cycbot | 17130b19c4f253fc868435a307feacc17ca163a23f5624243fb627b19ba544a0

General

Target

JaffaCakes118_7ac3fe0174fde0e9d7cf160feccd7d36.exe
Size

163KB
MD5

7ac3fe0174fde0e9d7cf160feccd7d36
SHA1

d8164e8b9785fc64e8f6dab6007420cecf731291
SHA256

17130b19c4f253fc868435a307feacc17ca163a23f5624243fb627b19ba544a0
SHA512

6e273ac47b862f8c9de33695010f9755ce48af3d9a8c75234735b60c953acd68ad3de80580cf5fb7fdfa80dafe8f9c122f88ea984feabb24f5d45a37abc0a872
SSDEEP

3072:Za3Oc7/KTefrrHMqvw7kIKuj1hZWzRj1qKwx5+c2BHj9ivA:ZFc7/AeJvw7XLjdWB19RxHM

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2668-13-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2968-14-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/2968-15-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/1444-129-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2968-130-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2968-304-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\EAEA0\\93024.exe"	JaffaCakes118_7ac3fe0174fde0e9d7cf160feccd7d36.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2968-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2668-12-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2668-13-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2968-14-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2968-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1444-129-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2968-130-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2968-304-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7ac3fe0174fde0e9d7cf160feccd7d36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7ac3fe0174fde0e9d7cf160feccd7d36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7ac3fe0174fde0e9d7cf160feccd7d36.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2668	2968	JaffaCakes118_7ac3fe0174fde0e9d7cf160feccd7d36.exe	29
PID 2968 wrote to memory of 2668	2968	JaffaCakes118_7ac3fe0174fde0e9d7cf160feccd7d36.exe	29
PID 2968 wrote to memory of 2668	2968	JaffaCakes118_7ac3fe0174fde0e9d7cf160feccd7d36.exe	29
PID 2968 wrote to memory of 2668	2968	JaffaCakes118_7ac3fe0174fde0e9d7cf160feccd7d36.exe	29
PID 2968 wrote to memory of 1444	2968	JaffaCakes118_7ac3fe0174fde0e9d7cf160feccd7d36.exe	31
PID 2968 wrote to memory of 1444	2968	JaffaCakes118_7ac3fe0174fde0e9d7cf160feccd7d36.exe	31
PID 2968 wrote to memory of 1444	2968	JaffaCakes118_7ac3fe0174fde0e9d7cf160feccd7d36.exe	31
PID 2968 wrote to memory of 1444	2968	JaffaCakes118_7ac3fe0174fde0e9d7cf160feccd7d36.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ac3fe0174fde0e9d7cf160feccd7d36.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ac3fe0174fde0e9d7cf160feccd7d36.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ac3fe0174fde0e9d7cf160feccd7d36.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ac3fe0174fde0e9d7cf160feccd7d36.exe startC:\Program Files (x86)\LP\24FE\9F7.exe%C:\Program Files (x86)\LP\24FE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2668
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ac3fe0174fde0e9d7cf160feccd7d36.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ac3fe0174fde0e9d7cf160feccd7d36.exe startC:\Program Files (x86)\A07E7\lvvm.exe%C:\Program Files (x86)\A07E7
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\EAEA0\07E7.AEA

Filesize
996B

MD5
1a992ec48327c3973d6d7c4bcb244405

SHA1
8cdbcbe57f1245c66010006c719f78e4e3f63e31

SHA256
b08082a47516c20db1c00d6a57afd86ed9ec10fdc65083a3afc1030b77223fcb

SHA512
96dd3bf30d4a72de1281fb09824d1c54112a93ba061043bd11631bd75bbf96fe003be5722fc7ad987dd42643eec1cba5a4eca850f12c9f78fd03c853a0a7feb9

Download Submit
C:\Users\Admin\AppData\Roaming\EAEA0\07E7.AEA

Filesize
600B

MD5
f780c91af779f55e1c6e5490475a4d7e

SHA1
63edc48e4e724989f76c0e04a2d889a01793a72c

SHA256
b9674f65f23532753af4f4bbe7a8195052046b85c1af479dae4f7253d3dd4e68

SHA512
25b2feff1ac216a5de6909f04214c83ea86a23cce1a33feb1659bfa4a819c768690bab0d5e163ea89ad9ffd0abe406182a3bf2766560bc41cf3d26df522434be

Download Submit
C:\Users\Admin\AppData\Roaming\EAEA0\07E7.AEA

Filesize
1KB

MD5
6b7b590f00771a523f9c7045c11776a3

SHA1
a6a284cdff237b55beddb0315b65295abcbfb882

SHA256
e58038867ab62e899e0110c54eaf023336a31de414570ae270fa23e9c7ead161

SHA512
9e54b0296e31257ce4d505efe40c6577d8a305080eb48091b149f84d9633912b8804ac1e6de4021f9459f8f663600286eb4e9075d1ba9411261423171bd9efe2

Download Submit
memory/1444-129-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1444-128-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2668-13-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2668-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2968-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2968-14-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2968-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2968-130-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2968-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2968-304-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads