cycbot | 4f3a48c538c358f8f260695c255b977a779455fd4fe719bd369ce0e2d1222308

General

Target

JaffaCakes118_55ae852b24e523abdd4745db06c4a838.exe
Size

169KB
MD5

55ae852b24e523abdd4745db06c4a838
SHA1

87927f006150347e5aacb2f47d53defecd27f0da
SHA256

4f3a48c538c358f8f260695c255b977a779455fd4fe719bd369ce0e2d1222308
SHA512

871d750792cc9e2309dcb7ca466183f250f0056d2c6051f588e8029b5e93bd849e039b9517ac5cf8d2d1261791ed7cc0e6cbbbd497e39e60431e5d14177a3c69
SSDEEP

3072:3AQUpw/CpFQxIZ/ycf9pozBMd9yqM9Kg3IDXnDWTJU7Kd2bm6pr:3ARfpiO71/DLMAg3uXnqQKdmm6pr

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2744-5-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2848-14-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2496-76-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2496-78-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2848-79-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2848-183-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_55ae852b24e523abdd4745db06c4a838.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2848-1-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2744-5-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2744-4-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2848-14-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2496-76-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2496-78-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2848-79-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2848-183-0x0000000000400000-0x000000000046A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_55ae852b24e523abdd4745db06c4a838.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_55ae852b24e523abdd4745db06c4a838.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_55ae852b24e523abdd4745db06c4a838.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2744	2848	JaffaCakes118_55ae852b24e523abdd4745db06c4a838.exe	30
PID 2848 wrote to memory of 2744	2848	JaffaCakes118_55ae852b24e523abdd4745db06c4a838.exe	30
PID 2848 wrote to memory of 2744	2848	JaffaCakes118_55ae852b24e523abdd4745db06c4a838.exe	30
PID 2848 wrote to memory of 2744	2848	JaffaCakes118_55ae852b24e523abdd4745db06c4a838.exe	30
PID 2848 wrote to memory of 2496	2848	JaffaCakes118_55ae852b24e523abdd4745db06c4a838.exe	32
PID 2848 wrote to memory of 2496	2848	JaffaCakes118_55ae852b24e523abdd4745db06c4a838.exe	32
PID 2848 wrote to memory of 2496	2848	JaffaCakes118_55ae852b24e523abdd4745db06c4a838.exe	32
PID 2848 wrote to memory of 2496	2848	JaffaCakes118_55ae852b24e523abdd4745db06c4a838.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55ae852b24e523abdd4745db06c4a838.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55ae852b24e523abdd4745db06c4a838.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55ae852b24e523abdd4745db06c4a838.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55ae852b24e523abdd4745db06c4a838.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2744
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55ae852b24e523abdd4745db06c4a838.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55ae852b24e523abdd4745db06c4a838.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D88F.890

Filesize
1KB

MD5
a5d8afe0eeb0c01ec1b6f30ea0382332

SHA1
dea4207496f7e3622699f587eec9df73c5e24ed1

SHA256
24d647770232110cf7dbdfce2f009f4cf67a7a361e913f93cb0ea6b90b95fb9a

SHA512
8f1a349eb861e77bc2042f66ee2d52b0e2b73db789f7ccdcd99cd4f043f217c6d95e1c899c35e374e783c237dedf5e475105cce6ec6574e6c3e11134b9a31153

Download Submit
C:\Users\Admin\AppData\Roaming\D88F.890

Filesize
1KB

MD5
8b009f75d135f67f8e49b8dc40880d5f

SHA1
37d280ec3276784afbcd34ed704382fc866570ce

SHA256
c055131b8b082870757e1b59c45ba3c5cbce0217557054eb10098d7fc7e4c245

SHA512
841171f22d583a105def5d5128944ed4600a872a7c6ec3cff772143f5a968eb945e4d3f4c24695280156ab8b8321e2a58bc2a9ca6c6ec205f4a2a23449aa3799

Download Submit
C:\Users\Admin\AppData\Roaming\D88F.890

Filesize
600B

MD5
36ad5caf408aa1e6d0aac060389201de

SHA1
8c66fc62ff0d012711468671dcaef88b0f6b166e

SHA256
8cf96df3b6d070f6220e40da1cd39deea592187a74e31d62623e7476f76b751b

SHA512
df0a8b79c836e8af400b6368a25d98bead58f661b9f04a5d849f06790eb6d6f3066d33abcb5dc15b78492af79a01793d24cb13aa3e560c2abcb13dcc1781281f

Download Submit
C:\Users\Admin\AppData\Roaming\D88F.890

Filesize
996B

MD5
434e2a70f14e8f669001bd0656a47d88

SHA1
e4a0f9d6468c95be9452ab022a809a65b444fbc4

SHA256
4b3501112e1a5a1b78092b171b74e3cd26e252cdebcb728f45d398881c2b416a

SHA512
454914d2893b0176535d8025c90f273dc7fc0c39c9b13fe3701389eb8ce46ca46427f15aefc4fe0343f3eb216cc759284f4b49e02f2ec0c1d8f467343187d847

Download Submit
memory/2496-75-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2496-76-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2496-78-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2744-4-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2744-5-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2848-1-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2848-79-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2848-14-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2848-183-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads