cycbot | 647bb3bf7de867d5b9d0fbcb36bbff529a15b926943704702f1d1a6507151982

General

Target

JaffaCakes118_e3ca70f39d7d4f5acb5dbb5f6acc895b.exe
Size

168KB
MD5

e3ca70f39d7d4f5acb5dbb5f6acc895b
SHA1

4e037c9c624377ac3e247c5ad5fcc5e260f19b8f
SHA256

647bb3bf7de867d5b9d0fbcb36bbff529a15b926943704702f1d1a6507151982
SHA512

c0cfd06b24a88574759c3d884ce55e429b769b73601fbedc3330e983c2da37667243c146a5d4bfc331df7dc4d06ad780cea1819046197521d4917c0117e78666
SSDEEP

3072:ZlmZPoLm/8eMCDivRH4tER6bZF2KZRIP/aNfbGE:ZmPf/8eM2SYtE6bSKZKaN

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1224-10-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2944-21-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2848-83-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2944-84-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2944-183-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_e3ca70f39d7d4f5acb5dbb5f6acc895b.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2944-2-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1224-8-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1224-10-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2944-21-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2848-82-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2848-83-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2944-84-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2944-183-0x0000000000400000-0x000000000046A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e3ca70f39d7d4f5acb5dbb5f6acc895b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e3ca70f39d7d4f5acb5dbb5f6acc895b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e3ca70f39d7d4f5acb5dbb5f6acc895b.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 1224	2944	JaffaCakes118_e3ca70f39d7d4f5acb5dbb5f6acc895b.exe	31
PID 2944 wrote to memory of 1224	2944	JaffaCakes118_e3ca70f39d7d4f5acb5dbb5f6acc895b.exe	31
PID 2944 wrote to memory of 1224	2944	JaffaCakes118_e3ca70f39d7d4f5acb5dbb5f6acc895b.exe	31
PID 2944 wrote to memory of 1224	2944	JaffaCakes118_e3ca70f39d7d4f5acb5dbb5f6acc895b.exe	31
PID 2944 wrote to memory of 2848	2944	JaffaCakes118_e3ca70f39d7d4f5acb5dbb5f6acc895b.exe	33
PID 2944 wrote to memory of 2848	2944	JaffaCakes118_e3ca70f39d7d4f5acb5dbb5f6acc895b.exe	33
PID 2944 wrote to memory of 2848	2944	JaffaCakes118_e3ca70f39d7d4f5acb5dbb5f6acc895b.exe	33
PID 2944 wrote to memory of 2848	2944	JaffaCakes118_e3ca70f39d7d4f5acb5dbb5f6acc895b.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e3ca70f39d7d4f5acb5dbb5f6acc895b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e3ca70f39d7d4f5acb5dbb5f6acc895b.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e3ca70f39d7d4f5acb5dbb5f6acc895b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e3ca70f39d7d4f5acb5dbb5f6acc895b.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1224
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e3ca70f39d7d4f5acb5dbb5f6acc895b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e3ca70f39d7d4f5acb5dbb5f6acc895b.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B09A.562

Filesize
597B

MD5
663f8b3357b9ba8df15099156fa58d93

SHA1
9c5d27dc7b97c743ebc4706997025c2df047f7d0

SHA256
2d688a0abbca0266a9433253d460d98ef38ad03e8884f038dc72b34410fd2e04

SHA512
90f4e566c6871f24bd1bcda9df4c0ff966d9990a86d8a8b3218e0dec0d7fc65fe45e9768fa9a39a6ce71219e101c32425c0829cce3c9fc89c4543a44ab6dbc62

Download Submit
C:\Users\Admin\AppData\Roaming\B09A.562

Filesize
1KB

MD5
667eca3f0d8c84d58438fa85b9a9b3bc

SHA1
c35c332afe2cb4c54e56f690a76df50c36e3b1e2

SHA256
ed6dd34698907cc78d73c5e30a425100ec6c6d57bafb07891dc3e39775231030

SHA512
e07e5f5816dfc192497fdf54e7b5815267214264ba740a13526e5001fab76268abbca328f0ef8dbc31671171bc0e298dcc0f648ec23ebabcb518b761035bf7c3

Download Submit
C:\Users\Admin\AppData\Roaming\B09A.562

Filesize
897B

MD5
721d4abfa3ebf646edd505618ed5709b

SHA1
1bb5810f54517415d16567d7dd3eb4cc05421bb8

SHA256
85d25e15cc06e550f04b491af2e0b9d0f3c136a4f1c0f9d6872f78e48ece91b9

SHA512
8fd3e1086d1c0546cb77e372b92ae4f701d2e79a152a1f37ecefd4fa6702f17e3da62a5a98ab12f4013ccc77933190eb7bc6ae0e207ceef766b57facb16bed31

Download Submit
C:\Users\Admin\AppData\Roaming\B09A.562

Filesize
1KB

MD5
fc8827964a9f828101421028e1880da6

SHA1
76ec9a89ff769c6bb62222e2ebf2b2267031412a

SHA256
67f8d2566f935f3dcf9f687320e0c1adf60335089298250ec27d3009b4160678

SHA512
2384056ef45e6633434845f89bd8ffb343f90e66950e82fa5ae2fbf417bdc958229159247345a6c02644e979caaf09a63daff299e183e91152bfb360737389fb

Download Submit
memory/1224-8-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1224-10-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1224-7-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2848-82-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2848-83-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2944-21-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2944-1-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2944-84-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2944-2-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2944-183-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads