cycbot | 4e9a85a50de1c4d5a8cee8e5aebbc451971cb3558222cc1f5aa66691a656ea69

General

Target

JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe
Size

168KB
MD5

bfbae6e4f9471a56861ee583ebbf41e4
SHA1

7f7963f4db6b16c508264f68e8f318b1b5927506
SHA256

4e9a85a50de1c4d5a8cee8e5aebbc451971cb3558222cc1f5aa66691a656ea69
SHA512

7806a8a755af678fffa6ebd1e872902b246e5c1cd5b7b6d1c7a9f7dd997d7412d34c3d655d251388302fc96fa66533d9001f45719460a18c7357d015925c1a6c
SSDEEP

3072:LCnlARdtmxC06aYl+5ir6Vl0Cs8IJJ1CMPI3Y6XkY6x/pH7:OebmxCpB+5ir6QOIJJ1CMPI3ZXk5xBH7

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2540-5-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2100-14-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2100-83-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1244-87-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2100-146-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2100-185-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2540-6-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2540-5-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2100-2-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2100-14-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2100-83-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1244-85-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1244-87-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2100-146-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2100-185-0x0000000000400000-0x000000000046A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2540	2100	JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe	30
PID 2100 wrote to memory of 2540	2100	JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe	30
PID 2100 wrote to memory of 2540	2100	JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe	30
PID 2100 wrote to memory of 2540	2100	JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe	30
PID 2100 wrote to memory of 1244	2100	JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe	32
PID 2100 wrote to memory of 1244	2100	JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe	32
PID 2100 wrote to memory of 1244	2100	JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe	32
PID 2100 wrote to memory of 1244	2100	JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2540
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfbae6e4f9471a56861ee583ebbf41e4.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2B18.3A6

Filesize
1KB

MD5
61fa83c67f653e612f05eb82be3e758f

SHA1
c5f2d87d1a818f7600aa90cf79bf139b23758606

SHA256
6d5d0be53dba19cb4a49419987bb18b9bbd27f765c2d7ef1df8c7d9789234bcb

SHA512
337d39f9386e4551976c2f96f16afe57aef464aaca1337d88c56a820a0ef585725cbd7b0ec14bea28a81d5a82d5f35cfe21c36b08b2c98348ffcf7ace23f9775

Download Submit
C:\Users\Admin\AppData\Roaming\2B18.3A6

Filesize
600B

MD5
e786035e340b174f44771a7cdd682026

SHA1
6c07844f2f4e0741c263832d5c30d63fd0aaf4d6

SHA256
21d03c526de75c140358ce049d1022fdb183dbcc2e8571ca99e4bdfe9ab59a5a

SHA512
f7ff098bb54951ca215faedc8467ba12c217328cb093897368ae1ac29e2c2926a7d729b97c8167750bf5e586addd89d6fcd9faeebfed0c5e03ac1e24d0d9bfd8

Download Submit
C:\Users\Admin\AppData\Roaming\2B18.3A6

Filesize
996B

MD5
cf59a23d6680064af2defa4fbd0e7b88

SHA1
29e650334d0549a9261c2ea3075aad6b3dae552d

SHA256
05acb7a986c5ee445468352cf9e9a9f7e4f2b83b336c5d8ccbf6ba5459815ec6

SHA512
fa9a2e2e4935dcf1760c9f022ad227b5073a61bbe47ba13cb47fc5dc8a00db32b0b64ef8a17d695ca4cc2d809d7d51f0de81d4f764e01ed336f1d2baf0cd044c

Download Submit
memory/1244-87-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1244-85-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2100-14-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2100-1-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2100-2-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2100-83-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2100-146-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2100-185-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2540-6-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2540-5-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads