cycbot | 198bf94a578eb6a3403029983d49bfaec46c5faa07053de40168a6572e9ebf9c

General

Target

JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe
Size

165KB
MD5

8701351287784126d2b6fc00a3f7215b
SHA1

1b8f28a02416d12e485f06b445994c17ecf89fff
SHA256

198bf94a578eb6a3403029983d49bfaec46c5faa07053de40168a6572e9ebf9c
SHA512

f9cd6aa7bc05611c1f2baf2f968be3dca989af33286d40132e3fb16f7c4fcc202ddb254dfe4d4e1b1103cdf20e11271df7f63760259cb745eddaaf02d74d35b2
SSDEEP

3072:snouwXqQPvUubHKBT3D8kH4/xA02cRHwneYifp5rMARkygyNbVGPzYtKrU:EouwXqQPvUuSDH4Jp2OaIRCJtHU

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2852-15-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2852-17-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2380-18-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2380-19-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/2952-129-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2380-132-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2380-306-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\99C53\\FBEB6.exe"	JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2380-4-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2852-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2852-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2852-17-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2380-18-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2380-19-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2952-129-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2380-132-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2380-306-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2852	2380	JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe	29
PID 2380 wrote to memory of 2852	2380	JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe	29
PID 2380 wrote to memory of 2852	2380	JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe	29
PID 2380 wrote to memory of 2852	2380	JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe	29
PID 2380 wrote to memory of 2952	2380	JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe	31
PID 2380 wrote to memory of 2952	2380	JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe	31
PID 2380 wrote to memory of 2952	2380	JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe	31
PID 2380 wrote to memory of 2952	2380	JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe startC:\Program Files (x86)\LP\B669\826.exe%C:\Program Files (x86)\LP\B669
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2852
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8701351287784126d2b6fc00a3f7215b.exe startC:\Program Files (x86)\53C6A\lvvm.exe%C:\Program Files (x86)\53C6A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\99C53\3C6A.9C5

Filesize
996B

MD5
92a5e8150ce76a1dad14320f96f36152

SHA1
674f21a853afb0c343174d776d074ef2b78da7ff

SHA256
4449fab1fc194d84e609f368083dddb9dc5ea3991a502880a5b894e2dbe4e8e4

SHA512
f12db5e6d0f9e849edc169f24d093fc24de15d373e7af21aebcdf20af6f2ebcb6d800d8ba1d13b6984c572116632b3b5eb7eefad6bca390b7544d320e310fca1

Download Submit
C:\Users\Admin\AppData\Roaming\99C53\3C6A.9C5

Filesize
600B

MD5
560fdfc457ce360bc183b95d072e24d0

SHA1
7fa6ad78e94c5fb96b99b3ae5435d0f3e4ae7c26

SHA256
27797dc2e45c8ec0f8b1dffd81a4e98ec5cd86619d1866ebf6cea7f0f1b64e84

SHA512
73876cc38142338cc96ddc9f48807e805d1a4eb844c213515dd2d91ede589b074f2c52531358ef49214ab91f81f537e644ef2865ad443e47a40d8ba8aa50a62b

Download Submit
C:\Users\Admin\AppData\Roaming\99C53\3C6A.9C5

Filesize
1KB

MD5
1bbdf1a3dccae515602154d87b3ad1ea

SHA1
5bebb8203c1f44b2e903f48fdd02f5c8ebe691b0

SHA256
c75f54130a40a65fe956a954109bd51f2bc7c6333ef4382f00891f22c2248c72

SHA512
ac1cbd16075ab9f591ca57b8dcbc39cd936165857dfa283a84bbf733d86a9a9a18a9ab69e9bc94c2f0a77c475c4688a985fbd5ddc2bbc8c8e0e932acd8ca2fab

Download Submit
memory/2380-132-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2380-18-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2380-19-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2380-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2380-4-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2380-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2380-306-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2852-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2852-17-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2852-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2952-130-0x0000000000337000-0x000000000034D000-memory.dmp

Filesize
88KB

Download
memory/2952-129-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2952-131-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads