cycbot | 2125a1e00be1bd129634cdd69d9540a4c49ae1864702547ada32ec70da42c95c

General

Target

JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe
Size

177KB
MD5

3be07720d75271452be60d7ea80d508a
SHA1

ce8685fbc1a0ef90eab3911b64e3cfebd60238c2
SHA256

2125a1e00be1bd129634cdd69d9540a4c49ae1864702547ada32ec70da42c95c
SHA512

375a01be852e44e3025b06f6cc58902fd12f465c028cdbe28e537218b27e00ce81fa6c038c13aae49632a1e3aea1229086dade40721f509c9f022794113af897
SSDEEP

3072:AWdbPR3RVFNvm8L8ds89HNnXbIygHVP3txJDnWUUXK6sAkqOjwPp1ipLitl9:XhPRH/vfL8dV9HNMygHVPrVWUUXK8kqt

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1200-14-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/1740-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/1740-16-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/2992-134-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/1740-135-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2992-255-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/1740-322-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\E7577\\279AF.exe"	JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1740-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1200-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1740-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1740-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2992-134-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1740-135-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2992-255-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1740-322-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1200	1740	JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe	30
PID 1740 wrote to memory of 1200	1740	JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe	30
PID 1740 wrote to memory of 1200	1740	JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe	30
PID 1740 wrote to memory of 1200	1740	JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe	30
PID 1740 wrote to memory of 2992	1740	JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe	32
PID 1740 wrote to memory of 2992	1740	JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe	32
PID 1740 wrote to memory of 2992	1740	JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe	32
PID 1740 wrote to memory of 2992	1740	JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe startC:\Program Files (x86)\LP\AF6E\88C.exe%C:\Program Files (x86)\LP\AF6E
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1200
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3be07720d75271452be60d7ea80d508a.exe startC:\Program Files (x86)\77917\lvvm.exe%C:\Program Files (x86)\77917
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E7577\7917.757

Filesize
996B

MD5
34f41583139f3705d90b950dcf1bc327

SHA1
b8e69c9a4b1ae8c459d69619b111cc7b881ed43e

SHA256
7a433ba29e745d1316f70c4406eb4922432c46c5c20cec80440c96eaee6ebc30

SHA512
4ac1a74cb84602d0103de7522677c647b9c8eef7d068cd2c9a7af73c985fbca1593346b76be7a4a726fc105911ed8131b093f72f0e10611edb6734a027c2f473

Download Submit
C:\Users\Admin\AppData\Roaming\E7577\7917.757

Filesize
1KB

MD5
53425eb93ad5016d948cfaf813914ab4

SHA1
ae26c0988d016e9790ddd9755ce18874aacb90ee

SHA256
aaa100b04eba8709c9377430d9de6d0db02756128d34741a7fb5cc87b1cea2c8

SHA512
da352d356ff7562b42533f0719fab0c205cb5b62a21d33f4b08198969743e39e759018475a321ddd2818a96f7f0c43c0579d66a4ccfd9c62773d992fe493de7d

Download Submit
C:\Users\Admin\AppData\Roaming\E7577\7917.757

Filesize
600B

MD5
d8e87e071dfef8cdeb7e2cdd88d6e1d4

SHA1
ea606d4e23a343bf6cad535a02464f3cf27839fc

SHA256
b428febcaee9be23632754a2231dca412e05dac88dd11599beaa6e30a33c6921

SHA512
f55ae41d7838ad4d880e176bd72b7fd55971cfb9dc3b456b578d5e54c1423805771c3feec3e37ea9792a6d241696fb953b39d11ff174cf3a74fab82d7c6ab247

Download Submit
memory/1200-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1200-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1740-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1740-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1740-135-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1740-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1740-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1740-322-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2992-134-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2992-255-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads