cycbot | a7e8a020f033172279c5febafa95cbf7534ab4410ece9e4d361c7b4de6134590

General

Target

JaffaCakes118_99a841432b22ac1af0ea0d77454fa7f6.exe
Size

169KB
MD5

99a841432b22ac1af0ea0d77454fa7f6
SHA1

c5aa8cadaa83f71b214231a521580c8c0883c4a0
SHA256

a7e8a020f033172279c5febafa95cbf7534ab4410ece9e4d361c7b4de6134590
SHA512

74c460a47e7c666013c0dbfa0a6ff6ef9173a4a7a9935f70775da37e0e97659d34590270896390d4458035d48a21eec67c7c347892207a580742e57d691e64ec
SSDEEP

3072:R7x+w0QB9eePACXeAd90OFgeHWJmCzyYTxtur791cMkrezy:R7MQPDX70OFg/yY9QjkC

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/380-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/380-14-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2072-16-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/2072-17-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2072-78-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/872-82-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2072-189-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\79394\\3C43D.exe"	JaffaCakes118_99a841432b22ac1af0ea0d77454fa7f6.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2072-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/380-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/380-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2072-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2072-17-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2072-78-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/872-80-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/872-82-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2072-189-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_99a841432b22ac1af0ea0d77454fa7f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_99a841432b22ac1af0ea0d77454fa7f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_99a841432b22ac1af0ea0d77454fa7f6.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 380	2072	JaffaCakes118_99a841432b22ac1af0ea0d77454fa7f6.exe	31
PID 2072 wrote to memory of 380	2072	JaffaCakes118_99a841432b22ac1af0ea0d77454fa7f6.exe	31
PID 2072 wrote to memory of 380	2072	JaffaCakes118_99a841432b22ac1af0ea0d77454fa7f6.exe	31
PID 2072 wrote to memory of 380	2072	JaffaCakes118_99a841432b22ac1af0ea0d77454fa7f6.exe	31
PID 2072 wrote to memory of 872	2072	JaffaCakes118_99a841432b22ac1af0ea0d77454fa7f6.exe	33
PID 2072 wrote to memory of 872	2072	JaffaCakes118_99a841432b22ac1af0ea0d77454fa7f6.exe	33
PID 2072 wrote to memory of 872	2072	JaffaCakes118_99a841432b22ac1af0ea0d77454fa7f6.exe	33
PID 2072 wrote to memory of 872	2072	JaffaCakes118_99a841432b22ac1af0ea0d77454fa7f6.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_99a841432b22ac1af0ea0d77454fa7f6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_99a841432b22ac1af0ea0d77454fa7f6.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_99a841432b22ac1af0ea0d77454fa7f6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_99a841432b22ac1af0ea0d77454fa7f6.exe startC:\Program Files (x86)\LP\B3E7\C55.exe%C:\Program Files (x86)\LP\B3E7
  2⤵
  - System Location Discovery: System Language Discovery
  PID:380
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_99a841432b22ac1af0ea0d77454fa7f6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_99a841432b22ac1af0ea0d77454fa7f6.exe startC:\Program Files (x86)\94034\lvvm.exe%C:\Program Files (x86)\94034
  2⤵
  - System Location Discovery: System Language Discovery
  PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\79394\4034.939

Filesize
1KB

MD5
c470ede6d3839ddd700ae7f423110cc5

SHA1
126ca17745ab621497584a3020853046eb09a2f6

SHA256
a8e655c31a570423c30f769ddc7d457c8cabff3d4cf3b5864d9c2949b5651646

SHA512
0507a5a281af7b9bb969e7264435984c602f1db0b1eec39e941de6c691e79da9858957fadc8cf5c59d9a13b96699e1712df624663106a6635aad84990d557271

Download Submit
C:\Users\Admin\AppData\Roaming\79394\4034.939

Filesize
600B

MD5
51261da4a1c721fac5501351024537db

SHA1
fbde5d7ad63e026a763b17889f96ba7ef6bcbefc

SHA256
aa4bc4992a6b5cb3415bb8f92c9aba38c9c30bb13d3356201be2e1c2dde471d9

SHA512
f0eda4bd62844599bd7418e710f32741b37994e5135a08bf5995d2a4704b30f39c73e19376e635390e6787373d239c46b16df0e011283b72e63d5b600276341c

Download Submit
C:\Users\Admin\AppData\Roaming\79394\4034.939

Filesize
996B

MD5
b6ee33dd7feb2f8dc596f6d4c83ac797

SHA1
6684e042d96dab92b960733515beba86489bd1b0

SHA256
2220f9ed81f35739e0e946a8f102003aaac7dd453f986e2366921f0286dc0e20

SHA512
63a18536a2a0b6e7059aa040d5f33de9b4cfdbd1d1185b8f8526f30ce9c4106be35d31c52c8eb362100b1c29485ca3d92e6be9f77d8fa0d081e8b623b32fb9cf

Download Submit
memory/380-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/380-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/380-13-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/872-80-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/872-82-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2072-17-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2072-78-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2072-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2072-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2072-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2072-189-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads