cycbot | 4edb9b51034fc17d3d2ec81c55291fbd0d8b77ef65cb3ebda421d5240ea7ef92

General

Target

JaffaCakes118_2e4ba5fe3ff3c09b5049855e8318659b.exe
Size

190KB
MD5

2e4ba5fe3ff3c09b5049855e8318659b
SHA1

6b411b314c2ee902d85ee5991ba2d37d5c1b9334
SHA256

4edb9b51034fc17d3d2ec81c55291fbd0d8b77ef65cb3ebda421d5240ea7ef92
SHA512

81273ba5b2a66bd0e8932ee5d80110a286e340eff9cb48ca0d6b44683282b4dcbf7995ae3501d468c14358d373d62e2779887c8fc73389561e5dbfbea5a1bf8e
SSDEEP

3072:ehp6MQRMEJMxrYZCX2lx775d5NSpu6s2Wcy4rYnXZpMGPa4eRskmKgKWlPIE:ehpmFMdPX2lx77efs2WcyHnXZfax+KA

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2784-7-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2128-14-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/1040-71-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2128-72-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2128-173-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2128-206-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_2e4ba5fe3ff3c09b5049855e8318659b.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2128-2-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2784-5-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2784-7-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2128-14-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1040-71-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2128-72-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2128-173-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2128-206-0x0000000000400000-0x000000000046B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2e4ba5fe3ff3c09b5049855e8318659b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2e4ba5fe3ff3c09b5049855e8318659b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2e4ba5fe3ff3c09b5049855e8318659b.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2784	2128	JaffaCakes118_2e4ba5fe3ff3c09b5049855e8318659b.exe	30
PID 2128 wrote to memory of 2784	2128	JaffaCakes118_2e4ba5fe3ff3c09b5049855e8318659b.exe	30
PID 2128 wrote to memory of 2784	2128	JaffaCakes118_2e4ba5fe3ff3c09b5049855e8318659b.exe	30
PID 2128 wrote to memory of 2784	2128	JaffaCakes118_2e4ba5fe3ff3c09b5049855e8318659b.exe	30
PID 2128 wrote to memory of 1040	2128	JaffaCakes118_2e4ba5fe3ff3c09b5049855e8318659b.exe	32
PID 2128 wrote to memory of 1040	2128	JaffaCakes118_2e4ba5fe3ff3c09b5049855e8318659b.exe	32
PID 2128 wrote to memory of 1040	2128	JaffaCakes118_2e4ba5fe3ff3c09b5049855e8318659b.exe	32
PID 2128 wrote to memory of 1040	2128	JaffaCakes118_2e4ba5fe3ff3c09b5049855e8318659b.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2e4ba5fe3ff3c09b5049855e8318659b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2e4ba5fe3ff3c09b5049855e8318659b.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2e4ba5fe3ff3c09b5049855e8318659b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2e4ba5fe3ff3c09b5049855e8318659b.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2784
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2e4ba5fe3ff3c09b5049855e8318659b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2e4ba5fe3ff3c09b5049855e8318659b.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E5A5.25C

Filesize
1KB

MD5
ca69b8982bb2a787d556eda8f3a77040

SHA1
b8c03c13f456038b3bd627818ba36a29d62b6349

SHA256
5ef9dfd6f4b12d736d190812d8445ec49c84473d02d9fe0f52d2b47d9ceab5de

SHA512
f0b07a8ff1f9630a9d7ace3b981042a98d7f85d025804a0fbecc5be1ca6fd3931f884d29cbf050eb74e98d48785facb2cd9c2098a656a3f505b3d4524af1d109

Download Submit
C:\Users\Admin\AppData\Roaming\E5A5.25C

Filesize
600B

MD5
6282c545b1ba0d12a4c70bef187e4101

SHA1
38bf400608f58c0197b21ea82e5b80aa5b79d25f

SHA256
f5c767dd5577ec57fb6efd159778736998532ecc39c0ffe67694dff1516f00e8

SHA512
4178d3203bc192bdee75d66698f5ee630af0ac0b9c1b9e7f0cdd3061a48a61b8cd610b725bee40fa3e94b760961fe14985a366f52ea9180acf01a04c2daedaca

Download Submit
C:\Users\Admin\AppData\Roaming\E5A5.25C

Filesize
996B

MD5
be84e043b85cf61c1ca105123dcb7311

SHA1
38144262886acbb95a370037bb7eff5b6265e35f

SHA256
49e239a634c73dd76203d548b00714550599055e03a917bb6e44dbafe2f1578f

SHA512
ce9aecc85b320b207f2949c72e2e6390b29109b8df23e65fb0d87225327aff5bdbc5ea34730a8b8782af21764e763d841fd66159040a77f8978c06dcbbc8ee48

Download Submit
memory/1040-71-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2128-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2128-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2128-14-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2128-72-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2128-173-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2128-206-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2784-5-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2784-7-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads