cycbot | 672e0b51f10c39a7ea11648ceb1021f0029d6043107a080ee230165b16afa6f5

General

Target

JaffaCakes118_2f31dde56f29afee636fd32b20a0736b.exe
Size

201KB
MD5

2f31dde56f29afee636fd32b20a0736b
SHA1

682cc264764a083883f79258bb9baca1ba41e51f
SHA256

672e0b51f10c39a7ea11648ceb1021f0029d6043107a080ee230165b16afa6f5
SHA512

fa3d0b9acb2f8374db1ca85f61b3cac3970d04ff8843c0f2c54b094cecb68fbef4a41b1f7448ba9bd9734069728ba9212c4f8022632b70ecea5e44e662b3e868
SSDEEP

6144:r5VGHD1WEItzn+W8fbWtJghxEJhcHqjci1:WHD1tTWTghUhcKjc

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2536-14-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2536-16-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1952-17-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1936-91-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1936-92-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1952-93-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1952-201-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_2f31dde56f29afee636fd32b20a0736b.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1952-2-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2536-14-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2536-16-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1952-17-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1936-91-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1936-92-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1952-93-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1952-201-0x0000000000400000-0x000000000046C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2f31dde56f29afee636fd32b20a0736b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2f31dde56f29afee636fd32b20a0736b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2f31dde56f29afee636fd32b20a0736b.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2536	1952	JaffaCakes118_2f31dde56f29afee636fd32b20a0736b.exe	31
PID 1952 wrote to memory of 2536	1952	JaffaCakes118_2f31dde56f29afee636fd32b20a0736b.exe	31
PID 1952 wrote to memory of 2536	1952	JaffaCakes118_2f31dde56f29afee636fd32b20a0736b.exe	31
PID 1952 wrote to memory of 2536	1952	JaffaCakes118_2f31dde56f29afee636fd32b20a0736b.exe	31
PID 1952 wrote to memory of 1936	1952	JaffaCakes118_2f31dde56f29afee636fd32b20a0736b.exe	33
PID 1952 wrote to memory of 1936	1952	JaffaCakes118_2f31dde56f29afee636fd32b20a0736b.exe	33
PID 1952 wrote to memory of 1936	1952	JaffaCakes118_2f31dde56f29afee636fd32b20a0736b.exe	33
PID 1952 wrote to memory of 1936	1952	JaffaCakes118_2f31dde56f29afee636fd32b20a0736b.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2f31dde56f29afee636fd32b20a0736b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2f31dde56f29afee636fd32b20a0736b.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2f31dde56f29afee636fd32b20a0736b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2f31dde56f29afee636fd32b20a0736b.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2536
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2f31dde56f29afee636fd32b20a0736b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2f31dde56f29afee636fd32b20a0736b.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6755.CCB

Filesize
1KB

MD5
d3acbe5014dbfadd635b300f325b2f6e

SHA1
efe34e61c54bab0a883b3a660669ef032212bc7d

SHA256
a92f1fe706782930498055bcec0881fcb9958d2519974ccf0332723e980a1231

SHA512
614085c75d0238414ded3b62d28163b01b1b0b39e17947d5917047ec778a13e9a64ef83446d304adc3c08f200f38438055e478fd1a99003a23dfb7f256f0f40a

Download Submit
C:\Users\Admin\AppData\Roaming\6755.CCB

Filesize
600B

MD5
75b53901c5219d587eca61a92a5e1510

SHA1
7092cc2297b4ecef6f0fbf1c2af82c5daf7fc216

SHA256
b1a3d46ffa70120318357cd9febca5b299d0a4fa4f8b351219abd0f89cbd92c5

SHA512
730170042704e4057bf935982172c286b77ec8c58744710e6643ef52e8bf74a093e0b304fadd9d587207a8d0a3ede63851e8ab179a988d9957c14aa0512ddd04

Download Submit
C:\Users\Admin\AppData\Roaming\6755.CCB

Filesize
996B

MD5
4f1e51df4e31578b82ccc6bf5d795951

SHA1
dec4cbaf507a8ddda474ff4e872e08d23608a50f

SHA256
4abf329ec37c7e5810b54bb822bfd4b70b80ca9c1fd574d24ed6d395145467d8

SHA512
efd5a059d11bae20355c2118248618cb20d73fd01bd7936dbd1fb02f697af8f27f2708068656e853b27cc4d641d6c2a63d9bef88522cedc431d8e03c38c710fe

Download Submit
memory/1936-92-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1936-90-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1936-91-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1952-17-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1952-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1952-93-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1952-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1952-201-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2536-16-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2536-13-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2536-14-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads