cycbot | 4ee7cb952b7396e0fd01fc527a5dea022f317bb3cda345b35359ab30eecfd26d

General

Target

JaffaCakes118_a75ecec99eefedafc5495f08fd76d8e0.exe
Size

170KB
MD5

a75ecec99eefedafc5495f08fd76d8e0
SHA1

12b1691814aa74167b1c13347ea7da92cf3b025d
SHA256

4ee7cb952b7396e0fd01fc527a5dea022f317bb3cda345b35359ab30eecfd26d
SHA512

a25ddabde80299aaef256c60ae9038c4be5a7e0635ec8cb77f7a9ec5db63b019049f2ac566ee37d015262ad827b7945a22d3239931343b12973a634a5b4de065
SSDEEP

3072:LFwH8H+r2qNUAzXzilT9Wx5upQfsonYQElzeFVs2CdpzPLDcjeh2sNAuJA:LFwce7NUAz2lxu5upRxQy8+ddJLDkeh

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1872-10-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1632-21-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1632-87-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1396-91-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1632-190-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_a75ecec99eefedafc5495f08fd76d8e0.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1632-2-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1872-7-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1872-8-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1872-10-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1632-21-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1632-87-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1396-89-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1396-91-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1632-190-0x0000000000400000-0x000000000046A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a75ecec99eefedafc5495f08fd76d8e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a75ecec99eefedafc5495f08fd76d8e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a75ecec99eefedafc5495f08fd76d8e0.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1872	1632	JaffaCakes118_a75ecec99eefedafc5495f08fd76d8e0.exe	30
PID 1632 wrote to memory of 1872	1632	JaffaCakes118_a75ecec99eefedafc5495f08fd76d8e0.exe	30
PID 1632 wrote to memory of 1872	1632	JaffaCakes118_a75ecec99eefedafc5495f08fd76d8e0.exe	30
PID 1632 wrote to memory of 1872	1632	JaffaCakes118_a75ecec99eefedafc5495f08fd76d8e0.exe	30
PID 1632 wrote to memory of 1396	1632	JaffaCakes118_a75ecec99eefedafc5495f08fd76d8e0.exe	33
PID 1632 wrote to memory of 1396	1632	JaffaCakes118_a75ecec99eefedafc5495f08fd76d8e0.exe	33
PID 1632 wrote to memory of 1396	1632	JaffaCakes118_a75ecec99eefedafc5495f08fd76d8e0.exe	33
PID 1632 wrote to memory of 1396	1632	JaffaCakes118_a75ecec99eefedafc5495f08fd76d8e0.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a75ecec99eefedafc5495f08fd76d8e0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a75ecec99eefedafc5495f08fd76d8e0.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a75ecec99eefedafc5495f08fd76d8e0.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a75ecec99eefedafc5495f08fd76d8e0.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1872
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a75ecec99eefedafc5495f08fd76d8e0.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a75ecec99eefedafc5495f08fd76d8e0.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F98B.7A2

Filesize
597B

MD5
9523133fff88bfe7cd2a24b84a9f83b1

SHA1
8e1d2dc984c14aba1b6e49f7c8e071c04f2c63f1

SHA256
002011ca9cbef537c675c54835cf2068f37db99b4b8e96312b9c2cf97d5377d1

SHA512
8c18553b08ff45a8ac53945d6020ffb9d048df6a6cdc753945ae42acd55657d3803c357bd23ca8a290d29169c85d8d5ee11f01ebd2835664d210aed5f84b2645

Download Submit
C:\Users\Admin\AppData\Roaming\F98B.7A2

Filesize
1KB

MD5
5dcf222fb832fb1e7f9b24c178a5e1bc

SHA1
4d4cd4e6fa69b02f2b18d7dfc0e3d36d562f3e37

SHA256
dbf3a8ffc10f1dbaa61d695c69f9536341efbd3a3ce8f0e806362c1134ea5360

SHA512
ffc74fda9a73db4ae4c99c06d100bb88cb48b79036e20e21997a4cb78175d0d5b9724af860f5b9f27e71f7a13464f8e7d608e110c64d4e66b289f70cbb4b6bc6

Download Submit
C:\Users\Admin\AppData\Roaming\F98B.7A2

Filesize
897B

MD5
92b8bc55c7327383e8349d21443ed96e

SHA1
7fb42fc776ada84891f6157925a0ece9af66b865

SHA256
cc520a87a6eb62beb3a84b02560d63b508be1ddf9ae3e71d01e8a0e1db44da11

SHA512
842bbb19d70dc77cc7cfdfbf68648e932d5f46c34c137359b8f904cc634e91f98bef64bcb19fb0a7cdf3f8067dccc65020662ba6a0d716f0cd1ee34bf7f0310a

Download Submit
C:\Users\Admin\AppData\Roaming\F98B.7A2

Filesize
1KB

MD5
61d8cc1a2c488ece3c6275d2f8ab328e

SHA1
590c8625e6f4d55a296b2afad4245775db911db5

SHA256
bb39b615b1c4a5a4cf95e9668c2d7bfcb0136e7258fc8c16423d284f76d9464c

SHA512
17cce7f1ee30300652fa06cf7101e1ddc038fbca50750c9a5943e64957f480ec03af324929bd843911ac8255f201e5cdfa2325c070e00d5395d5f3ae40446529

Download Submit
memory/1396-91-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1396-89-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1632-21-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1632-1-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1632-87-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1632-2-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1632-190-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1872-10-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1872-8-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1872-7-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads