cycbot | 6f84907ff69c67a295786991d199157942d35edd3c7351eb1ada13d26734b953

General

Target

JaffaCakes118_1ca91f0e0fc16e2eedee7f9076578c81.exe
Size

181KB
MD5

1ca91f0e0fc16e2eedee7f9076578c81
SHA1

215c6823ce9ca0ff4a652e2e94ee18e96ff76a99
SHA256

6f84907ff69c67a295786991d199157942d35edd3c7351eb1ada13d26734b953
SHA512

d87e792be2c40b76c0d78174868f6ca5557e7d6bb154f3baa26239964fc2359dc512320a5d94745c042257a0c346c3f5f6909bd1ddff9084b53f44f6f21ffda2
SSDEEP

3072:ypTafsJaImvR5yAiFy7z/axIRi5kaj+v+kmKVTbI8h68lfLxXMGsjsMP5HZ4GHU8:gTafSsb/BRi5jRkmKVPZh68ljxXMNsvi

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1260-6-0x0000000000400000-0x0000000000485000-memory.dmp	family_cycbot
behavioral1/memory/2584-13-0x0000000000400000-0x0000000000485000-memory.dmp	family_cycbot
behavioral1/memory/1572-80-0x0000000000400000-0x0000000000485000-memory.dmp	family_cycbot
behavioral1/memory/2584-81-0x0000000000400000-0x0000000000485000-memory.dmp	family_cycbot
behavioral1/memory/2584-168-0x0000000000400000-0x0000000000485000-memory.dmp	family_cycbot
behavioral1/memory/2584-199-0x0000000000400000-0x0000000000485000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_1ca91f0e0fc16e2eedee7f9076578c81.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2584-2-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/1260-5-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/1260-6-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2584-13-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/1572-79-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/1572-80-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2584-81-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2584-168-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2584-199-0x0000000000400000-0x0000000000485000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1ca91f0e0fc16e2eedee7f9076578c81.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1ca91f0e0fc16e2eedee7f9076578c81.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1ca91f0e0fc16e2eedee7f9076578c81.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 1260	2584	JaffaCakes118_1ca91f0e0fc16e2eedee7f9076578c81.exe	30
PID 2584 wrote to memory of 1260	2584	JaffaCakes118_1ca91f0e0fc16e2eedee7f9076578c81.exe	30
PID 2584 wrote to memory of 1260	2584	JaffaCakes118_1ca91f0e0fc16e2eedee7f9076578c81.exe	30
PID 2584 wrote to memory of 1260	2584	JaffaCakes118_1ca91f0e0fc16e2eedee7f9076578c81.exe	30
PID 2584 wrote to memory of 1572	2584	JaffaCakes118_1ca91f0e0fc16e2eedee7f9076578c81.exe	33
PID 2584 wrote to memory of 1572	2584	JaffaCakes118_1ca91f0e0fc16e2eedee7f9076578c81.exe	33
PID 2584 wrote to memory of 1572	2584	JaffaCakes118_1ca91f0e0fc16e2eedee7f9076578c81.exe	33
PID 2584 wrote to memory of 1572	2584	JaffaCakes118_1ca91f0e0fc16e2eedee7f9076578c81.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ca91f0e0fc16e2eedee7f9076578c81.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ca91f0e0fc16e2eedee7f9076578c81.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ca91f0e0fc16e2eedee7f9076578c81.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ca91f0e0fc16e2eedee7f9076578c81.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1260
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ca91f0e0fc16e2eedee7f9076578c81.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ca91f0e0fc16e2eedee7f9076578c81.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ECE9.536

Filesize
1KB

MD5
788e5387c202a79a2233e02bd220097b

SHA1
82b318d4e338cf086e2bab51e7780efe5902939b

SHA256
54aebbc9fd83c2051f5034bf2e0ea3472b6dcde40c780ef54dc67e396192029e

SHA512
195729513b8d669824bda72e7624231469b1eafc282f52be2ac260486554419224c95b91109659ff2876da383f6095e3fa88d56b11742ff82974fd69deeb886a

Download Submit
C:\Users\Admin\AppData\Roaming\ECE9.536

Filesize
600B

MD5
e9d27775e5c0b45cb0c03f370e7a5280

SHA1
b9a215564c5642a98ce5c3346fba6183bede91bf

SHA256
f7324026caa0464696948ead2413e5ec08b50e4c07b491ef9bf2caf20ecf1ff5

SHA512
d2d2487d2fdf0044968d685d2d8c12095d6b9cd3cdfe0d2f262629575e328585ec1458e173ed368eb0a16febb13b4ad35a47b137cd19a25f7ffe7d62a65ddef2

Download Submit
C:\Users\Admin\AppData\Roaming\ECE9.536

Filesize
996B

MD5
59328459102638663d8b635d7b255156

SHA1
5fecaed4e7b4c305154323ffe84bcb860d7e3910

SHA256
5f4fee45cf2708d73b6f4be25ee72b0acf5388d4a430d9c76c4924538d7c77b4

SHA512
2bad32c5ca08d2dcb8dbb8a16691383174dbb3b94d9f930227206f2781703aeddd308d3d44dd9c467f44b5b7d146fa0e75fbffa8062e2004fc7515dde61d7dc1

Download Submit
memory/1260-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1260-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1572-79-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1572-80-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2584-13-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2584-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2584-81-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2584-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2584-168-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2584-199-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads