cycbot | 15b6b76d2c629f52df262f07fc3c32eed160356e9f52793cb7816324ac555694

General

Target

JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe
Size

276KB
MD5

59c5b37c788d77f77b5927ef8f6fdb7b
SHA1

73c0b21725f817d410d3a69c5313f6cc48c0ac99
SHA256

15b6b76d2c629f52df262f07fc3c32eed160356e9f52793cb7816324ac555694
SHA512

7db66afed6abc6d605ecdb73d2c9a25908cfadbb2677e4896b5672c64f1e74cac14fd63e9f29fa3e263f3fa6427c13913b51b31069bddd8c225bb5abcc14f0dc
SSDEEP

6144:PCtp6BmQHO+RyQvemdoAx76y7wBRwSwLMtUvh:oxMO+RRvem3xZ+wDvh

Score

10^/10

cycbot backdoor discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 10 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2796-4-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2796-5-0x0000000000400000-0x0000000000467000-memory.dmp	family_cycbot
behavioral1/memory/2796-15-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1784-18-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1784-19-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2796-161-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1672-182-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2796-187-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2796-296-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2796-299-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
2960	D8A3.tmp

Loads dropped DLL 5 IoCs

pid	Process
2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe
2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe
1188	WerFault.exe
1188	WerFault.exe
1188	WerFault.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\D3A.exe = "C:\\Program Files (x86)\\LP\\2CDB\\D3A.exe"	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2796-3-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2796-4-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2796-5-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2796-15-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1784-18-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1784-19-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2796-161-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1672-182-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2796-187-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2796-296-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2796-299-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\2CDB\D3A.exe	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe
File opened for modification	C:\Program Files (x86)\LP\2CDB\D8A3.tmp	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe
File opened for modification	C:\Program Files (x86)\LP\2CDB\D3A.exe	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1188	2960	WerFault.exe	36

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D8A3.tmp

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe
2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe
2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe
2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe
2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe
2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe
2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe
2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe
2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe
2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe
2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe
2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe
2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe
2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1748	explorer.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeRestorePrivilege	2704	msiexec.exe
Token: SeTakeOwnershipPrivilege	2704	msiexec.exe
Token: SeSecurityPrivilege	2704	msiexec.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe

Suspicious use of SendNotifyMessage 19 IoCs

pid	Process
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 1784	2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe	31
PID 2796 wrote to memory of 1784	2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe	31
PID 2796 wrote to memory of 1784	2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe	31
PID 2796 wrote to memory of 1784	2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe	31
PID 2796 wrote to memory of 1672	2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe	35
PID 2796 wrote to memory of 1672	2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe	35
PID 2796 wrote to memory of 1672	2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe	35
PID 2796 wrote to memory of 1672	2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe	35
PID 2796 wrote to memory of 2960	2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe	36
PID 2796 wrote to memory of 2960	2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe	36
PID 2796 wrote to memory of 2960	2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe	36
PID 2796 wrote to memory of 2960	2796	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe	36
PID 2960 wrote to memory of 1188	2960	D8A3.tmp	37
PID 2960 wrote to memory of 1188	2960	D8A3.tmp	37
PID 2960 wrote to memory of 1188	2960	D8A3.tmp	37
PID 2960 wrote to memory of 1188	2960	D8A3.tmp	37

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe"
1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2796
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe startC:\Users\Admin\AppData\Roaming\B7D87\2062C.exe%C:\Users\Admin\AppData\Roaming\B7D87
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1784
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59c5b37c788d77f77b5927ef8f6fdb7b.exe startC:\Program Files (x86)\8724F\lvvm.exe%C:\Program Files (x86)\8724F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1672
- C:\Program Files (x86)\LP\2CDB\D8A3.tmp
  "C:\Program Files (x86)\LP\2CDB\D8A3.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 176
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1188

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

4

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B7D87\724F.7D8

Filesize
996B

MD5
c0ebbd7e057819b4a2f1c8c7799ab07c

SHA1
3cbb783d042b182a7a4002680d16469663a42854

SHA256
0dc22324e3915c32f4a69deda91b0f1ac2e0d92c8ad98ab5f29d30f07a3236a6

SHA512
3a55664ae02776428ba83f2d19e067e7c6425c2f13ee66eaab340f45577e6339d9024a0dc00727c3975ba80da668b2fa55811f30e5b7b86a8fbb6c0b6410eb3c

Download Submit
C:\Users\Admin\AppData\Roaming\B7D87\724F.7D8

Filesize
1KB

MD5
d3fd455fab5738a20e0a9029176b20bb

SHA1
da2e44c28e003c7e2548f844d547175a6c073820

SHA256
34c3db9619d045a84ca11a154afd3a3de1c1e057564d20fe23330f468b2331d6

SHA512
8b982498b1d886e8320f139822b316dc33e6206e20f87e470d7a7e4477d7f82dc2c50e5a6f3662108796bf0db7fc67942cca31ea83c84c6fc59efe9f948a2ba0

Download Submit
C:\Users\Admin\AppData\Roaming\B7D87\724F.7D8

Filesize
600B

MD5
092fdb6fd5713ec3fe9115a41792bcfc

SHA1
affebeb071e8d6cb8a9c8df109280ac2e416f047

SHA256
005377b6307f9549d1696f5bb034309d3c99dd671c371bdbc093b67731857272

SHA512
439641f42a2aa8ec35652887dbc42ec5c2820d88a7e1a8b83c9d3038a9439edaf21d2bbac2048327920ec80e8ca3c151485e13fc2f6ace538978813eff2735a7

Download Submit
C:\Users\Admin\AppData\Roaming\B7D87\724F.7D8

Filesize
1KB

MD5
75dd6fbe28b87c50ffec81e77d668e00

SHA1
6a97b29fe677f4cf3c8338376b6272ac34edcdd9

SHA256
85309da5971b3ad11d16982affa802fc2fef4957f18f3869ae1d17d9343e4a71

SHA512
2559ac321cd40cd868b88ee809485d8c4ca994ad1270589f2659f1a094bb7b36ff3657982b953a2bf920981ca168a4030796da786da68c5a126e15b18274c533

Download Submit
\Program Files (x86)\LP\2CDB\D8A3.tmp

Filesize
97KB

MD5
6b5ac6578a6569bd04a0cd84361d62a4

SHA1
47a4e0e5d0dba0cfa49e7714eb1132c1e124fec9

SHA256
fcf0d2693cdf1581388d1ea096f38af087f8fda24a0394bad49c6f33d6e1d0d2

SHA512
e95ae3ac6e37697ff2e967c5c08359c5425c288039e586d89009e1ed2bd58786ea5ae23c1425389e5ff46f31d3129b617d6a1e5f3eb92ba1955f91a183b0b87c

Download Submit
memory/1672-182-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1784-18-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1784-19-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2796-15-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2796-161-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2796-5-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2796-4-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2796-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2796-187-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2796-2-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2796-3-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2796-296-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2796-299-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads