cycbot | 1795680039b7f5ea2136fdf7737224a050793f2b880293cc677d9c6364ce54b5

General

Target

JaffaCakes118_1f589d8ebed6941364c045855980148f.exe
Size

169KB
MD5

1f589d8ebed6941364c045855980148f
SHA1

5be03970a7e53a094c21d9f210a8bd277c20c377
SHA256

1795680039b7f5ea2136fdf7737224a050793f2b880293cc677d9c6364ce54b5
SHA512

be6f01ba8090c6da94e4009199de31a7b800f3ebe7e72e4aa6efc14c798532c2aa7ee60888b7c2e390f86def9059d02053f1b3ccb6c7e808c7d0cad0bb7c95d6
SSDEEP

3072:auJwwuZ7D7SX9rYJebD58bL4FD5Bdt03vsVpJfwVddWpWVgTuK5L:a4uFU9rCebD58b0tBVHfGjOugTuw

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 8 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2860-14-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2860-13-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2916-15-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/2916-16-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2088-85-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2088-84-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2916-86-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2916-196-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\D20B6\\3EC17.exe"	JaffaCakes118_1f589d8ebed6941364c045855980148f.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2916-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2860-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2860-13-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2916-15-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2916-16-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2088-85-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2088-84-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2916-86-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2916-196-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1f589d8ebed6941364c045855980148f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1f589d8ebed6941364c045855980148f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1f589d8ebed6941364c045855980148f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2860	2916	JaffaCakes118_1f589d8ebed6941364c045855980148f.exe	30
PID 2916 wrote to memory of 2860	2916	JaffaCakes118_1f589d8ebed6941364c045855980148f.exe	30
PID 2916 wrote to memory of 2860	2916	JaffaCakes118_1f589d8ebed6941364c045855980148f.exe	30
PID 2916 wrote to memory of 2860	2916	JaffaCakes118_1f589d8ebed6941364c045855980148f.exe	30
PID 2916 wrote to memory of 2088	2916	JaffaCakes118_1f589d8ebed6941364c045855980148f.exe	32
PID 2916 wrote to memory of 2088	2916	JaffaCakes118_1f589d8ebed6941364c045855980148f.exe	32
PID 2916 wrote to memory of 2088	2916	JaffaCakes118_1f589d8ebed6941364c045855980148f.exe	32
PID 2916 wrote to memory of 2088	2916	JaffaCakes118_1f589d8ebed6941364c045855980148f.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f589d8ebed6941364c045855980148f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f589d8ebed6941364c045855980148f.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f589d8ebed6941364c045855980148f.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f589d8ebed6941364c045855980148f.exe startC:\Program Files (x86)\LP\178D\D92.exe%C:\Program Files (x86)\LP\178D
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2860
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f589d8ebed6941364c045855980148f.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f589d8ebed6941364c045855980148f.exe startC:\Program Files (x86)\B66CF\lvvm.exe%C:\Program Files (x86)\B66CF
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D20B6\66CF.20B

Filesize
996B

MD5
14bda5e1e903a9b4b8d3f6134d2f93b3

SHA1
6c87b803dd648973563c8b66b2866cf618e54aa6

SHA256
def052da708e01c346879a6bd5d2c2c15bfad224b9ea0a12828b53bf13e811d4

SHA512
c9c987f05a95c187b570e54f94309476ac70d7bd94bb76248fff7681566562ad274f6fcf808aa6629a2ac0e462b565cee26f995902a3d1f2f6ee41a3c46543c2

Download Submit
C:\Users\Admin\AppData\Roaming\D20B6\66CF.20B

Filesize
1KB

MD5
cbfd599b79c263e3f09869b3c806ff53

SHA1
a5a1617746ce2382942685b177096d711557b94a

SHA256
b5aee989f25323c2607030804cd67e0305b56c97d56f9c6c5045fb201944b0f8

SHA512
c654f84427559411feef59ce34fde84c13348243eafdb4520a2453280967c3390212ab35747b3a137b13ef00095bbb0de2cbe2516c1eaa00b6e34b4a780b2f46

Download Submit
C:\Users\Admin\AppData\Roaming\D20B6\66CF.20B

Filesize
600B

MD5
30bcfe70d9c7558f2f4d90ec55bdb744

SHA1
ea32a22075a1eea1b80770c70efcfc57a5e96536

SHA256
69a8e7ef84c00f59bc39b39d8a7c050dbac6ab25800abe2584a182e61ec827a8

SHA512
d289c0aba25caadb3c7a35c4d280f77b8eadf7712840d03375f6b5a649a0a576a6efe34c6492d6eec9b3279ea6ac53d0eb7d664439cd384ab4a0237c9389d8ca

Download Submit
memory/2088-83-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2088-85-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2088-84-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2860-13-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2860-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2916-15-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2916-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2916-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2916-86-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2916-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2916-196-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads