f8ff1d02f4d2ab438537afb36cf0bfd.exe	31
PID 2420 wrote to memory of 1924	2420	JaffaCakes118_0f8ff1d02f4d2ab438537afb36cf0bfd.exe	33
PID 2420 wrote to memory of 1924	2420	JaffaCakes118_0f8ff1d02f4d2ab438537afb36cf0bfd.exe	33
PID 2420 wrote to memory of 1924	2420	JaffaCakes118_0f8ff1d02f4d2ab438537afb36cf0bfd.exe	33
PID 2420 wrote to memory of 1924	2420	JaffaCakes118_0f8ff1d02f4d2ab438537afb36cf0bfd.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0f8ff1d02f4d2ab438537afb36cf0bfd.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0f8ff1d02f4d2ab438537afb36cf0bfd.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0f8ff1d02f4d2ab438537afb36cf0bfd.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0f8ff1d02f4d2ab438537afb36cf0bfd.exe startC:\Program Files (x86)\LP\5E1C\424.exe%C:\Program Files (x86)\LP\5E1C
  2⤵
  PID:1588
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0f8ff1d02f4d2ab438537afb36cf0bfd.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0f8ff1d02f4d2ab438537afb36cf0bfd.exe startC:\Program Files (x86)\303F5\lvvm.exe%C:\Program Files (x86)\303F5
  2⤵
  PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C9630\03F5.963

Filesize
996B

MD5
0daf3b0a84e06149678a142b6ea48705

SHA1
37a7531e147e461099d011aa9e1db039bdd32c88

SHA256
e2606c4d94ab46b83ae2eb7d85de23ee432e5da0d39c3106d547dd508c3c1dd9

SHA512
ad2e6d77103bcb24eea0835cceb9d98e0fe51317fdf9bfa1bcfdcd7aacb7e88aa09a2bb72516c1c37ed0e531536bd0b849df7b1e3506506697aa1bd332e2d520

Download Submit
C:\Users\Admin\AppData\Roaming\C9630\03F5.963

Filesize
600B

MD5
6df147d4a846117f17004b2e125af1ad

SHA1
7f6abb83d54c113d1eb49cff8bc2fc1582af7d90

SHA256
34a436058177a97c61a084ddebab93b33e0e01fae67bec0a23780887a85a95f3

SHA512
2630b653987fc06c5ff9cc542ea5c72ab147bf707454b46c3f73dabe24d45de91aeefa3946c1103d108146cebb52c09f07c43519dc66924ca7f6dd91e5064646

Download Submit
C:\Users\Admin\AppData\Roaming\C9630\03F5.963

Filesize
1KB

MD5
dd56158900fe36a27efade74adec876c

SHA1
9a1007d8f42d8b68bcf7033488a0f24bc83ce8c7

SHA256
14e854c09cfb7887e11484d251b673d65f6847973fe9f05634b6e3b9f6a5e25c

SHA512
9d04b273c4f34d3ac3e90d2574a79818228acb4e44fa67ab6d4e1cb8e3149c0bc4a671e445fc1f8790365f62dadc11ad5cce251dc7520db993bcc7183082b822

Download Submit
memory/1588-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1588-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1588-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1924-141-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1924-139-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1924-138-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2420-17-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2420-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2420-142-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2420-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2420-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2420-304-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads