cycbot | a3b65e93c36bce079acc6bee3b8a17a86cf71e12b6dee5eea5c83995f2f67348

General

Target

JaffaCakes118_af1eb05955695b7ae48159ebfe7bedcf.exe
Size

185KB
MD5

af1eb05955695b7ae48159ebfe7bedcf
SHA1

1633c9285340104a15c263d3af421f1234588011
SHA256

a3b65e93c36bce079acc6bee3b8a17a86cf71e12b6dee5eea5c83995f2f67348
SHA512

3da8f8c4bbe833af36fa9b10304cef47eed146901c627b74e16f137e4cc2cf7b234b606ab33985414a2d452309305bdbda60b2e8a8d9a0e99d613f3b4e83563f
SSDEEP

3072:hy0arkKVRRdMp9q7kAtLs3C1BM56I4YAJmMwzhHhx58zorhVpc+2KIET+CIA9B:ja3HdMpA7koLWwBMH47WB30oFVpcAx+i

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2704-19-0x0000000000400000-0x000000000048C000-memory.dmp	family_cycbot
behavioral1/memory/1876-20-0x0000000000400000-0x000000000048C000-memory.dmp	family_cycbot
behavioral1/memory/1876-75-0x0000000000400000-0x000000000048C000-memory.dmp	family_cycbot
behavioral1/memory/2152-79-0x0000000000400000-0x000000000048C000-memory.dmp	family_cycbot
behavioral1/memory/2152-78-0x0000000000400000-0x000000000048C000-memory.dmp	family_cycbot
behavioral1/memory/1876-185-0x0000000000400000-0x000000000048C000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_af1eb05955695b7ae48159ebfe7bedcf.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1876-2-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2704-19-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2704-17-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/1876-20-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/1876-75-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2152-79-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2152-78-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/1876-185-0x0000000000400000-0x000000000048C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_af1eb05955695b7ae48159ebfe7bedcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_af1eb05955695b7ae48159ebfe7bedcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_af1eb05955695b7ae48159ebfe7bedcf.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 2704	1876	JaffaCakes118_af1eb05955695b7ae48159ebfe7bedcf.exe	30
PID 1876 wrote to memory of 2704	1876	JaffaCakes118_af1eb05955695b7ae48159ebfe7bedcf.exe	30
PID 1876 wrote to memory of 2704	1876	JaffaCakes118_af1eb05955695b7ae48159ebfe7bedcf.exe	30
PID 1876 wrote to memory of 2704	1876	JaffaCakes118_af1eb05955695b7ae48159ebfe7bedcf.exe	30
PID 1876 wrote to memory of 2152	1876	JaffaCakes118_af1eb05955695b7ae48159ebfe7bedcf.exe	32
PID 1876 wrote to memory of 2152	1876	JaffaCakes118_af1eb05955695b7ae48159ebfe7bedcf.exe	32
PID 1876 wrote to memory of 2152	1876	JaffaCakes118_af1eb05955695b7ae48159ebfe7bedcf.exe	32
PID 1876 wrote to memory of 2152	1876	JaffaCakes118_af1eb05955695b7ae48159ebfe7bedcf.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_af1eb05955695b7ae48159ebfe7bedcf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_af1eb05955695b7ae48159ebfe7bedcf.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_af1eb05955695b7ae48159ebfe7bedcf.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_af1eb05955695b7ae48159ebfe7bedcf.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_af1eb05955695b7ae48159ebfe7bedcf.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_af1eb05955695b7ae48159ebfe7bedcf.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FB8C.2F8

Filesize
1KB

MD5
0ec41700e31670b1a0bb85dc7b85e5a5

SHA1
1806670e4bc5e61e6e2cb2e2f0eeb36b0f501a77

SHA256
7c16ae08fcbba751a95cf7e83da786f933ecb93f70346fe66bb83c3a63be0fb7

SHA512
f745794ad0b7b8708fc43d53c866e8feb473c99be836c0067654a7847bb0977b5f0b0605df98691fa0d122fef5806ccdeb78541e339c53eb76e9d8efcdb4e0f4

Download Submit
C:\Users\Admin\AppData\Roaming\FB8C.2F8

Filesize
897B

MD5
59bcf717cd2914d3fa98c9bc546a60dc

SHA1
d6435e20a998445848bb360b7d3881fae5dcaec3

SHA256
d33d4e928a75eebdbbbffcb480b421753e41235e2971e4a4aa8cbe993a30b195

SHA512
be5a8cfa825547f6bbae3e77e70ee7ff9d3b93593718ebe4ca0d98867f661fe07cc74fde376cbe15aa8324b4c74308ee940b1cd6834efbd08fa8a6e6f598b13f

Download Submit
C:\Users\Admin\AppData\Roaming\FB8C.2F8

Filesize
1KB

MD5
b100452a5e0d757067b5d1f50ce57337

SHA1
b6750b24029ca78a75c0856b381632a7c55e6c72

SHA256
5c7a5232ace046da415075977bedbd96df9e796b1b6a5dd3ce36313e98b641da

SHA512
449e5573cfe92a37817aa0bd1a10e70ed697cead962f194e45d822b1eb107aa543974ced1eff79f196939535de20279ebedd8e31300617077e062a9d99209854

Download Submit
C:\Users\Admin\AppData\Roaming\FB8C.2F8

Filesize
597B

MD5
b3076abf7b20dffc75588170b5fa7193

SHA1
928ca8c7a8d746c0fa68752d30f8e2b33fcab471

SHA256
ff10f452747c1347bf2f13d30277c71581fc894a3923d196912d8c4d49c1d43f

SHA512
0513342b4a7dbd55b64c3fcb3d41a540180a0f55d13d903e153dac3c330da91f8b3c353b7204bafc898cf723ce744260f2aabbe58003367b9b8977eacf980693

Download Submit
memory/1876-1-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1876-2-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1876-185-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1876-20-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1876-75-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2152-79-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2152-78-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2152-77-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2704-17-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2704-19-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads