cycbot | 1a591be854fb461c5eeaf424bf50c370dd547a35e0e63f6b70ce1e49021f2d00

General

Target

JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe
Size

173KB
MD5

7dae07bd36ee342c0cb8eb165721fcbc
SHA1

3dce070abde87455b42cbf7b30461da42f99d2ea
SHA256

1a591be854fb461c5eeaf424bf50c370dd547a35e0e63f6b70ce1e49021f2d00
SHA512

ebfeaf939edf39d6bcbf2f1911d91508351670a825e4c849c11e4c0ed1e20ecb9f44f42071e986c8234280d3bb30161536d0096901cf0334ffa7223b44ca0000
SSDEEP

3072:mlzKHalGCntghiP+q2xmQQQ75RvDabe20LtO+Pfwl/e/+dHXTkbqHV+yLLmO0jEJ:AKHphiC1zGbWzXwl/vVjkOHVNX0jEk

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2944-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2944-14-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2420-16-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2420-17-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/2744-141-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2420-142-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2420-292-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\5BA3E\\AC432.exe"	JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2420-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2944-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2944-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2420-16-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2420-17-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2744-139-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2744-141-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2420-142-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2420-292-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2944	2420	JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe	28
PID 2420 wrote to memory of 2944	2420	JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe	28
PID 2420 wrote to memory of 2944	2420	JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe	28
PID 2420 wrote to memory of 2944	2420	JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe	28
PID 2420 wrote to memory of 2744	2420	JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe	32
PID 2420 wrote to memory of 2744	2420	JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe	32
PID 2420 wrote to memory of 2744	2420	JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe	32
PID 2420 wrote to memory of 2744	2420	JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe startC:\Program Files (x86)\LP\32F5\5C6.exe%C:\Program Files (x86)\LP\32F5
  2⤵
  PID:2944
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7dae07bd36ee342c0cb8eb165721fcbc.exe startC:\Program Files (x86)\3EA96\lvvm.exe%C:\Program Files (x86)\3EA96
  2⤵
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5BA3E\EA96.BA3

Filesize
996B

MD5
8dabe0716eca104e2efbd6812fcecf9e

SHA1
738e53db99f5ee797bb2d89cc7f657168e93bf22

SHA256
ca91a6c18c7a51d60104946d2de14c43361078eb432b50193d7a9360e94eb84a

SHA512
6e1870e465d51e3362facaa647a22d69357b51fe068d871f839d0ffe993688c0c62b1246436210cf2bdcc7ef747a80ab6c12170fea23d5d06c839e4bb1b08614

Download Submit
C:\Users\Admin\AppData\Roaming\5BA3E\EA96.BA3

Filesize
600B

MD5
5eb40e2d43e10c285c90e80051384fae

SHA1
386dafdfbeaaf3402b687b667b86388919d43bb5

SHA256
71bd65a204a595372f04ceb87c3c13aa3c4326b2197a0ade2a99107611d3e227

SHA512
aa7680305622e27c490d1b0c7cd4ccca30ee6b819b3925c1802975faa718f2741ac62c77e8980e626fb73ec3e39dafa3c5685f8a24a776e78bcfa8f421808124

Download Submit
C:\Users\Admin\AppData\Roaming\5BA3E\EA96.BA3

Filesize
1KB

MD5
f6847792e28407d7156bedeb4d145027

SHA1
fe2b2acd8593b748c2738ddcd917766984ee96c5

SHA256
93030ad21fbfeca94fbcb5918d2b89751d870b7872e46f1d8065b472a58663ff

SHA512
969a61975494c4315817299201e777fd911085199986b95eccb3ec176e78281b81f3948887b947f1babed5bc4e980a058ad5da01e97bbd6ccddf6db325a221d7

Download Submit
memory/2420-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2420-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2420-292-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2420-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2420-17-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2420-142-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2744-139-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2744-141-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2744-138-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2944-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2944-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2944-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads