cycbot | 21c1f4911cfda2b312d548a050dc4270cb9e764115746eacfa2e3d8f87daea09

General

Target

JaffaCakes118_b5e0270d0b80dbfa5576d55e1d762c08.exe
Size

165KB
MD5

b5e0270d0b80dbfa5576d55e1d762c08
SHA1

1477b9677e5b2f4a8f786dc3968e87c51ab3d141
SHA256

21c1f4911cfda2b312d548a050dc4270cb9e764115746eacfa2e3d8f87daea09
SHA512

6d20a9278fb1a1276ab30debaf7282ed627fed461666797a6c66e9452a5f289ce3ad9d002dd195da889ccf626194b02a0eaaaa8f3f7d87d873c97af52997645f
SSDEEP

3072:Hiw0IZJ1/pFFPySAip8OfKAYwcOeZ1It+cz4dT/BazCjklBwIIyM:HKIr1hFFPbpRKEcLm+cz4YCglU

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2856-21-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2192-22-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/2192-23-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/1800-135-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2192-136-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2192-322-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\EF340\\EC9AF.exe"	JaffaCakes118_b5e0270d0b80dbfa5576d55e1d762c08.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2192-3-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2856-20-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2856-19-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2856-21-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2192-22-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2192-23-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1800-135-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1800-134-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2192-136-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2192-322-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b5e0270d0b80dbfa5576d55e1d762c08.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b5e0270d0b80dbfa5576d55e1d762c08.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b5e0270d0b80dbfa5576d55e1d762c08.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2856	2192	JaffaCakes118_b5e0270d0b80dbfa5576d55e1d762c08.exe	28
PID 2192 wrote to memory of 2856	2192	JaffaCakes118_b5e0270d0b80dbfa5576d55e1d762c08.exe	28
PID 2192 wrote to memory of 2856	2192	JaffaCakes118_b5e0270d0b80dbfa5576d55e1d762c08.exe	28
PID 2192 wrote to memory of 2856	2192	JaffaCakes118_b5e0270d0b80dbfa5576d55e1d762c08.exe	28
PID 2192 wrote to memory of 1800	2192	JaffaCakes118_b5e0270d0b80dbfa5576d55e1d762c08.exe	30
PID 2192 wrote to memory of 1800	2192	JaffaCakes118_b5e0270d0b80dbfa5576d55e1d762c08.exe	30
PID 2192 wrote to memory of 1800	2192	JaffaCakes118_b5e0270d0b80dbfa5576d55e1d762c08.exe	30
PID 2192 wrote to memory of 1800	2192	JaffaCakes118_b5e0270d0b80dbfa5576d55e1d762c08.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b5e0270d0b80dbfa5576d55e1d762c08.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b5e0270d0b80dbfa5576d55e1d762c08.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b5e0270d0b80dbfa5576d55e1d762c08.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b5e0270d0b80dbfa5576d55e1d762c08.exe startC:\Program Files (x86)\LP\AF0E\82B.exe%C:\Program Files (x86)\LP\AF0E
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2856
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b5e0270d0b80dbfa5576d55e1d762c08.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b5e0270d0b80dbfa5576d55e1d762c08.exe startC:\Program Files (x86)\402A1\lvvm.exe%C:\Program Files (x86)\402A1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\EF340\02A1.F34

Filesize
597B

MD5
064645ee32a954c4eaabef62c1bc2cb3

SHA1
18989a6d21942c06986e0dd9657a995a2c0a7509

SHA256
9e1873799571904c6bc7af99f880f5670260edb348cd6b310079493720d8e786

SHA512
e10f85bc7424f4ea49125abd7f36856ff8715f4276e978ea9542caa4aadcefe6720b986d7757910872d02d6e4223b98c23db20ad281659404936643a1400e3dc

Download Submit
C:\Users\Admin\AppData\Roaming\EF340\02A1.F34

Filesize
1KB

MD5
d115c2e15a6d2b7f0c791819b31ecdf2

SHA1
e1bd52670b4faab65d80e3210d27788c07b88944

SHA256
f77d368e22f8fa937189ad4be8b1feee34abb6b87ab54a758a42637d6f49fe4e

SHA512
8a30b3f1eadbcbcf925cfc2d32927497ef24ce58a039d2fa527b38f5f388e71ce3abf3117f25bce096ad88db8b1daa35f80d04e6f5a82ca4919d5050bf0a65a7

Download Submit
C:\Users\Admin\AppData\Roaming\EF340\02A1.F34

Filesize
897B

MD5
341cde703b716ff77324b558987b88d3

SHA1
9123a6c8684609110944de48ce6596db824efc7e

SHA256
a90640a66988bbf3011dd17a50fa487d1a94dd4c0823a74a218a865e8a367844

SHA512
80017458845d5d21aa330f0dfed0e2d410c107a60fed669b717da2e90b44a45b283276b5acd800b0eb00912f9ad71d9649ab1408f56dd7c17aa6b56d9084a238

Download Submit
C:\Users\Admin\AppData\Roaming\EF340\02A1.F34

Filesize
1KB

MD5
8b47ad5c9ff8e2d3cf7b626b476b7bf7

SHA1
2698855f7554ab87829a4928a2e00cd004a5230a

SHA256
d070342e363ea918524c1bcc2a6dc342e83f056fa2e1a7dcdf1642a30c32a807

SHA512
8c2a8c032aab582b775dc2145ef56ade82bc6ac2c1661d9cb655b9b782c48119c23c31120ea6d1eae73cece1f1f2e2bc61f264558cd03c4a9c91a26605758149

Download Submit
memory/1800-134-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1800-135-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2192-136-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2192-22-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2192-23-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2192-0-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2192-3-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2192-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2192-322-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2856-21-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2856-19-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2856-20-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads