cycbot | 1d2eb7fcf146e5a44450a0bcabd9d236cab78e3f68b4d835447ccc3d492a9b2d

General

Target

JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe
Size

173KB
MD5

975e4eb479cee6e64db95f92ba16b09f
SHA1

454ed006f79e3fcd5c7cbc6990804f577e21f770
SHA256

1d2eb7fcf146e5a44450a0bcabd9d236cab78e3f68b4d835447ccc3d492a9b2d
SHA512

b4c3e0fe8cd2411e0b158bb99933bf1028fceabbde38de1008f9a4fc9534e441ce160bf2081b64f3901b6038ca53974d2358d431373c7b3406ec58b90cdeae1b
SSDEEP

3072:mWaxnaAF8CFG+a8oaLbkTukdxNPvuOffLL9NAt412s0gWzCEwSX7fXyr:/axaU4+aHTuqvuOffLhNAS2s0dCE/LfK

Score

10^/10

cycbot backdoor discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2880-15-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/2848-16-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2848-17-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/2172-84-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/2848-85-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/2848-164-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/2848-202-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AC3.exe = "C:\\Program Files (x86)\\LP\\1A98\\AC3.exe"	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2848-2-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2880-13-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2880-15-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2848-16-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2848-17-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2172-82-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2172-84-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2848-85-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2848-164-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2848-202-0x0000000000400000-0x0000000000452000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\1A98\AC3.exe	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe
File opened for modification	C:\Program Files (x86)\LP\1A98\DA29.tmp	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe
File opened for modification	C:\Program Files (x86)\LP\1A98\AC3.exe	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2848	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe
2848	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe
2848	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe
2848	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe
2848	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe
2848	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe
2848	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe
2848	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe
2848	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe
2848	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe
2848	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe
2848	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe
2848	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe
2848	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2564	explorer.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeRestorePrivilege	2236	msiexec.exe
Token: SeTakeOwnershipPrivilege	2236	msiexec.exe
Token: SeSecurityPrivilege	2236	msiexec.exe
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	2564	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2880	2848	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe	31
PID 2848 wrote to memory of 2880	2848	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe	31
PID 2848 wrote to memory of 2880	2848	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe	31
PID 2848 wrote to memory of 2880	2848	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe	31
PID 2848 wrote to memory of 2172	2848	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe	33
PID 2848 wrote to memory of 2172	2848	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe	33
PID 2848 wrote to memory of 2172	2848	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe	33
PID 2848 wrote to memory of 2172	2848	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe	33

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe"
1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2848
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe startC:\Users\Admin\AppData\Roaming\85477\6041A.exe%C:\Users\Admin\AppData\Roaming\85477
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2880
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_975e4eb479cee6e64db95f92ba16b09f.exe startC:\Program Files (x86)\7738A\lvvm.exe%C:\Program Files (x86)\7738A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2172

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

4

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\85477\738A.547

Filesize
1KB

MD5
35a89f51ea778b1fc7c781f50b38b265

SHA1
86984eaef75fc6abef396e16ce769c594382759d

SHA256
2f5889d3063fc25b557387a351d899940acd32d294b2a558a3a3ad186aeb31dd

SHA512
af6dcffc2f62aa1f42e9e5a25ab08c1b1edba8116afee21fe553adf40547d0918c3a330c6c89c1e1a64dea19c76015252b773fb73fdef1b4ab0ff07bee54f871

Download Submit
C:\Users\Admin\AppData\Roaming\85477\738A.547

Filesize
1KB

MD5
8dea00ce3eff9eed0275642832ac77be

SHA1
05f8ed294ec8039d1cfa0bcba7b2803f9516e905

SHA256
f23b62ce399fb4ce55bca58f2ab78a4ce5e99e5c1ef655923851fb835e6ed28e

SHA512
849931624364b7e9952281d72e0696c6305e3b75fc030d6c1e5ddeba04273d11df1c3cd1d4ff6ebf9bcb97c47ce0cb400243f9590666b0969245a7d0088295a0

Download Submit
C:\Users\Admin\AppData\Roaming\85477\738A.547

Filesize
600B

MD5
84f21424366281ffdd6815d74bd5dc07

SHA1
3c544f0f9e8d323816e0ec1c4e885daf2fe79da4

SHA256
e1ab9a1c04dfb7cf0c57f3988770d171276d2ee1a527fbb085ff997c1d92400d

SHA512
56dd9fb8c9b6e7fce8d0bd959ef437e7830a122d0a09c53eb84b410312aee4dd53e7e95253a3ec6b51b165b1df6590afa2851a51d71a7585f7998054ef32ed30

Download Submit
C:\Users\Admin\AppData\Roaming\85477\738A.547

Filesize
996B

MD5
d0f12e3e63cb37c78119637feb40ac0c

SHA1
e0e4e645cb9a5e60cd16e57c7865b3c6f3ff5d9d

SHA256
a8cf1d341d78ceeb911703b99dd70345d17514b9062d0eced824bacf3885a3eb

SHA512
6a8745d89778878f5b659ee4843185f1913ac5a5ee017d782153f42e67e8471249b2528b4dae7ce232a528ebe79ab1f154e0324fdbeb432525019bad7e31ccd7

Download Submit
memory/2172-82-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2172-84-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2848-16-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2848-17-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2848-1-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2848-85-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2848-164-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2848-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2848-202-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2880-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2880-13-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2880-12-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads