cycbot | adbdb8436b47f907de5bbc6aa0cecd0d69ecb7ad1049b41aeb0b5e49d3af2c4e

General

Target

JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
Size

182KB
MD5

3195e5c0a2481f5b4ebddd7d2044f66e
SHA1

f4b63ea4be71d6384fdf1b5c5e17a6ed706ae841
SHA256

adbdb8436b47f907de5bbc6aa0cecd0d69ecb7ad1049b41aeb0b5e49d3af2c4e
SHA512

de6769f09ec4c6e568c70527c73767a83dc983a740f60d22f95d23b5103c5fb5154e24e3871c4bc46717278050800d66a72ea8b9ce82f84f36ca3f2de1294a0b
SSDEEP

3072:1h2kPSwsifzeSprPbouzcGhPfqBcG/eIuP/P7vt+2Vw8+GqWPG+rbh8XWVMWPUr:/2kECBrDo2iBAIuTFvVwmqW2KK

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2880-15-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2880-14-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/1684-16-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/1600-73-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/1684-74-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/1684-161-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1684-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2880-12-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2880-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2880-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1684-16-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1600-73-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1684-74-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1684-161-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2880	1684	JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe	30
PID 1684 wrote to memory of 2880	1684	JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe	30
PID 1684 wrote to memory of 2880	1684	JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe	30
PID 1684 wrote to memory of 2880	1684	JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe	30
PID 1684 wrote to memory of 1600	1684	JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe	32
PID 1684 wrote to memory of 1600	1684	JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe	32
PID 1684 wrote to memory of 1600	1684	JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe	32
PID 1684 wrote to memory of 1600	1684	JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2880
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3195e5c0a2481f5b4ebddd7d2044f66e.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6C88.231

Filesize
1KB

MD5
52f935e3b6e653c7435898c48083d543

SHA1
facea52b40cebc86d8a775f64e53b96203b330fc

SHA256
79248d74a38ee2980ee59908708821dd6edf184ae1b4417bc733a6fba2e2dad7

SHA512
8d02fc58fd746ca46470f20f80d449e95f9fda3205a7c1e56e38ed373f0c8c909a40c6e32c762e09082750a2e93a3ce72af37fdba5066caba123ac7d96984cef

Download Submit
C:\Users\Admin\AppData\Roaming\6C88.231

Filesize
600B

MD5
253408204bc543538964106fc44c5aa3

SHA1
2d0e375cd0a5c84554dca08e31581caf2df1149b

SHA256
70d9a33ab31d75357dd8ca1a7aa6a1ab973988c5243fa20ad434725257cd9ebb

SHA512
023669a23f900228efebd7787417de179abbee789f7d747979b16823cf142a1471cf5136f4943a031e27b6a970b12b01b1aeb7ee29bb3c257f17c803af4121c5

Download Submit
C:\Users\Admin\AppData\Roaming\6C88.231

Filesize
996B

MD5
7b6ea187e2dec71805f2974df5072357

SHA1
5fa48f9023043cff2b6b4604126b103d198c42bc

SHA256
c925d4c83adf8549fc63ab714f81808b864cdf99782e6c932ed648c26ca5e2ef

SHA512
bf42c195fc658dc8a12aefa7d935d7007e84102187344b4ae57e81a548d36e15cf75f305fedddeef5e20b2cbb17bf75c98668760350d240bd5fd7ce21a56a0e0

Download Submit
memory/1600-73-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1600-71-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1600-72-0x0000000000917000-0x0000000000934000-memory.dmp

Filesize
116KB

Download
memory/1684-16-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1684-1-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1684-74-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1684-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1684-161-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2880-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2880-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2880-68-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2880-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads