cycbot | 4fcf450667218a1df9353065002c149c5114c3dbb1fe1c3b637e8ec6c31d7fde

General

Target

JaffaCakes118_1881000e125840e2f1ce8e11fd11fd79.exe
Size

167KB
MD5

1881000e125840e2f1ce8e11fd11fd79
SHA1

373c1710c52a49b837c916c2e5f7f9f89262ea98
SHA256

4fcf450667218a1df9353065002c149c5114c3dbb1fe1c3b637e8ec6c31d7fde
SHA512

789198b085b9e7e060b0bbb4879c9c61ebcca3a6777dadda43b85cc7164540ac071d25539f0db5e86e88a2805c55c8c170fa356bf6e026c2a8a8d9af183a9860
SSDEEP

3072:qDcGnHuWxN1GNscDYyKGXms753/oUlX47aJfi97ynwXMI/VJZot:UfnOWLyKGXn3QkZJ479XrVJZot

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2844-7-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2136-15-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2136-78-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2220-82-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2136-181-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_1881000e125840e2f1ce8e11fd11fd79.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2136-2-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2844-5-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2844-6-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2844-7-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2136-15-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2136-78-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2220-81-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2220-82-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2136-181-0x0000000000400000-0x000000000048A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1881000e125840e2f1ce8e11fd11fd79.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1881000e125840e2f1ce8e11fd11fd79.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1881000e125840e2f1ce8e11fd11fd79.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2844	2136	JaffaCakes118_1881000e125840e2f1ce8e11fd11fd79.exe	31
PID 2136 wrote to memory of 2844	2136	JaffaCakes118_1881000e125840e2f1ce8e11fd11fd79.exe	31
PID 2136 wrote to memory of 2844	2136	JaffaCakes118_1881000e125840e2f1ce8e11fd11fd79.exe	31
PID 2136 wrote to memory of 2844	2136	JaffaCakes118_1881000e125840e2f1ce8e11fd11fd79.exe	31
PID 2136 wrote to memory of 2220	2136	JaffaCakes118_1881000e125840e2f1ce8e11fd11fd79.exe	33
PID 2136 wrote to memory of 2220	2136	JaffaCakes118_1881000e125840e2f1ce8e11fd11fd79.exe	33
PID 2136 wrote to memory of 2220	2136	JaffaCakes118_1881000e125840e2f1ce8e11fd11fd79.exe	33
PID 2136 wrote to memory of 2220	2136	JaffaCakes118_1881000e125840e2f1ce8e11fd11fd79.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1881000e125840e2f1ce8e11fd11fd79.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1881000e125840e2f1ce8e11fd11fd79.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1881000e125840e2f1ce8e11fd11fd79.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1881000e125840e2f1ce8e11fd11fd79.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2844
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1881000e125840e2f1ce8e11fd11fd79.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1881000e125840e2f1ce8e11fd11fd79.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7536.D21

Filesize
1KB

MD5
6d0b1d256126afe7ec8d054789d2a45b

SHA1
7ebfa2de160859c9f33daeb98f58d140003c3480

SHA256
f952812c77e652aca5b5a5666c9d56d1632e3194673d753a1ef6ea079c9e13a2

SHA512
ebfd301f9995a82be66e3d307967b9e4c61782bd0031bb6512cc45349e08775a681f63537b0f6b824430a23ec52f81be8303d3fa365db01b7fcfb7fe06b8202a

Download Submit
C:\Users\Admin\AppData\Roaming\7536.D21

Filesize
600B

MD5
e2078c5d460c8fa7e29ef9cae926fe5b

SHA1
5dc806eb732fb96d7e770fd0d350c3c79f461e69

SHA256
d1232d8c7e0b5c3292ef0bcdd2873fa616dd1bbae2178d6838b5fdcd509b31eb

SHA512
de5633e15d15dbc8b5cb3ef0fd7486712cd0d8801393d785779c6f9e5dc239c84e3c6ac196a2dd508edae8722fa17d3218ad3123508033c1e7e453be7548c35d

Download Submit
C:\Users\Admin\AppData\Roaming\7536.D21

Filesize
996B

MD5
b46fb88d7228a9e56a8c4347b001a9a0

SHA1
4acd2929f05fc44f74ed74df529abe5d376a2ce5

SHA256
814ab9feedaa86ce4a5e3a9ddfac506233c47ee324e2898320675d7603349a28

SHA512
e598896b02ab438e3aaf8aafbe58a7a759ca5f4b8e90abe1feb6170206f425b400c943ed25e86bfd0b6154ad1a123eb6bbc092994c907ad50a8cc400e75fc11e

Download Submit
memory/2136-1-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2136-2-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2136-181-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2136-15-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2136-78-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2220-81-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2220-80-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2220-82-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2844-7-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2844-6-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2844-5-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads