cycbot | 21674e0f4de558ce837cd05c8975665fbc06e2c5e725747730ae7e7dd23768f4

General

Target

JaffaCakes118_b76adc037fb8ca13d301f546b360662a.exe
Size

178KB
MD5

b76adc037fb8ca13d301f546b360662a
SHA1

ccdb54ed0c83dc9a22247a8e66af007ec841e8ca
SHA256

21674e0f4de558ce837cd05c8975665fbc06e2c5e725747730ae7e7dd23768f4
SHA512

6ab2c86ecd6a74a52addabcbefa915adb1e07e4fe6e25c99f77e7da2877c5972717ba786b3008cb2536adac33fedd72e95345cc51bc82605adf28782129e3dc6
SSDEEP

3072:Tnluj8N5fVY9+2W1qvGTYk6/YbbQ9RVBzEER/WKtKknrtawk/Y5ouErEhjueO:TnltPtY9SYk6/Y/IVEEwKMURawk/Y5of

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2340-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/1680-16-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/1680-17-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/2948-123-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/1680-124-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/1680-290-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\5A2A7\\6041A.exe"	JaffaCakes118_b76adc037fb8ca13d301f546b360662a.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1680-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2340-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2340-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1680-16-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1680-17-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2948-123-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2948-122-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1680-124-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1680-290-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b76adc037fb8ca13d301f546b360662a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b76adc037fb8ca13d301f546b360662a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b76adc037fb8ca13d301f546b360662a.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2340	1680	JaffaCakes118_b76adc037fb8ca13d301f546b360662a.exe	30
PID 1680 wrote to memory of 2340	1680	JaffaCakes118_b76adc037fb8ca13d301f546b360662a.exe	30
PID 1680 wrote to memory of 2340	1680	JaffaCakes118_b76adc037fb8ca13d301f546b360662a.exe	30
PID 1680 wrote to memory of 2340	1680	JaffaCakes118_b76adc037fb8ca13d301f546b360662a.exe	30
PID 1680 wrote to memory of 2948	1680	JaffaCakes118_b76adc037fb8ca13d301f546b360662a.exe	33
PID 1680 wrote to memory of 2948	1680	JaffaCakes118_b76adc037fb8ca13d301f546b360662a.exe	33
PID 1680 wrote to memory of 2948	1680	JaffaCakes118_b76adc037fb8ca13d301f546b360662a.exe	33
PID 1680 wrote to memory of 2948	1680	JaffaCakes118_b76adc037fb8ca13d301f546b360662a.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b76adc037fb8ca13d301f546b360662a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b76adc037fb8ca13d301f546b360662a.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b76adc037fb8ca13d301f546b360662a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b76adc037fb8ca13d301f546b360662a.exe startC:\Program Files (x86)\LP\1A95\AC3.exe%C:\Program Files (x86)\LP\1A95
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2340
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b76adc037fb8ca13d301f546b360662a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b76adc037fb8ca13d301f546b360662a.exe startC:\Program Files (x86)\A730C\lvvm.exe%C:\Program Files (x86)\A730C
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5A2A7\730C.A2A

Filesize
996B

MD5
d81848e04c3630b979e7eba2c0a603a3

SHA1
4ebc126a55bfcb92f8f2a5910d284f81aeb9074e

SHA256
64ba47f0a01362b71af95af59fa29a77c330ac3536e65cc3fd4bd362acf2d410

SHA512
3a120cc7e143f2ec8b7ae57dd20636713c76d4570f3e964f18267bd9ee9ad7a7d6492bef4e9910101d439a3c4e2b9857843bc22e6e589c3ffa937173faf0512a

Download Submit
C:\Users\Admin\AppData\Roaming\5A2A7\730C.A2A

Filesize
600B

MD5
f086a57c7b8d2d2d79b0604e3a347d6d

SHA1
7422bc702db5eaa4831d58dcff6bb850a330c015

SHA256
a190e2809e276f16e4037327fa002aff6f9502f6df2ff4d25976f482ff55928e

SHA512
fee5b17c48175ea41d12db1fd84b92cf594392680a87e49ac06ea1d19a46b888cfa6e48224c53226c2a281a3746af4463ff93fc661945d2482458da5669bfab7

Download Submit
C:\Users\Admin\AppData\Roaming\5A2A7\730C.A2A

Filesize
1KB

MD5
a984532d3c705eff38bc03dfdb2d5cd6

SHA1
e4e6e1c2b19f14a59f04204e90e6b6e2ce783502

SHA256
7db6c4d61814e234ab79a19175d631992fbe18357e370744b70db9b4185f8100

SHA512
573239e51f7514652978a32317ccaa88b99e204781d638f28a65cbec11b2a1ddaf1a877c9181011e7ed4d7cf060c929b021124ad20a13e187f69fcaa18c46656

Download Submit
memory/1680-124-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1680-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1680-290-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1680-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1680-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1680-17-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2340-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2340-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2340-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2948-122-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2948-123-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads