cycbot | 4ca9d12e46b0f6c02aeca689eb943179e4a7b461cd643b535de1aa79abe799ee

General

Target

JaffaCakes118_7817a43cf7f7350b05344ec4cce3183b.exe
Size

163KB
MD5

7817a43cf7f7350b05344ec4cce3183b
SHA1

d7f6eaee04a9589b6e85fbd384390f46d75df400
SHA256

4ca9d12e46b0f6c02aeca689eb943179e4a7b461cd643b535de1aa79abe799ee
SHA512

4ead437b3f7f284cac582f1f5ddf9fe0493d1961280ff438884f6df54a7dcf87e95019bcbc7cd6a60381dfa02e34d2239060062a1d65657ca277517bdc64801c
SSDEEP

3072:CgR9Vjfy6pdySxR9gbHhtGNlz0y5qj3wakjlLQBr8nhnH22KaYO4FHxqNmb9:Cg1yt2700OBAnhnH2xaYO43Qmb

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2968-7-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2296-15-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/1876-89-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2296-90-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2296-197-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_7817a43cf7f7350b05344ec4cce3183b.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2296-2-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2968-5-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2968-7-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2296-15-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1876-88-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1876-89-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2296-90-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2296-197-0x0000000000400000-0x000000000048A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7817a43cf7f7350b05344ec4cce3183b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7817a43cf7f7350b05344ec4cce3183b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7817a43cf7f7350b05344ec4cce3183b.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2968	2296	JaffaCakes118_7817a43cf7f7350b05344ec4cce3183b.exe	31
PID 2296 wrote to memory of 2968	2296	JaffaCakes118_7817a43cf7f7350b05344ec4cce3183b.exe	31
PID 2296 wrote to memory of 2968	2296	JaffaCakes118_7817a43cf7f7350b05344ec4cce3183b.exe	31
PID 2296 wrote to memory of 2968	2296	JaffaCakes118_7817a43cf7f7350b05344ec4cce3183b.exe	31
PID 2296 wrote to memory of 1876	2296	JaffaCakes118_7817a43cf7f7350b05344ec4cce3183b.exe	33
PID 2296 wrote to memory of 1876	2296	JaffaCakes118_7817a43cf7f7350b05344ec4cce3183b.exe	33
PID 2296 wrote to memory of 1876	2296	JaffaCakes118_7817a43cf7f7350b05344ec4cce3183b.exe	33
PID 2296 wrote to memory of 1876	2296	JaffaCakes118_7817a43cf7f7350b05344ec4cce3183b.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7817a43cf7f7350b05344ec4cce3183b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7817a43cf7f7350b05344ec4cce3183b.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7817a43cf7f7350b05344ec4cce3183b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7817a43cf7f7350b05344ec4cce3183b.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2968
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7817a43cf7f7350b05344ec4cce3183b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7817a43cf7f7350b05344ec4cce3183b.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FD53.762

Filesize
1KB

MD5
743e404b05cef14acaa57883495fef3f

SHA1
05451c3a354f2646296acf171735b2fca0788062

SHA256
9f0255c355bbf9c7e47939b24bf6d37075ee57bfb6c71c9659ad117678e4f9e0

SHA512
0cb3fee6d009481363df6234eda474c7d0b902130d78e52f49aee35a112919d40b5136e4eecdd258171cd2f51bbeb6405f44b7ae9cb9005454eaca6b576dabfa

Download Submit
C:\Users\Admin\AppData\Roaming\FD53.762

Filesize
600B

MD5
9e13e7bcc5c73fca734b6f94f3d26b51

SHA1
f3b7f34263b0a6c6033edf0fbaeee8d4a4428d30

SHA256
bd3b7006d9d0bdc6fa5abbfd9188558b4feed7b789464c9b544e941e481ed336

SHA512
4ee6c0670e128f3fe99da0bbc577b95ecf6977046aa6b16af15c097e7bb7c1a7328848ee9a790d244aa605a226878c5aaf046e33218c6840d0cd3d12d446141f

Download Submit
C:\Users\Admin\AppData\Roaming\FD53.762

Filesize
996B

MD5
f034402eb711575a994d5db47e274429

SHA1
8fcdf9e464e3dfac64070866a11b7beda1c2b750

SHA256
71ee686192ab970b068d91f3ef19875d3e9fbd8e89d8ab758549ce75e2cf459b

SHA512
a75d5e346dec962084b0ba112d90eae242bcf1bf5baf3cfc7f6ef6938d2d7fd1aaf7e6e6f87c87fd7bf2263875f7aa3e57d836ce9a5f42f25d589238a3ac4dee

Download Submit
memory/1876-88-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1876-89-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2296-1-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2296-2-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2296-15-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2296-90-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2296-197-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2968-5-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2968-7-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads