cycbot | 9dfbd6c6bbf15031c1d572ac2007057268def2b4d5d016b0637cafc6eddc7491

General

Target

JaffaCakes118_5932ee0424d80f3fcb692f59d0db2f9b.exe
Size

169KB
MD5

5932ee0424d80f3fcb692f59d0db2f9b
SHA1

0eebb9cacd13a8635c5a921b23d698f5983a71c2
SHA256

9dfbd6c6bbf15031c1d572ac2007057268def2b4d5d016b0637cafc6eddc7491
SHA512

1771572bb5d66baec9168e6ec70fa28db4fb1fafaf09189250b485c73d96ac5d7307f354a24906e3ce6b24b65fb6f014056c828de5cd4ed1e1138b9519a40e11
SSDEEP

3072:AoFpS/l7ibWLcjhkznEgascJBt4R62ltC5QRUY94GDycGwJBt89Iw1a+VzzVN8:AKaAbWLcjrt4R6kA5QaY8i0j1NY

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2792-9-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2792-8-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2676-20-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/1612-93-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2676-94-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2676-200-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_5932ee0424d80f3fcb692f59d0db2f9b.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2676-2-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2792-9-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2792-8-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2676-20-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1612-91-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1612-93-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2676-94-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2676-200-0x0000000000400000-0x000000000048A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5932ee0424d80f3fcb692f59d0db2f9b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5932ee0424d80f3fcb692f59d0db2f9b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5932ee0424d80f3fcb692f59d0db2f9b.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2792	2676	JaffaCakes118_5932ee0424d80f3fcb692f59d0db2f9b.exe	30
PID 2676 wrote to memory of 2792	2676	JaffaCakes118_5932ee0424d80f3fcb692f59d0db2f9b.exe	30
PID 2676 wrote to memory of 2792	2676	JaffaCakes118_5932ee0424d80f3fcb692f59d0db2f9b.exe	30
PID 2676 wrote to memory of 2792	2676	JaffaCakes118_5932ee0424d80f3fcb692f59d0db2f9b.exe	30
PID 2676 wrote to memory of 1612	2676	JaffaCakes118_5932ee0424d80f3fcb692f59d0db2f9b.exe	32
PID 2676 wrote to memory of 1612	2676	JaffaCakes118_5932ee0424d80f3fcb692f59d0db2f9b.exe	32
PID 2676 wrote to memory of 1612	2676	JaffaCakes118_5932ee0424d80f3fcb692f59d0db2f9b.exe	32
PID 2676 wrote to memory of 1612	2676	JaffaCakes118_5932ee0424d80f3fcb692f59d0db2f9b.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5932ee0424d80f3fcb692f59d0db2f9b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5932ee0424d80f3fcb692f59d0db2f9b.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5932ee0424d80f3fcb692f59d0db2f9b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5932ee0424d80f3fcb692f59d0db2f9b.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5932ee0424d80f3fcb692f59d0db2f9b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5932ee0424d80f3fcb692f59d0db2f9b.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F477.F11

Filesize
297B

MD5
862523b7d3e2a822c74745fa5eb80619

SHA1
d77ee763a42b6fe36e77df86ce65c1326f397a82

SHA256
2be927b767e39616dc5fc799f2100df9a69a95a4ca2888cd6cc5470274d60fb4

SHA512
c04931a079ad3a2dbea431296d300303be94282006fdfbe9c845628abe475af8d578756b5cf5759edc71a8b9839857284042b624eb9ed0e86823087013e7e58b

Download Submit
C:\Users\Admin\AppData\Roaming\F477.F11

Filesize
1KB

MD5
3ccee026425fb3d3a6943e8e4d5568c4

SHA1
4b56ea3fb2d751ae09261388e8e4d5b52b96c5ea

SHA256
39b21a5414d9baf866c5d6d789a87846f2841426dfab15d1a273eb5a1880f082

SHA512
39d5ee23476c4488e13a15a6c8f3965cedef0e3caf6255465c39ddadcca95cf714d58971ef58e95c6fcdab91bf11b6c8d4d473f593bfe52866b8313818b1a6f8

Download Submit
C:\Users\Admin\AppData\Roaming\F477.F11

Filesize
897B

MD5
ad8787adf5e874b616173e99bb580845

SHA1
fa79cb4e4bdc242af90c5e03dce0e9f06eaea02b

SHA256
afb246848690f9da708d33a74ddb081c99639945af20808c7272f01e7715f13a

SHA512
1b6773a43462c65466fab0cc5ede80a3deed8d1fa8e475bc3954196f524decd09ac9199c3af772854e615815c35bc13c64fc7312a6cf29378101fc29718be7ba

Download Submit
C:\Users\Admin\AppData\Roaming\F477.F11

Filesize
1KB

MD5
882b5e979f5dee24f2c69d2a9daff52b

SHA1
6aa9f4e37f5b2481f542ed4129260b2c8b368788

SHA256
5724386b70b089d116958eab30724776b00341e032a1631bccd3b72b26c77f8d

SHA512
83d2b67ac748ec7096055470777d3783912cb9b609c0ff7d54205323307de609f1c4981dd2f59c1520d5e67aa4b69cfeb48955452fe25cc0dc4f737aa495a8f0

Download Submit
memory/1612-91-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1612-93-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2676-94-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2676-20-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2676-1-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2676-2-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2676-200-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2792-8-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2792-9-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads