cycbot | 4e8a25a81a35fd1db81abd379a3230301540fff1f7fb856199cb7be9a6733a75

General

Target

JaffaCakes118_a898e3fa3c2223f50db5d5e8188cfcac.exe
Size

190KB
MD5

a898e3fa3c2223f50db5d5e8188cfcac
SHA1

eda122796fd556240473fa4ea04e64242700664e
SHA256

4e8a25a81a35fd1db81abd379a3230301540fff1f7fb856199cb7be9a6733a75
SHA512

426c7ec7aa23f50a5670cb8b4fcd79b4bf63c8cd7a4e8ce105bfea67367834dd70f66f117085ad389e72dd0019db5099685e0e91ada4a4a8d2ea8944be32d09c
SSDEEP

3072:NRRbG0T2diTHlFzfVybKDT1wfbh2R/OQmcFSn8zfgYe4GBsdhVPrD4NcpSLk+GpI:NR/BDlFzvqNo2PcF7etsdhRHhkGSAC

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2044-7-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2012-14-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/1948-82-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/1948-81-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2012-83-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2012-174-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2012-213-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_a898e3fa3c2223f50db5d5e8188cfcac.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2012-2-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2044-5-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2044-7-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2012-14-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2044-73-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1948-82-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1948-81-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2012-83-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2012-174-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2012-213-0x0000000000400000-0x000000000048A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a898e3fa3c2223f50db5d5e8188cfcac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a898e3fa3c2223f50db5d5e8188cfcac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a898e3fa3c2223f50db5d5e8188cfcac.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2044	2012	JaffaCakes118_a898e3fa3c2223f50db5d5e8188cfcac.exe	30
PID 2012 wrote to memory of 2044	2012	JaffaCakes118_a898e3fa3c2223f50db5d5e8188cfcac.exe	30
PID 2012 wrote to memory of 2044	2012	JaffaCakes118_a898e3fa3c2223f50db5d5e8188cfcac.exe	30
PID 2012 wrote to memory of 2044	2012	JaffaCakes118_a898e3fa3c2223f50db5d5e8188cfcac.exe	30
PID 2012 wrote to memory of 1948	2012	JaffaCakes118_a898e3fa3c2223f50db5d5e8188cfcac.exe	33
PID 2012 wrote to memory of 1948	2012	JaffaCakes118_a898e3fa3c2223f50db5d5e8188cfcac.exe	33
PID 2012 wrote to memory of 1948	2012	JaffaCakes118_a898e3fa3c2223f50db5d5e8188cfcac.exe	33
PID 2012 wrote to memory of 1948	2012	JaffaCakes118_a898e3fa3c2223f50db5d5e8188cfcac.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a898e3fa3c2223f50db5d5e8188cfcac.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a898e3fa3c2223f50db5d5e8188cfcac.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a898e3fa3c2223f50db5d5e8188cfcac.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a898e3fa3c2223f50db5d5e8188cfcac.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2044
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a898e3fa3c2223f50db5d5e8188cfcac.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a898e3fa3c2223f50db5d5e8188cfcac.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\684F.032

Filesize
1KB

MD5
0ebdb156bf6937b3ebff114fb50ab29a

SHA1
4eb4c52158242e641c8c7a353bf3d72acba4ca20

SHA256
4cdba37914952672762756471a67cfd85d6f339d9cddc9bc12884d7c9abede64

SHA512
b902c0e0bc0590159d1be1a5f6dc26e8ae9eaaf76b8abeb0ae0f73a2c05ce4d775bba6f7588582f56a86e810637030e4aa2c44cfbc2e2e4a26d43566eabc1503

Download Submit
C:\Users\Admin\AppData\Roaming\684F.032

Filesize
600B

MD5
8342c5bab85d313f8e26cf22d82fa00e

SHA1
2221917edc89c650c2bf1dee8d2f02e602ee64a1

SHA256
b93d780cf837bcad087c4fad4ca1058a2d25d31916ed8b5178b7bfff89431836

SHA512
9b0a98cceb59421800600a22cbe663e0568871631ac45a818b7a5696c8774c0ff0d9ab8021a767c971dc157a78aca807d9cec35c9942cbf1428dee75a8a0f3d8

Download Submit
C:\Users\Admin\AppData\Roaming\684F.032

Filesize
996B

MD5
d7f880a2cbffe63d10841fff566211df

SHA1
1101efe5ef6bc63cd8839ca5f93508fa93b9d673

SHA256
7a2722e700e632572333642d90a80480ec38cbc3a96cdd9a7c2faca2b1914197

SHA512
bca40fba9fc17b26229f61f4c76ee6e6d7642110ad8662c6bf4f9afa64058f45e21dd02443f6308e7ea098dd401cc6d4284448e4e1f1a41ede438472fed0296d

Download Submit
memory/1948-79-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1948-82-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1948-81-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2012-2-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2012-213-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2012-1-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2012-14-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2012-174-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2012-83-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2044-7-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2044-73-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2044-5-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads