cycbot | 18436fdba2f902818c3da3e6bf648860796eb08ca3e1690e44a426d69783ba9c

General

Target

JaffaCakes118_25ad4b2d733bceb409c94f35c6b48c72.exe
Size

182KB
MD5

25ad4b2d733bceb409c94f35c6b48c72
SHA1

1606ad922b658bf208670543b2661be3c478846e
SHA256

18436fdba2f902818c3da3e6bf648860796eb08ca3e1690e44a426d69783ba9c
SHA512

7dc3ff3d1051f7a5024748347d76cc832412fe2a59b85a57effc64a9eea289efe474117d44c2b2f3e22e2e78a873b1290fb27744ab75ad1616bd0ea33964b56c
SSDEEP

3072:Alo0bauokAb0msostHXjcWW5z1UlHcOsGkdC1itfpkSzPXHdm7:10baugWtHzVYO8OfGd8Y

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1068-10-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/1068-8-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2396-15-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2396-76-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/812-80-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2396-181-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_25ad4b2d733bceb409c94f35c6b48c72.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2396-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1068-10-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1068-8-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2396-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2396-76-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/812-80-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/812-78-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2396-181-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_25ad4b2d733bceb409c94f35c6b48c72.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_25ad4b2d733bceb409c94f35c6b48c72.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_25ad4b2d733bceb409c94f35c6b48c72.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 1068	2396	JaffaCakes118_25ad4b2d733bceb409c94f35c6b48c72.exe	30
PID 2396 wrote to memory of 1068	2396	JaffaCakes118_25ad4b2d733bceb409c94f35c6b48c72.exe	30
PID 2396 wrote to memory of 1068	2396	JaffaCakes118_25ad4b2d733bceb409c94f35c6b48c72.exe	30
PID 2396 wrote to memory of 1068	2396	JaffaCakes118_25ad4b2d733bceb409c94f35c6b48c72.exe	30
PID 2396 wrote to memory of 812	2396	JaffaCakes118_25ad4b2d733bceb409c94f35c6b48c72.exe	33
PID 2396 wrote to memory of 812	2396	JaffaCakes118_25ad4b2d733bceb409c94f35c6b48c72.exe	33
PID 2396 wrote to memory of 812	2396	JaffaCakes118_25ad4b2d733bceb409c94f35c6b48c72.exe	33
PID 2396 wrote to memory of 812	2396	JaffaCakes118_25ad4b2d733bceb409c94f35c6b48c72.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25ad4b2d733bceb409c94f35c6b48c72.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25ad4b2d733bceb409c94f35c6b48c72.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25ad4b2d733bceb409c94f35c6b48c72.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25ad4b2d733bceb409c94f35c6b48c72.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1068
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25ad4b2d733bceb409c94f35c6b48c72.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25ad4b2d733bceb409c94f35c6b48c72.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\72F4.E21

Filesize
1KB

MD5
c4765559734a421e1801ddb2566fff98

SHA1
b462b45f9e300c1c79cf44cdf9ecc61071e57e24

SHA256
f8e489fc8b729c36fe7da37132a9c47095c20a365b816d428b1ebcd424d24ab8

SHA512
dbfc4c5afec2c85fb24192c18ec02e07c1879467638c18edf143c443dc4a6d5ad8a6e8ae867faa0ccc899495d96a47e431c66259b1e950404ab483c2c6a0633e

Download Submit
C:\Users\Admin\AppData\Roaming\72F4.E21

Filesize
600B

MD5
1a7f8b5e9b9a496612f7b68293f7cd7c

SHA1
01128fcbd8fa217f97d19278ed3d915bdd500921

SHA256
f3945cd5af68e9f457f4818e8ff34beb246ed1dd36459bc6d0249f62ba0fa023

SHA512
fb9310a3275e783fb2467d22186f1fc41018513928ac600bcf5225199c7ca995fc9f75d7905bdd60f67bf7ba87d26d2a76b1ec305353af6565809bd357ba3cd1

Download Submit
C:\Users\Admin\AppData\Roaming\72F4.E21

Filesize
996B

MD5
afc50fb0e104cc289f388b794a83813a

SHA1
ebd3c36913b6c38a49a319da9fc9f0bce7864c25

SHA256
2ebc68c49ac3eb46df75b38f8dd41c90c608cd18a9477df96df50191e896f0f0

SHA512
db55812bb8270ce5443a3f51aebe14af4137dafdfefe0c9215e44b2d2870a87e775d513617430e8fe0cf474643c08d1ed7bfdef986d880b2ef5ad253bf61fc0a

Download Submit
memory/812-80-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/812-78-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1068-10-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1068-8-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2396-1-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2396-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2396-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2396-76-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2396-181-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads