cycbot | 4c614436b483e1eed06866f9b7c318e9e72b2fe450b7d09a5e6caa434179ab51

General

Target

JaffaCakes118_92cedf6f06764869cbdfe35e45e971cf.exe
Size

167KB
MD5

92cedf6f06764869cbdfe35e45e971cf
SHA1

c0e6a9511e13c90a9b220a10566405b5a29f77f9
SHA256

4c614436b483e1eed06866f9b7c318e9e72b2fe450b7d09a5e6caa434179ab51
SHA512

cbb1dee0e56b1f4cb2e27bd709189aad042266591c1237873cbc2cd0738c8138f42fb1df41ac99fa037d4bf12f6464ddd94169275e3f81e6208df90a083e463c
SSDEEP

3072:dCOWflR2j4H2YM2CJ8MU6NrNAx/ivJq/QfOE8pM7L+o7gMw:b1j4H2YmNVNBAQI/QfoO7LGt

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1440-10-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/1440-9-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2084-21-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2084-86-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/1196-89-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2084-155-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2084-190-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_92cedf6f06764869cbdfe35e45e971cf.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2084-2-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1440-7-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1440-10-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1440-9-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2084-21-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2084-86-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1196-88-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1196-89-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2084-155-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2084-190-0x0000000000400000-0x000000000048A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_92cedf6f06764869cbdfe35e45e971cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_92cedf6f06764869cbdfe35e45e971cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_92cedf6f06764869cbdfe35e45e971cf.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1440	2084	JaffaCakes118_92cedf6f06764869cbdfe35e45e971cf.exe	31
PID 2084 wrote to memory of 1440	2084	JaffaCakes118_92cedf6f06764869cbdfe35e45e971cf.exe	31
PID 2084 wrote to memory of 1440	2084	JaffaCakes118_92cedf6f06764869cbdfe35e45e971cf.exe	31
PID 2084 wrote to memory of 1440	2084	JaffaCakes118_92cedf6f06764869cbdfe35e45e971cf.exe	31
PID 2084 wrote to memory of 1196	2084	JaffaCakes118_92cedf6f06764869cbdfe35e45e971cf.exe	33
PID 2084 wrote to memory of 1196	2084	JaffaCakes118_92cedf6f06764869cbdfe35e45e971cf.exe	33
PID 2084 wrote to memory of 1196	2084	JaffaCakes118_92cedf6f06764869cbdfe35e45e971cf.exe	33
PID 2084 wrote to memory of 1196	2084	JaffaCakes118_92cedf6f06764869cbdfe35e45e971cf.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_92cedf6f06764869cbdfe35e45e971cf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_92cedf6f06764869cbdfe35e45e971cf.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_92cedf6f06764869cbdfe35e45e971cf.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_92cedf6f06764869cbdfe35e45e971cf.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1440
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_92cedf6f06764869cbdfe35e45e971cf.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_92cedf6f06764869cbdfe35e45e971cf.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DCE5.91B

Filesize
597B

MD5
7726f4c00fc33c029fb89763ace1dc2c

SHA1
d6dae65aad09489a4a6f00979fec4a3ceef8b4bc

SHA256
3758f9319dd257a899e9b868c0ed9ed3a1ee3ce0430d30a7dc8dc183b5813102

SHA512
b53a3b00665f4e420922759706981454ac8243a94189e5c20fe45c5ae912e53ae5898bf9429c639fe0d9318e0bbe3171b2df08056954e331916255b9380b67ab

Download Submit
C:\Users\Admin\AppData\Roaming\DCE5.91B

Filesize
1KB

MD5
c1197f92cf10e6b62c662e3bad33ee8e

SHA1
868aba753b035392c5719e3eb468fb7ead797e3f

SHA256
f384b717a2f81de8e03ae8fa1ecf908a5ed4c16a9a65a26279f912c98eb3da72

SHA512
ac6ed497dd191c778f2b4b83e049a0f3844843fa03bab5f7fb967f6d4c06569e10cba80e1612d3347f28dd747b2a1540243b3ce6003cc3249aeec4bf227e1bfc

Download Submit
C:\Users\Admin\AppData\Roaming\DCE5.91B

Filesize
897B

MD5
03f6604b652ed108652dac8052972b17

SHA1
e933565a32581eee8e62f6c660be8fade378d9eb

SHA256
57260ff90ae30094e89c7ab7ad9bf41879b1b8ed0f5047057e6d886446fa82dc

SHA512
e1475fed785a82a1339738f03374e3668f3fd3f9a9e06e53105804b85ca6243b3932e8df0841b9492a21bb0d97e99ec16514a0877bc48f0711083c2ee8162144

Download Submit
C:\Users\Admin\AppData\Roaming\DCE5.91B

Filesize
1KB

MD5
74e75fe720f5bcac744a43dafd514762

SHA1
ec135fe8236b5f7906c3e75318205f98326428b9

SHA256
b061d06d12488c8f075973beb206ff1aaae40b4bc13ef59c9ae296bcbd33ba52

SHA512
26b4fee84da4f40a8ba63b1bfcaadaa60c889cba308436986ddcf6d2e8777cd447b265c87223214458a11c9be9ab8795ac3ed23a9b554cd3af00476470c18176

Download Submit
memory/1196-89-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1196-88-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1440-10-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1440-9-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1440-7-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2084-21-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2084-86-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2084-1-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2084-2-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2084-155-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2084-190-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads