cycbot | 2d58034aa7885c956b4d460b59979ecb74e0e4b3f4690b8b2dbb5dfa5c855293

General

Target

JaffaCakes118_b6d64cb1447b5c2c221bf6aa3cb61d24.exe
Size

165KB
MD5

b6d64cb1447b5c2c221bf6aa3cb61d24
SHA1

5658f8596baa65cfc2dff4a942e3b3928f09ee00
SHA256

2d58034aa7885c956b4d460b59979ecb74e0e4b3f4690b8b2dbb5dfa5c855293
SHA512

0cc1939441e298aae4f4bd2daa2c992223e2d69a7889304c7dc3fb81423826917b5e01a759034bb337c11ef94ceb2fab1ec543acf4405cc0f0c53ad5bfbb170f
SSDEEP

3072:rDSbSLmyts3JgpAOV2E/RhNpgULX8LHodser6D8g8tFlr7pJa8ihWIpRq5M:nkSLmytGJ+VX/lpgUILIdX6P8J5Ja8I1

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2176-17-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/300-18-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2384-132-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/300-133-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/300-283-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\12AAB\\B0E53.exe"	JaffaCakes118_b6d64cb1447b5c2c221bf6aa3cb61d24.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2176-17-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/300-18-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2384-132-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/300-133-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/300-283-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b6d64cb1447b5c2c221bf6aa3cb61d24.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b6d64cb1447b5c2c221bf6aa3cb61d24.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b6d64cb1447b5c2c221bf6aa3cb61d24.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 300 wrote to memory of 2176	300	JaffaCakes118_b6d64cb1447b5c2c221bf6aa3cb61d24.exe	31
PID 300 wrote to memory of 2176	300	JaffaCakes118_b6d64cb1447b5c2c221bf6aa3cb61d24.exe	31
PID 300 wrote to memory of 2176	300	JaffaCakes118_b6d64cb1447b5c2c221bf6aa3cb61d24.exe	31
PID 300 wrote to memory of 2176	300	JaffaCakes118_b6d64cb1447b5c2c221bf6aa3cb61d24.exe	31
PID 300 wrote to memory of 2384	300	JaffaCakes118_b6d64cb1447b5c2c221bf6aa3cb61d24.exe	33
PID 300 wrote to memory of 2384	300	JaffaCakes118_b6d64cb1447b5c2c221bf6aa3cb61d24.exe	33
PID 300 wrote to memory of 2384	300	JaffaCakes118_b6d64cb1447b5c2c221bf6aa3cb61d24.exe	33
PID 300 wrote to memory of 2384	300	JaffaCakes118_b6d64cb1447b5c2c221bf6aa3cb61d24.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b6d64cb1447b5c2c221bf6aa3cb61d24.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b6d64cb1447b5c2c221bf6aa3cb61d24.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:300
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b6d64cb1447b5c2c221bf6aa3cb61d24.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b6d64cb1447b5c2c221bf6aa3cb61d24.exe startC:\Program Files (x86)\LP\5361\A95.exe%C:\Program Files (x86)\LP\5361
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2176
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b6d64cb1447b5c2c221bf6aa3cb61d24.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b6d64cb1447b5c2c221bf6aa3cb61d24.exe startC:\Program Files (x86)\AB7CC\lvvm.exe%C:\Program Files (x86)\AB7CC
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\12AAB\B7CC.2AA

Filesize
1KB

MD5
ba2a2934b0ae359e103af4760cb423bd

SHA1
3c4b6bde0e38f5182fcf718f01903f79122be7a4

SHA256
39d7fc6d3a345fb49840960cb90d4992103ca52ac1ee85c9f419e2fde45037e3

SHA512
3a562e2a30db679108f76fdab75ba018811b967085a7fdf4ecdb88cadf943f2132fd3ae049f1c45acd454b9567f79b506116476eb544c18532d033e2e7148d99

Download Submit
C:\Users\Admin\AppData\Roaming\12AAB\B7CC.2AA

Filesize
897B

MD5
d3f443a25418c1672fdf559e47c4ce39

SHA1
23cc70f2b907007c6a5a0700d3087ea8bb5f7085

SHA256
f53ec70bd74486b917162c42803397ec3ad29261b985887580d87aaa1eeae21f

SHA512
71f923f395aa11f272d1bf8f181658528994d0a54d255fd98dc8003a968d0d5f09f369bb06d7aa761c7f1bea14401d733b12ed4b5d157dd8986eabf5e58e953a

Download Submit
C:\Users\Admin\AppData\Roaming\12AAB\B7CC.2AA

Filesize
1KB

MD5
e83463ef517b34e1bac7eac60fa1047a

SHA1
aeb218f4b53dca117e2d6d0fe3e4c163e41afc65

SHA256
cd5b85c590cd54f0116c0243b5dd3c272baf8409919a22d1a1feb3effff563e7

SHA512
913941853b5f468b1304aebb319a427f4be380cdc69e6b4cd5dc1317ba32d7adc6a2c72a9b7ba09b029c40b44a276c1350a2ec99b25aaec71492d608ca292f03

Download Submit
C:\Users\Admin\AppData\Roaming\12AAB\B7CC.2AA

Filesize
597B

MD5
9f5401d2a1ecfd2cb12e9a0ba99bda03

SHA1
9067e9996d70f28fa3d4a5967ea899fe96de82b7

SHA256
8ef436f47b57a4027aecc9e8b9130caba9c76d97badae25e340f7b1cbceeca36

SHA512
ce2b02fa0401703ddf4ab7f5132a32cf9669588333d9960f26b2a1c945ab5705a55c909980c330da24f650e220b61098a045f97e6b1d76c299f4b9585171580d

Download Submit
memory/300-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/300-18-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/300-133-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/300-283-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2176-17-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2384-132-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads