cycbot | 1ed95d7ca3ae50c4b3c1ca5e898dd6e3200aef61600e90d50fb664e995c30410

General

Target

JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe
Size

172KB
MD5

46f38d9351f86672f187dae19f8d9c05
SHA1

c94071bc1fb4dea1359c37afd654f6b03575dfca
SHA256

1ed95d7ca3ae50c4b3c1ca5e898dd6e3200aef61600e90d50fb664e995c30410
SHA512

9cb18bfbe88cfc47d58404b366a320b0e2fee1cf35aa556cfd24ad27211e4fde50e55a71337f880a217c68784e6a630769f175db57e4391eb180640e04d25609
SSDEEP

3072:V2R5YlLBjudfOoszM4Db1BS4rrqGxvtlFfSUxuZMqCGAFWf9Dr6v/RCn17mjF:V2vKBatOowb5rqYFnhiMXFKk/R876

Score

10^/10

cycbot backdoor discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2632-14-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/1652-15-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/1652-16-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/3008-93-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/1652-94-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/1652-200-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/1652-203-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EB5.exe = "C:\\Program Files (x86)\\LP\\9A60\\EB5.exe"	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1652-2-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2632-13-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2632-14-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1652-15-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1652-16-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/3008-91-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/3008-93-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1652-94-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1652-200-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1652-203-0x0000000000400000-0x0000000000452000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\9A60\EB5.exe	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe
File opened for modification	C:\Program Files (x86)\LP\9A60\2701.tmp	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe
File opened for modification	C:\Program Files (x86)\LP\9A60\EB5.exe	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1652	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe
1652	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe
1652	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe
1652	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe
1652	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe
1652	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe
1652	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe
1652	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe
1652	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe
1652	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe
1652	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe
1652	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe
1652	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe
1652	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1456	explorer.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeRestorePrivilege	3032	msiexec.exe
Token: SeTakeOwnershipPrivilege	3032	msiexec.exe
Token: SeSecurityPrivilege	3032	msiexec.exe
Token: SeShutdownPrivilege	1456	explorer.exe
Token: SeShutdownPrivilege	1456	explorer.exe
Token: SeShutdownPrivilege	1456	explorer.exe
Token: SeShutdownPrivilege	1456	explorer.exe
Token: SeShutdownPrivilege	1456	explorer.exe
Token: SeShutdownPrivilege	1456	explorer.exe
Token: SeShutdownPrivilege	1456	explorer.exe
Token: SeShutdownPrivilege	1456	explorer.exe
Token: SeShutdownPrivilege	1456	explorer.exe
Token: SeShutdownPrivilege	1456	explorer.exe
Token: SeShutdownPrivilege	1456	explorer.exe
Token: SeShutdownPrivilege	1456	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2632	1652	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe	31
PID 1652 wrote to memory of 2632	1652	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe	31
PID 1652 wrote to memory of 2632	1652	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe	31
PID 1652 wrote to memory of 2632	1652	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe	31
PID 1652 wrote to memory of 3008	1652	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe	34
PID 1652 wrote to memory of 3008	1652	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe	34
PID 1652 wrote to memory of 3008	1652	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe	34
PID 1652 wrote to memory of 3008	1652	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe	34

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe"
1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1652
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe startC:\Users\Admin\AppData\Roaming\0D4F4\37C9A.exe%C:\Users\Admin\AppData\Roaming\0D4F4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2632
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_46f38d9351f86672f187dae19f8d9c05.exe startC:\Program Files (x86)\F4658\lvvm.exe%C:\Program Files (x86)\F4658
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3008

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

4

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0D4F4\4658.D4F

Filesize
1KB

MD5
3a9ef3d1bdbb543d3cb4707afec9632a

SHA1
bbe9fbf35185001e635ce39f350acaa88cd4563e

SHA256
608e098312de5d071bef3ba2937b5cc43d753407d62dc4ea58376da72e8cb778

SHA512
66261f5cceac4974e8425b77a48c598e9dea7f7278278b39c746d39809ad50c518f9b2adeb84094a394030485ec7620c2e218f0da252c3ca1e5bd59263e0c93d

Download Submit
C:\Users\Admin\AppData\Roaming\0D4F4\4658.D4F

Filesize
600B

MD5
e1cd3cc785d9b23b3005b963d5cd7330

SHA1
7cf30fbc7cf3e0aec7282696cc906052f24ac3a2

SHA256
e7a05e75a4165178cbef3f990f927c607a2130e7d6347ca72216ebc08bcc360c

SHA512
a253f90655bef3225db97b9513cdba4543826b4407782605d21fa673c79299a8c0288247d3161b66c394c53aa02d09d74bd8578ddb378a2cd956c4eaf733722a

Download Submit
C:\Users\Admin\AppData\Roaming\0D4F4\4658.D4F

Filesize
996B

MD5
4717008942832b0f2cefdfbcbb109a94

SHA1
76fd45ef2268d9877f68a62bf3ad612305e63919

SHA256
e0dbeed7c5e9877eb862435b150526e58e4ced2c9b53fbe149a11ae9ef267a18

SHA512
9fb4456d26be0fdae8e1bda86c5f4e0af0371eaef747feae32dd921b1eed6a5487f430720af44e1de2ee5e9d9f447653980445770a82793e420ea9ae6dadc1bc

Download Submit
memory/1652-94-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1652-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1652-203-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1652-1-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1652-200-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1652-15-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1652-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2632-12-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2632-14-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2632-13-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3008-93-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3008-91-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads