cycbot | 4c102f72cf215c188ed4000a47eb09e8edf82c054a36e0eb3d95093f2adba2e1

General

Target

JaffaCakes118_f3b5c71429882508a16b171bfd6e3d50.exe
Size

174KB
MD5

f3b5c71429882508a16b171bfd6e3d50
SHA1

5ba90d177031465c2b8d9f94090884d882ec3d17
SHA256

4c102f72cf215c188ed4000a47eb09e8edf82c054a36e0eb3d95093f2adba2e1
SHA512

d9a64d326b031cc3f400b7134bc39a2d99f57a7590fdcbcc5be794b95b2554947a6d527e4d25540e945a3480fee853e533018b6d51d7d3a0f795f44d587c6073
SSDEEP

3072:2vW+2IUadlM4GD8hzSyM6kb5G1zIRObix0AoMBiOKoYkEI52Ap+hlmlzeHh4/T8I:2vW+Br6epkb5G1MRN0cBiroYI2Qlzb8I

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2156-8-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2904-16-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2904-81-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2572-86-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2904-147-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_f3b5c71429882508a16b171bfd6e3d50.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2904-2-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2156-5-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2156-6-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2156-8-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2904-16-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2904-81-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2572-84-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2572-86-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2904-147-0x0000000000400000-0x000000000048D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f3b5c71429882508a16b171bfd6e3d50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f3b5c71429882508a16b171bfd6e3d50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f3b5c71429882508a16b171bfd6e3d50.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2156	2904	JaffaCakes118_f3b5c71429882508a16b171bfd6e3d50.exe	28
PID 2904 wrote to memory of 2156	2904	JaffaCakes118_f3b5c71429882508a16b171bfd6e3d50.exe	28
PID 2904 wrote to memory of 2156	2904	JaffaCakes118_f3b5c71429882508a16b171bfd6e3d50.exe	28
PID 2904 wrote to memory of 2156	2904	JaffaCakes118_f3b5c71429882508a16b171bfd6e3d50.exe	28
PID 2904 wrote to memory of 2572	2904	JaffaCakes118_f3b5c71429882508a16b171bfd6e3d50.exe	30
PID 2904 wrote to memory of 2572	2904	JaffaCakes118_f3b5c71429882508a16b171bfd6e3d50.exe	30
PID 2904 wrote to memory of 2572	2904	JaffaCakes118_f3b5c71429882508a16b171bfd6e3d50.exe	30
PID 2904 wrote to memory of 2572	2904	JaffaCakes118_f3b5c71429882508a16b171bfd6e3d50.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f3b5c71429882508a16b171bfd6e3d50.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f3b5c71429882508a16b171bfd6e3d50.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f3b5c71429882508a16b171bfd6e3d50.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f3b5c71429882508a16b171bfd6e3d50.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2156
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f3b5c71429882508a16b171bfd6e3d50.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f3b5c71429882508a16b171bfd6e3d50.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E65A.4C5

Filesize
1KB

MD5
b689392d842d93cc0ac8d786626bf990

SHA1
4d818abb9c10a71337306f9e60aa652b21ac404e

SHA256
8e85c01565947cf6211dc7e350f951d1a232434e21d7820114bbbbdb31c0e5f1

SHA512
cd0dc02e97e096b17caec94731b4b073c7ae7615e5858575e32aebf38be5d12e03e040a1b0829afc13a9aa2409a03ba3c830df00d75f5a35aee1f8028f0dcbf7

Download Submit
C:\Users\Admin\AppData\Roaming\E65A.4C5

Filesize
600B

MD5
848262b0b4d04d96c9b044d24a25ed06

SHA1
a0c7309647462fbe5616cc78147ee54031ed87be

SHA256
63894ac803a5df6a68af7521a72be3f7ac40e80edeb4f532442dbbabeb5c74d2

SHA512
1984233fd9baa2ac68a4c1f56561b6a8d8ff93bff367e2f7b540210399b35dcf7f08fe5ae2efb1dd67dfcf6cb9490be277bc40473fa1e4609c3e9a0a74fba104

Download Submit
C:\Users\Admin\AppData\Roaming\E65A.4C5

Filesize
996B

MD5
95d4d1bd64d7f6fd70089436e2b18a5b

SHA1
24752141ad6917bb8f43e9aa3c4205ba9418045d

SHA256
f25bb6030a7ee0bba064d8b52873eaa45dabb16bbd055caebe0ec3032a1bf80e

SHA512
4529cf589d90c061ae170a2a64228bec6c70f24165bd66c6869eacf9455feab5399c0be85b70bea16d96056001935576f8c34183d4075d01858bf10a3e81af67

Download Submit
memory/2156-6-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2156-8-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2156-5-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2572-83-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2572-84-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2572-86-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2904-16-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2904-1-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2904-81-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2904-147-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2904-2-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads