cycbot | 76fc724e365bddd20b08ddee0cf667bf386f2cb60d10921429a43154dbe8cfa8

General

Target

JaffaCakes118_a6a9e97f51fcaa07a1d082d789d703dc.exe
Size

179KB
MD5

a6a9e97f51fcaa07a1d082d789d703dc
SHA1

39f4db12da76ab3460f398b8e535a0e7ea473919
SHA256

76fc724e365bddd20b08ddee0cf667bf386f2cb60d10921429a43154dbe8cfa8
SHA512

a118194ba960d9ec16aea0d60445cd3a1fe16a1ac8e95a41067ef73d9c42a124d093b5f7286f4055a2cd4011061547cfd1484c86804c34e55da3becd92fa0c23
SSDEEP

3072:j4ZoAy2OXdAVi/yqP+9Yap5dzRE5QtRrzh2y/Gbr9Fkms9eX6:MittAVo7m93dz+QtRgkG2

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2688-8-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/2688-7-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/1972-16-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/1972-67-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/1192-71-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/1972-173-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_a6a9e97f51fcaa07a1d082d789d703dc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1972-2-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2688-5-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2688-8-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2688-7-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1972-16-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1972-67-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1192-71-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1192-70-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1972-173-0x0000000000400000-0x000000000046E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a6a9e97f51fcaa07a1d082d789d703dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a6a9e97f51fcaa07a1d082d789d703dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a6a9e97f51fcaa07a1d082d789d703dc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2688	1972	JaffaCakes118_a6a9e97f51fcaa07a1d082d789d703dc.exe	30
PID 1972 wrote to memory of 2688	1972	JaffaCakes118_a6a9e97f51fcaa07a1d082d789d703dc.exe	30
PID 1972 wrote to memory of 2688	1972	JaffaCakes118_a6a9e97f51fcaa07a1d082d789d703dc.exe	30
PID 1972 wrote to memory of 2688	1972	JaffaCakes118_a6a9e97f51fcaa07a1d082d789d703dc.exe	30
PID 1972 wrote to memory of 1192	1972	JaffaCakes118_a6a9e97f51fcaa07a1d082d789d703dc.exe	33
PID 1972 wrote to memory of 1192	1972	JaffaCakes118_a6a9e97f51fcaa07a1d082d789d703dc.exe	33
PID 1972 wrote to memory of 1192	1972	JaffaCakes118_a6a9e97f51fcaa07a1d082d789d703dc.exe	33
PID 1972 wrote to memory of 1192	1972	JaffaCakes118_a6a9e97f51fcaa07a1d082d789d703dc.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a6a9e97f51fcaa07a1d082d789d703dc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a6a9e97f51fcaa07a1d082d789d703dc.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a6a9e97f51fcaa07a1d082d789d703dc.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a6a9e97f51fcaa07a1d082d789d703dc.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2688
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a6a9e97f51fcaa07a1d082d789d703dc.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a6a9e97f51fcaa07a1d082d789d703dc.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4FCD.C44

Filesize
1KB

MD5
69f42b26bfeffcc8ba3298a98ae3ff34

SHA1
b8860a516add05dae047cdac13e74d3856e29e3c

SHA256
102e479ef92f60c16e4dfb4b7bab636826707a93a3aca43c51c6fa4d8a4affc7

SHA512
7d84c9019c3bb63e5931a37413f353daba003312ec9ea49d06443e43afa7653d008560d1353b608e2129de20bf5fab28bfdf13dd3b1380e1c10df6c370e69237

Download Submit
C:\Users\Admin\AppData\Roaming\4FCD.C44

Filesize
600B

MD5
15dc9f0f1bf4e4c8eb0576172217fe1f

SHA1
2002352f7b082e95d4c99e452fd131271b6ebf3d

SHA256
b39148b5dc325c6e5ddbec86407daf5c7ca05de96a8e15467bc76570cd31d9fd

SHA512
a5c0fb70926167a9d02e8fea8dc8e6ef6f36b3d48a54630dac9eaf6a8b58809bfdcadacce66052d5614181336d4f5739761c845d3825665885613ad10722de81

Download Submit
C:\Users\Admin\AppData\Roaming\4FCD.C44

Filesize
996B

MD5
00a2cd5377139eb32425e1c92cde5534

SHA1
31450b53b7f44f1730cbb1109407603264aea7d6

SHA256
e9004420cf13b6da39d8b18b67b5e59d7da91f0c460dbfba656aa45b8415d516

SHA512
3fa6e2b9cf3d9ec464df700293f9c75bc7b227c69bd8aedfd188b575cbb4fec8048f281d202fe8448ba89686bed75264bc9e20e076aa4521493819f199a607cd

Download Submit
memory/1192-70-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1192-71-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1972-16-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1972-67-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1972-1-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1972-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1972-173-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2688-7-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2688-8-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2688-5-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads