cycbot | 291018d22b3afb4ed1fe56900d2cb38ed480ef13e7d55eea371480d121ca0361

General

Target

JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe
Size

185KB
MD5

22f1858717583dbd59c18d6dbb5b049b
SHA1

887be3af12e0430df89eddb47eeefb8f1ce59ea7
SHA256

291018d22b3afb4ed1fe56900d2cb38ed480ef13e7d55eea371480d121ca0361
SHA512

8b5fa6b1d3553d508b8ff2233b1e6c3ebb8440e7ac46440e347ec7ff15c799fb58acb086912a49bc9714d57b937423e86dccb6a4b58fea8ab500f262ffba31d9
SSDEEP

3072:xFP6GrH8SAPPrcfqoaC4uNQq8Zgz5batZoZR9qui3YhrAsAAifNcI5bP:xl6IH8SmgfzNQq8Zgz52ty9quUYxzAR1

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1736-8-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2328-14-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/960-83-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/960-81-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2328-84-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2328-194-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2328-1-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1736-7-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1736-8-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2328-14-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/960-83-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/960-81-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2328-84-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2328-194-0x0000000000400000-0x000000000046C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1736	2328	JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe	30
PID 2328 wrote to memory of 1736	2328	JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe	30
PID 2328 wrote to memory of 1736	2328	JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe	30
PID 2328 wrote to memory of 1736	2328	JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe	30
PID 2328 wrote to memory of 960	2328	JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe	32
PID 2328 wrote to memory of 960	2328	JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe	32
PID 2328 wrote to memory of 960	2328	JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe	32
PID 2328 wrote to memory of 960	2328	JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1736
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22f1858717583dbd59c18d6dbb5b049b.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2083.67C

Filesize
1KB

MD5
2a5ff04a5f8271135b382df6a5e74cbc

SHA1
245613020e30323045c2730e1f77ec0e69e7bc22

SHA256
ecf08b28f2e3b896ea48f6e70b518cd4e6cf844de6d2d612d0b55116c7348574

SHA512
6e27a653dcd8d438f7ba466fdd6a17d1ae3d7d3f409c1bac86ab8fde94fd780316bcbc3f922722ce8ede3391bab5d6f86c66191759ab92290c91ec2ba86cb451

Download Submit
C:\Users\Admin\AppData\Roaming\2083.67C

Filesize
600B

MD5
6e71b9467080436ddd5b45ac6721b789

SHA1
5f159111f4493f3dc7b5d464a8f13aa1ccd75db1

SHA256
fa571c2540265ccc57e78bf4e92035bfbc33435710e1dca787f547d51cb381ba

SHA512
fecc81a20cedaeefaed5a72e47b1a09005a69c63e5e947ee8cb4072fac7dbcba74b08af6b8d0157d84eca63c4867dac4b4524b6960ed022e7500dfac0b5feb7c

Download Submit
C:\Users\Admin\AppData\Roaming\2083.67C

Filesize
996B

MD5
6c6028c9be0820a0325cdfe45dcbc250

SHA1
a7e645d35c6bdbd2cab040bd14a1d9447034c9db

SHA256
a8258f10c2eade25c4f6908af77f253e0603eb190935f5867d4d2ffff648f178

SHA512
8318a830dcaf8d81fc58cf18c23135a605890d32dc75d6658cc01a336d064966a20b7ae566b334d321c6958dfc4a8e42b240fa4d3fb9d9a97efa652cbf4ae939

Download Submit
memory/960-80-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/960-83-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/960-81-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1736-7-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1736-8-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2328-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2328-14-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2328-84-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2328-194-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads