cycbot | 4f44e138132a99385a0c26381412a06736d62be736cdbc062fe4dc4c6e3a847b

General

Target

JaffaCakes118_e47a0ac0a078d39c328722e1bb379c21.exe
Size

185KB
MD5

e47a0ac0a078d39c328722e1bb379c21
SHA1

8f3ebf1174136f75634b2e9b5a1728842d064390
SHA256

4f44e138132a99385a0c26381412a06736d62be736cdbc062fe4dc4c6e3a847b
SHA512

957161bb72ccbba8aa9250139c3b5e3e3a03c987055c991f15b616cbefc3d09c624361fb63f894cf84fad884049e3988ffa8c1921b0ef23c07151bbb9fe9e90c
SSDEEP

3072:pLNmKrY2wW7KultckLEael5a00ciGS6725W8ZRfCdzvFVK6/U8WRG5OXc:x1rN37KYtc1Nl5aYMi20SCNvn/iRAO

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2036-12-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/304-17-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1100-84-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/304-85-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/304-155-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_e47a0ac0a078d39c328722e1bb379c21.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/304-2-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2036-10-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2036-12-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/304-17-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1100-84-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/304-85-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/304-155-0x0000000000400000-0x000000000046C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e47a0ac0a078d39c328722e1bb379c21.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e47a0ac0a078d39c328722e1bb379c21.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e47a0ac0a078d39c328722e1bb379c21.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 304 wrote to memory of 2036	304	JaffaCakes118_e47a0ac0a078d39c328722e1bb379c21.exe	31
PID 304 wrote to memory of 2036	304	JaffaCakes118_e47a0ac0a078d39c328722e1bb379c21.exe	31
PID 304 wrote to memory of 2036	304	JaffaCakes118_e47a0ac0a078d39c328722e1bb379c21.exe	31
PID 304 wrote to memory of 2036	304	JaffaCakes118_e47a0ac0a078d39c328722e1bb379c21.exe	31
PID 304 wrote to memory of 1100	304	JaffaCakes118_e47a0ac0a078d39c328722e1bb379c21.exe	33
PID 304 wrote to memory of 1100	304	JaffaCakes118_e47a0ac0a078d39c328722e1bb379c21.exe	33
PID 304 wrote to memory of 1100	304	JaffaCakes118_e47a0ac0a078d39c328722e1bb379c21.exe	33
PID 304 wrote to memory of 1100	304	JaffaCakes118_e47a0ac0a078d39c328722e1bb379c21.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e47a0ac0a078d39c328722e1bb379c21.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e47a0ac0a078d39c328722e1bb379c21.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:304
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e47a0ac0a078d39c328722e1bb379c21.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e47a0ac0a078d39c328722e1bb379c21.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e47a0ac0a078d39c328722e1bb379c21.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e47a0ac0a078d39c328722e1bb379c21.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D249.3BB

Filesize
1KB

MD5
7f90b83f42f53c5d22f095fa430fbc75

SHA1
c8d1898a6b1d914b0b8b3a12f33f0adbddf25d4a

SHA256
9303a0bea148933aa2a5f57913f93988ad1120156fe792271ba984650303896d

SHA512
e335380fa3a83722a664fc2df37d7f08bcfd2f86e0f0e0e8e8575b41680051fd94a47eb250e2aef9944b441efb642a86e9f5ab4dcaeb5e076a7fb4e05e47b69b

Download Submit
C:\Users\Admin\AppData\Roaming\D249.3BB

Filesize
597B

MD5
09e482c2d2835e5cdd3545581fdd6835

SHA1
4cf3f524907bee2a213ad60c26fc76f123e5a07c

SHA256
aa7061b2cf3d2162d32cb49fa22032eaa424d5f09e87d2d8935b0b33e12c0b6f

SHA512
8348fa2be485576d9072c3e08835439fbe07ffb7005ee60f3ea5bb2869a5f14c601d13fd844e9491c85212ef2e247e845701b04b228cd6eea4012a7b1f1db63f

Download Submit
C:\Users\Admin\AppData\Roaming\D249.3BB

Filesize
297B

MD5
7ea4aeafbbaec53371f39b0fc19845a0

SHA1
ebe2799b69b112f2e829891db980c07d16513297

SHA256
a7eb9436c82410af98161dd7df58c30b72ce64d134d18c053ac50c0ed76e9c2b

SHA512
b1ac95e8abd012ac70bb4ce6da17abcd5813a4a45c817301e6daaef8c0cf13869ce12e05d9299ef14d15597e4cdc2899a76c176b92320cb67e04a42ff7568dc5

Download Submit
C:\Users\Admin\AppData\Roaming\D249.3BB

Filesize
993B

MD5
7d41bb3435014dfc5d1f4cf07c5c787c

SHA1
565fe1f1cf662abbf455a3395a5b150e5be07b0f

SHA256
62c10a3f568e0a47b89c97721e326d12891b48df175281ac8c8b7664a8245e69

SHA512
3ce5042e5a3bf66e4e09822002fe94f86d89ba6237f2c0034eb4c039c10297cf9b21b4ac0c520df84bd7d9b43a82e659255cddffe8e3778331c08bc8f0beae8b

Download Submit
memory/304-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/304-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/304-17-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/304-85-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/304-155-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1100-84-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2036-10-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2036-12-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads