cycbot | 19049d1449268f54ba0b168b2a34bf85e42ec9f348cca8c7f68d4ffae5c036d5

General

Target

JaffaCakes118_94f779ece253d16527cfe0c19b38da44.exe
Size

169KB
MD5

94f779ece253d16527cfe0c19b38da44
SHA1

37ac208a182607742bd30fd1928c6850dcbadd46
SHA256

19049d1449268f54ba0b168b2a34bf85e42ec9f348cca8c7f68d4ffae5c036d5
SHA512

e9c20ff322e38a8546fc9552c4fe494c8efea85e66f1038b70382050304beed28f94aad9eb29041170978d7bc262ed26d5374763a4b4f76b73474419f677de5c
SSDEEP

3072:zvb3LmAF9cNgIDhvLGtzBxx2u0mqBI1WGVovBzJ9MrkZMaC:3Ug6vLGPurzBI4tpF9Mv9

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2800-14-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2632-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2632-16-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/2800-74-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2828-79-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2632-80-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2632-176-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\2A559\\AC432.exe"	JaffaCakes118_94f779ece253d16527cfe0c19b38da44.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2632-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2800-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2632-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2632-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2800-74-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2828-77-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2828-79-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2632-80-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2632-176-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_94f779ece253d16527cfe0c19b38da44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_94f779ece253d16527cfe0c19b38da44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_94f779ece253d16527cfe0c19b38da44.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2800	2632	JaffaCakes118_94f779ece253d16527cfe0c19b38da44.exe	30
PID 2632 wrote to memory of 2800	2632	JaffaCakes118_94f779ece253d16527cfe0c19b38da44.exe	30
PID 2632 wrote to memory of 2800	2632	JaffaCakes118_94f779ece253d16527cfe0c19b38da44.exe	30
PID 2632 wrote to memory of 2800	2632	JaffaCakes118_94f779ece253d16527cfe0c19b38da44.exe	30
PID 2632 wrote to memory of 2828	2632	JaffaCakes118_94f779ece253d16527cfe0c19b38da44.exe	32
PID 2632 wrote to memory of 2828	2632	JaffaCakes118_94f779ece253d16527cfe0c19b38da44.exe	32
PID 2632 wrote to memory of 2828	2632	JaffaCakes118_94f779ece253d16527cfe0c19b38da44.exe	32
PID 2632 wrote to memory of 2828	2632	JaffaCakes118_94f779ece253d16527cfe0c19b38da44.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94f779ece253d16527cfe0c19b38da44.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94f779ece253d16527cfe0c19b38da44.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94f779ece253d16527cfe0c19b38da44.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94f779ece253d16527cfe0c19b38da44.exe startC:\Program Files (x86)\LP\32F2\5C6.exe%C:\Program Files (x86)\LP\32F2
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2800
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94f779ece253d16527cfe0c19b38da44.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94f779ece253d16527cfe0c19b38da44.exe startC:\Program Files (x86)\595AE\lvvm.exe%C:\Program Files (x86)\595AE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2A559\95AE.A55

Filesize
1KB

MD5
3b7d342567ac5ee3db0a2c68dbc4dc36

SHA1
7459c93f514f5e797d8aa3e0762b6bc5727bf84d

SHA256
ac9d6be9cabad0482d83978b3b490402660d31209624d5a08d439ab2415313a5

SHA512
5024e7ac39a6bb0dea9237dc4460a35c0edd3f106529f4c0631c626788827eae8928443060651bdc5f03179caf152531333f4963a1f331cf8d71c721c7e78ee0

Download Submit
C:\Users\Admin\AppData\Roaming\2A559\95AE.A55

Filesize
600B

MD5
422f3716c8b3dad17c5e31ac249faed9

SHA1
959b447b226929ea8e0c452512bfd824d131e0d2

SHA256
d0107b466e4e848b1cb26175b032bc239d35bb17aa4a9dffb1f1f4ee2f38cf1e

SHA512
ce12ffd0a7907a0e026e49e5409669b6189a3646ccb931cb8c3e43cfd699e2de89da4857d036d27c12f040740223a15d66844a873a7cf446a230ce8af5f2abaf

Download Submit
C:\Users\Admin\AppData\Roaming\2A559\95AE.A55

Filesize
996B

MD5
07e3147f966b32dbcb2ed5e726336d31

SHA1
0f936a1659d4694f78fa07657e7aa39f3da210cb

SHA256
355c54777785a5551a65f7d383aaf402930c776a307878b654d0d007674dba93

SHA512
1d63b561f8f02a9491ac6c3a04fff8fae2d6be991fae61d5578127019ea33905609231a57393ce3881aa3740b5923be673b4ed5d0f1153ef4fd18f004a87d4ec

Download Submit
memory/2632-80-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2632-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2632-176-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2632-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2632-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2632-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2800-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2800-74-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2800-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2828-79-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2828-77-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2828-76-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads