cycbot | 2a69e825716c460c1b0fa82f66a746863837fb928ba1677be1b4d9c39ea79fad

General

Target

JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe
Size

275KB
MD5

4cd6b2868ebf513c1e0772e756c60f39
SHA1

8b62235c13d3ae655b9dcc7f5f04973224150683
SHA256

2a69e825716c460c1b0fa82f66a746863837fb928ba1677be1b4d9c39ea79fad
SHA512

d3fa5f8e9183d3dc62baeaece94b92349b976b946312f13d06e873e213cd171112be10e3de2e1202888f895d81ad8efa14168362deb94148620f698b03f1fc0f
SSDEEP

6144:CMsjCYf4Nk1RsU8xzGCbBIZoZD0vLHsetTmZJTFj3tc0tM:CMWCYf9axzGsIZo50vLHXaZJ5jq

Score

10^/10

cycbot backdoor discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 8 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1860-65-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1860-68-0x0000000000400000-0x0000000000467000-memory.dmp	family_cycbot
behavioral1/memory/1524-71-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1524-70-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1860-180-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2232-183-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1860-361-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1860-364-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
2944	257B.tmp

Loads dropped DLL 5 IoCs

pid	Process
1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe
1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\424.exe = "C:\\Program Files (x86)\\LP\\5E13\\424.exe"	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1860-3-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1860-65-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1860-68-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1524-71-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1524-70-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1860-180-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2232-182-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2232-183-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1860-361-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1860-364-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\5E13\424.exe	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe
File opened for modification	C:\Program Files (x86)\LP\5E13\424.exe	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe
File opened for modification	C:\Program Files (x86)\LP\5E13\257B.tmp	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2700	2944	WerFault.exe	36

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	257B.tmp

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe
1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe
1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe
1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe
1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe
1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe
1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe
1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe
1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe
1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe
1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe
1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe
1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe
1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1888	explorer.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeSecurityPrivilege	2892	msiexec.exe
Token: SeShutdownPrivilege	1888	explorer.exe
Token: SeShutdownPrivilege	1888	explorer.exe
Token: SeShutdownPrivilege	1888	explorer.exe
Token: SeShutdownPrivilege	1888	explorer.exe
Token: SeShutdownPrivilege	1888	explorer.exe
Token: SeShutdownPrivilege	1888	explorer.exe
Token: SeShutdownPrivilege	1888	explorer.exe
Token: SeShutdownPrivilege	1888	explorer.exe
Token: SeShutdownPrivilege	1888	explorer.exe
Token: SeShutdownPrivilege	1888	explorer.exe
Token: SeShutdownPrivilege	1888	explorer.exe
Token: SeShutdownPrivilege	1888	explorer.exe
Token: SeShutdownPrivilege	1888	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 1524	1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe	30
PID 1860 wrote to memory of 1524	1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe	30
PID 1860 wrote to memory of 1524	1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe	30
PID 1860 wrote to memory of 1524	1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe	30
PID 1860 wrote to memory of 2232	1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe	33
PID 1860 wrote to memory of 2232	1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe	33
PID 1860 wrote to memory of 2232	1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe	33
PID 1860 wrote to memory of 2232	1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe	33
PID 1860 wrote to memory of 2944	1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe	36
PID 1860 wrote to memory of 2944	1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe	36
PID 1860 wrote to memory of 2944	1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe	36
PID 1860 wrote to memory of 2944	1860	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe	36
PID 2944 wrote to memory of 2700	2944	257B.tmp	37
PID 2944 wrote to memory of 2700	2944	257B.tmp	37
PID 2944 wrote to memory of 2700	2944	257B.tmp	37
PID 2944 wrote to memory of 2700	2944	257B.tmp	37

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe"
1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1860
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe startC:\Users\Admin\AppData\Roaming\35C7B\AAF5E.exe%C:\Users\Admin\AppData\Roaming\35C7B
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1524
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4cd6b2868ebf513c1e0772e756c60f39.exe startC:\Program Files (x86)\7BA5B\lvvm.exe%C:\Program Files (x86)\7BA5B
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2232
- C:\Program Files (x86)\LP\5E13\257B.tmp
  "C:\Program Files (x86)\LP\5E13\257B.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 176
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2700

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

4

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\35C7B\BA5B.5C7

Filesize
996B

MD5
046e7e8aac1902f8fb2e5496d20eaeba

SHA1
35d6bc0d441f1e1ab1234dac42e01b866792dfaf

SHA256
27e9d7d0b1b3861da3bd8b99f01f104ac3ba8bab9a633c4ef506dfe27a5105a3

SHA512
bf480a0724ed6ad814806538929f574cbe086c14803294ffa78fe61b94830abe2da485578f60c9cab7691d6f6d51d2035b48b9f9da1a97339e8011a9d1d34552

Download Submit
C:\Users\Admin\AppData\Roaming\35C7B\BA5B.5C7

Filesize
1KB

MD5
575a8e72ba82c0c9450871fc97c92870

SHA1
54e45a20facae66f4f42f38b9c20f3c03459f218

SHA256
c34f54f42b1016043fe31278123000b044e442f3c5191f7a14fff28f0dc2bc65

SHA512
7af9e8c6a966f210f40adf91fbbd7a9d0bb42efd2500b4ba64999d1b0074721ccc0365e51c1e77fc774bf81a13a78225215f7fefac188439dcd30590517664d2

Download Submit
C:\Users\Admin\AppData\Roaming\35C7B\BA5B.5C7

Filesize
600B

MD5
51b1a0c188a3c234f74bf281492cc997

SHA1
747268496e7866c656544c9feb6b60b18ee31da6

SHA256
eaae1d79387aa53062ce61debefec96263c6ff5e8f43105736c1817e99bc9918

SHA512
043dbc6363cb5800c0139c10fae5ead371406533b4ce209da31812147c96dfd0df617b8ac60f15c22d2b5e8d0a257502d4a0049fc9d3ebb19218c56fc1def297

Download Submit
C:\Users\Admin\AppData\Roaming\35C7B\BA5B.5C7

Filesize
300B

MD5
6f76c3384575a4c71e62f54b19a01708

SHA1
dbcdf2bde6d1564cbc317a87ad1db628f98ce648

SHA256
bbf62a9637abba5cdedb3b89553cf15eb4070c899fbdda42bbd7436458e2ea22

SHA512
31994f4bff697956e0aa1521a0359bfb756d46206624a31e32dd2de3b170fbe5b5dca30a8f4dd32b218439392f1799323235bdb14b7b1804fd6d063bc1a7e9fb

Download Submit
\Program Files (x86)\LP\5E13\257B.tmp

Filesize
97KB

MD5
6b5ac6578a6569bd04a0cd84361d62a4

SHA1
47a4e0e5d0dba0cfa49e7714eb1132c1e124fec9

SHA256
fcf0d2693cdf1581388d1ea096f38af087f8fda24a0394bad49c6f33d6e1d0d2

SHA512
e95ae3ac6e37697ff2e967c5c08359c5425c288039e586d89009e1ed2bd58786ea5ae23c1425389e5ff46f31d3129b617d6a1e5f3eb92ba1955f91a183b0b87c

Download Submit
memory/1524-70-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1524-67-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1524-71-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1860-65-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1860-68-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1860-180-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1860-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1860-3-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1860-2-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1860-361-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1860-364-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2232-182-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2232-183-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads