cycbot | a7b6266473caeb3ee6d14544e377f7b64d4f4a73af321007e364cbbaa236f3e3

General

Target

JaffaCakes118_37ec94000992b758b0f93205e78011dc.exe
Size

175KB
MD5

37ec94000992b758b0f93205e78011dc
SHA1

097cac9b22caa1a1113d42b4d4a03a991179fef0
SHA256

a7b6266473caeb3ee6d14544e377f7b64d4f4a73af321007e364cbbaa236f3e3
SHA512

f449feee364ee883fca03fb9554d5ab89e8a66eb3110e0e5be3aeb3a93e570169433bf51b50cffc8c36f7807de6b1fdfec0eb8685c233b0c788953b3913b6074
SSDEEP

3072:ajeJvTHjs3ypJ7ib5tf5wExuijs1n4oCku7CgveTXs1E7/cjo:keJvTY3EiVEaXjs1n4oCkumgGAjo

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2324-7-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2980-15-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/3000-88-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2980-143-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2980-198-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_37ec94000992b758b0f93205e78011dc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2980-2-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2324-5-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2324-7-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2980-15-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/3000-88-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2980-143-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2980-198-0x0000000000400000-0x000000000048A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_37ec94000992b758b0f93205e78011dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_37ec94000992b758b0f93205e78011dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_37ec94000992b758b0f93205e78011dc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2324	2980	JaffaCakes118_37ec94000992b758b0f93205e78011dc.exe	30
PID 2980 wrote to memory of 2324	2980	JaffaCakes118_37ec94000992b758b0f93205e78011dc.exe	30
PID 2980 wrote to memory of 2324	2980	JaffaCakes118_37ec94000992b758b0f93205e78011dc.exe	30
PID 2980 wrote to memory of 2324	2980	JaffaCakes118_37ec94000992b758b0f93205e78011dc.exe	30
PID 2980 wrote to memory of 3000	2980	JaffaCakes118_37ec94000992b758b0f93205e78011dc.exe	33
PID 2980 wrote to memory of 3000	2980	JaffaCakes118_37ec94000992b758b0f93205e78011dc.exe	33
PID 2980 wrote to memory of 3000	2980	JaffaCakes118_37ec94000992b758b0f93205e78011dc.exe	33
PID 2980 wrote to memory of 3000	2980	JaffaCakes118_37ec94000992b758b0f93205e78011dc.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37ec94000992b758b0f93205e78011dc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37ec94000992b758b0f93205e78011dc.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37ec94000992b758b0f93205e78011dc.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37ec94000992b758b0f93205e78011dc.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2324
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37ec94000992b758b0f93205e78011dc.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37ec94000992b758b0f93205e78011dc.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\8DF2.6DC

Filesize
1KB

MD5
152709aa7042026be5ead15843b5518c

SHA1
15e01c4f66515fb8fc96ed6fc9dae114271ab0d1

SHA256
a5f76ce3002b0ff06cdc05da2f17f24974a02368bf662281ad5ff6d8ab6f03da

SHA512
7cad05ac17223fa0c8afa889ddbfdf74779154ce4569ffe126ee9ee61e43e9deabf0000f257408f4da3b717076f4c4cbe5f2b0afae7b1fc54dd732562d08a741

Download Submit
C:\Users\Admin\AppData\Roaming\8DF2.6DC

Filesize
600B

MD5
f877cfda5197fae43e02ed954542c5fd

SHA1
b9f630431544cbefff07587b1bdf6f2b2f6bb279

SHA256
1dec6d1de59c2f502b7096eb5e06cbb6f4feb19b485c66ff349e63b6abde4d5d

SHA512
424b68a42ab29017777b63edc0f97d0a42047a37a3f5d3111e6d3f421709d8fde1d24a1ad6a283c7f3fbc0980fbddb3b472b2442642824d1936cdf796ab6265a

Download Submit
C:\Users\Admin\AppData\Roaming\8DF2.6DC

Filesize
996B

MD5
efaee03e4dd616933d63fe9fcaf78c31

SHA1
e05b633e80809c40f4efa46511d5c490f440b2cd

SHA256
b5d4de9c9f67f6ea519af88521394196551c054266e2394a53ccfd8588c529de

SHA512
480db694327ab9ab20e9369c5ec29f8c590d9abbbc281c2feda4da824db299aa3f4c2b12e52732291aa1c43c73b0341096ea56acfcb59ffcb1d43f02f468735d

Download Submit
memory/2324-5-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2324-7-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2980-2-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2980-1-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2980-15-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2980-143-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2980-198-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3000-86-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3000-88-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads