cycbot | 1cf16901d4b1c5771c9106bb40ff5363fac71e04bf953b6dbd318c99549f763b

General

Target

JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe
Size

194KB
MD5

acd48f9e8580371de9bd5c4f766abcd6
SHA1

f7fe934fc644c7d7476bbde7aed3589ac1d36e63
SHA256

1cf16901d4b1c5771c9106bb40ff5363fac71e04bf953b6dbd318c99549f763b
SHA512

d4f741c6ca217da107a23c10dcfb7dee3af592f255dba55ae800018682e64fcde7cdf1376f45963f7d7de7b4db4db26ca54e309d64f00c3756624cd7e41e6059
SSDEEP

6144:Twz8li9ir/ur/qodUb2YY0aSYK+QG3GZx/v:TSUrmrCodunYON+QOGTv

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 8 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2708-116-0x0000000000400000-0x000000000049D000-memory.dmp	family_cycbot
behavioral2/memory/3636-165-0x0000000000400000-0x000000000049D000-memory.dmp	family_cycbot
behavioral2/memory/3636-166-0x0000000000400000-0x000000000049A000-memory.dmp	family_cycbot
behavioral2/memory/3080-278-0x0000000000400000-0x000000000049D000-memory.dmp	family_cycbot
behavioral2/memory/3636-279-0x0000000000400000-0x000000000049D000-memory.dmp	family_cycbot
behavioral2/memory/3636-434-0x0000000000400000-0x000000000049D000-memory.dmp	family_cycbot
behavioral2/memory/3636-445-0x0000000000400000-0x000000000049D000-memory.dmp	family_cycbot
behavioral2/memory/3636-447-0x0000000000400000-0x000000000049D000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\903F0\\B38F9.exe"	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3636-2-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral2/memory/2708-114-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral2/memory/2708-116-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral2/memory/3636-165-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral2/memory/3636-166-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral2/memory/3080-278-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral2/memory/3636-279-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral2/memory/3636-434-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral2/memory/3636-445-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral2/memory/3636-447-0x0000000000400000-0x000000000049D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ForegroundLockTimeout = "52687172"	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ForegroundLockTimeout = "0"	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe

Modifies Internet Explorer Automatic Crash Recovery 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AutoRecover = "2"	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AutoRecover = "2"	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156665"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 001d5d12b969db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004f9d33a67f15e44283e043cbe2ec2aa700000000020000000000106600000001000020000000dba508cf3cc422db78bd0f8fda6ae437c13c3858ba58b059eeb8911586d9e669000000000e80000000020000200000006fba7180ca256bc35666196fb95434ce7e29a8434b011c7541f59e914ca44286200000007cee793027301c746730270ba9ed07cf656245dfd2c61c5a30972f0db7d55a5540000000082aac08a181446e112e9281c9978d4c278833ce442db1b2939e8d525cb4dd9317cb3502e2abf064ae7008e0b75646dfc179e6b05fdc6aa9daa4845a9269c396	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "444815938"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{461C32B6-D5AC-11EF-B9D5-5EA348B38F9D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "about:blank"	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4764	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4764	iexplore.exe
4764	iexplore.exe
4456	IEXPLORE.EXE
4456	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 2708	3636	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe	82
PID 3636 wrote to memory of 2708	3636	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe	82
PID 3636 wrote to memory of 2708	3636	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe	82
PID 4764 wrote to memory of 4456	4764	iexplore.exe	85
PID 4764 wrote to memory of 4456	4764	iexplore.exe	85
PID 4764 wrote to memory of 4456	4764	iexplore.exe	85
PID 3636 wrote to memory of 3080	3636	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe	89
PID 3636 wrote to memory of 3080	3636	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe	89
PID 3636 wrote to memory of 3080	3636	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer Automatic Crash Recovery
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe startC:\Program Files (x86)\LP\F9D9\348.exe%C:\Program Files (x86)\LP\F9D9
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2708
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe startC:\Program Files (x86)\F0647\lvvm.exe%C:\Program Files (x86)\F0647
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3080

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2676

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4764 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

6

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\903F0\0647.03F

Filesize
600B

MD5
05c41b6eba7e53a36a06139e67b92e91

SHA1
a663c27dc9c9ca33f9c8fb2b9059fe0c97ae9556

SHA256
19d3be5283a0d35745f59fc9d6e0f21ee48b1c942829291885c68bc7b6865fb6

SHA512
4b1c2d1027c05fdbec0b880d5a039d68353569f6a2d707d16a6c65c096263ae3d24a7aaab5418019a10ca7e3e544a18950ebb29b2d58c6b1eefbb6b1f010c4fd

Download Submit
C:\Users\Admin\AppData\Roaming\903F0\0647.03F

Filesize
996B

MD5
383b8c5acc9d8ab49f9ebbe2aec8e846

SHA1
7d3a4e635cf224ac76a5cc61df561469bfdd28a1

SHA256
61394e6df7553cfa86f0e3c5e2121f7ec255526c93ec7e197eb340e852cb7b79

SHA512
18757ea6ddd785e9e615351d45b5026ab348431d32b979e348a1463a4f13c214d57eea3d426ae642506a7de6699edfcda0cc23fb57cdb8cc332ba6b9e7dd5b14

Download Submit
C:\Users\Admin\AppData\Roaming\903F0\0647.03F

Filesize
1KB

MD5
8bd5df4ca4e7cf42ab0afe8c7fd885bd

SHA1
d5c193b5dbefc85bb61b748f1338304aa06699ee

SHA256
9dcfadb6e80cbfe8c51a78a9f2d09914baaeb352deac99e2706d75f46cd6a1ee

SHA512
258a0a0babbc31d91e7e19fedd6099ef3424d4324101a8bcbe7af6e17f4eb894dba29e333c27d74171d7350c7dd53f2ac4411b5d266551d811ec9389c24a8243

Download Submit
C:\Users\Admin\AppData\Roaming\903F0\0647.03F

Filesize
300B

MD5
9075500c25fbc8297942e2e4fd9fdb6f

SHA1
42815de878c4d170e5381332a1ee2e1885e86d8b

SHA256
7b65f22edd280d3aeb0aa03fddcac980203a8529bf3a840db4c1cba3960a6a1a

SHA512
e74e3ea488d42fbfd49387f9af31da3cdd9002d00e8e372271652652e35f42a16c27043590f7edde6b5b99de19cfbc7269186f6c10843bc0b04583cefc018ffc

Download Submit
memory/2708-113-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2708-116-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2708-114-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3080-278-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3636-1-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3636-165-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3636-166-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3636-279-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3636-2-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3636-434-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3636-445-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3636-447-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads