cycbot | 69cccd923fe291d146e1907b8b582fbef9bb815b74a1e8cee8dbfd3faf535e00

General

Target

JaffaCakes118_ca4e3112dcfe4a1676b3e0481373bc3a.exe
Size

186KB
MD5

ca4e3112dcfe4a1676b3e0481373bc3a
SHA1

74fdbb8ac02c95f34eba13836e500ff3d5a22bdf
SHA256

69cccd923fe291d146e1907b8b582fbef9bb815b74a1e8cee8dbfd3faf535e00
SHA512

0659093f48075a8e6f7c67d5db71b71577b5c6fbe7fcb5aefd57701730a6e299208dacc4d7f946686d47f98f19a9e1a171cde700ee784627fd9b8605e0dae6db
SSDEEP

3072:ScFOlegDlRzCJnKOewmoFMyJAlAxUV8zxmXwZW5+9OULXGDTGgDSNRWzgA1ml:ScFOlpr4DeNoFfgViWM8UqGX

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2992-18-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2376-19-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2376-82-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/3036-84-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/3036-86-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2376-199-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_ca4e3112dcfe4a1676b3e0481373bc3a.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2376-2-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2992-18-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2376-19-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2376-82-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/3036-84-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/3036-86-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2376-199-0x0000000000400000-0x000000000046C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ca4e3112dcfe4a1676b3e0481373bc3a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ca4e3112dcfe4a1676b3e0481373bc3a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ca4e3112dcfe4a1676b3e0481373bc3a.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2992	2376	JaffaCakes118_ca4e3112dcfe4a1676b3e0481373bc3a.exe	30
PID 2376 wrote to memory of 2992	2376	JaffaCakes118_ca4e3112dcfe4a1676b3e0481373bc3a.exe	30
PID 2376 wrote to memory of 2992	2376	JaffaCakes118_ca4e3112dcfe4a1676b3e0481373bc3a.exe	30
PID 2376 wrote to memory of 2992	2376	JaffaCakes118_ca4e3112dcfe4a1676b3e0481373bc3a.exe	30
PID 2376 wrote to memory of 3036	2376	JaffaCakes118_ca4e3112dcfe4a1676b3e0481373bc3a.exe	33
PID 2376 wrote to memory of 3036	2376	JaffaCakes118_ca4e3112dcfe4a1676b3e0481373bc3a.exe	33
PID 2376 wrote to memory of 3036	2376	JaffaCakes118_ca4e3112dcfe4a1676b3e0481373bc3a.exe	33
PID 2376 wrote to memory of 3036	2376	JaffaCakes118_ca4e3112dcfe4a1676b3e0481373bc3a.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca4e3112dcfe4a1676b3e0481373bc3a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca4e3112dcfe4a1676b3e0481373bc3a.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca4e3112dcfe4a1676b3e0481373bc3a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca4e3112dcfe4a1676b3e0481373bc3a.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2992
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca4e3112dcfe4a1676b3e0481373bc3a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca4e3112dcfe4a1676b3e0481373bc3a.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B323.CB1

Filesize
597B

MD5
fba5137990419005e76f868041fcae6a

SHA1
b1b0dd85b1aef797811520094aee82488fcf8a98

SHA256
cfa005826c238d8406d243cf492a8473f68428cc6267d9b61d7ad8eeb10c127c

SHA512
5a9241327b2a99c11ee11ffe7b5c28fc6a320d4490b5eb14d37e51193472141eef44dab40dd75407c5d6f677f5934952390aef8825b6ce5874ce8c0cf1b438e6

Download Submit
C:\Users\Admin\AppData\Roaming\B323.CB1

Filesize
897B

MD5
839aae91bdbbb84170153e90e5fdc056

SHA1
4ac96213e1e1ef6ee9b2d4c4d8ad31226de28458

SHA256
7c809160b8c1540a6466fc36ca7ff882c4295387422e7578bf95869f5c26ba90

SHA512
fe30f0d033961d583b3464c61cfdd96b11e7390ad5e4aafa94b1c7140bc3534de037aec313ed1e0ec6c77ed2eb356aed66edca797f4bb8448f10f5854ab2e269

Download Submit
C:\Users\Admin\AppData\Roaming\B323.CB1

Filesize
1KB

MD5
1806c4c5e8d9d86d14a0610e362c9175

SHA1
95b2211411348354ebcd71c5017e3f4f0d65992e

SHA256
17325c56c0acb30739a14fc990c135a3bf12083f9a34d29735405d247d8c3815

SHA512
2deefa3cacb0f6618b1fd14af21e915941365a68eeac8c58ffb4f53201b4cba04e0354aab5c99166a3fb975e8c66b59402c827f32893078b049913319ab2825d

Download Submit
memory/2376-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2376-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2376-19-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2376-82-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2376-199-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2992-18-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3036-84-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3036-86-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads