cycbot | 12c2ef3e3dd062923135bb03f7487f8429811cb748f98822d303a1a87fb13592

General

Target

JaffaCakes118_1e8a3386fd870d5d76dd7b06fe9786b7.exe
Size

168KB
MD5

1e8a3386fd870d5d76dd7b06fe9786b7
SHA1

74cde0a331633a99b3549a8edc1b006360da67d9
SHA256

12c2ef3e3dd062923135bb03f7487f8429811cb748f98822d303a1a87fb13592
SHA512

578e22867cb9ee907f3236d8e52a43a53f276cf664cb7ed7a5b6ef0deb2961a0045d2597d65243970daa580919d87e45bb05f43392fdccfe992ff524318e175f
SSDEEP

3072:AqU/dvWKBwW3dU1iJhl45OoaVGjNjGT4k8PLV1q5dSqtF6V8a8ORnC0:QVvj33kiJhlNNVGjATULVQ3SYMd82Z

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2464-15-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/1660-16-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/1660-17-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/1660-82-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/1604-85-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/1660-188-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\F4086\\BE40F.exe"	JaffaCakes118_1e8a3386fd870d5d76dd7b06fe9786b7.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1660-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2464-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2464-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1660-16-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/1660-17-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1660-82-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1604-84-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1604-85-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1660-188-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1e8a3386fd870d5d76dd7b06fe9786b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1e8a3386fd870d5d76dd7b06fe9786b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1e8a3386fd870d5d76dd7b06fe9786b7.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2464	1660	JaffaCakes118_1e8a3386fd870d5d76dd7b06fe9786b7.exe	31
PID 1660 wrote to memory of 2464	1660	JaffaCakes118_1e8a3386fd870d5d76dd7b06fe9786b7.exe	31
PID 1660 wrote to memory of 2464	1660	JaffaCakes118_1e8a3386fd870d5d76dd7b06fe9786b7.exe	31
PID 1660 wrote to memory of 2464	1660	JaffaCakes118_1e8a3386fd870d5d76dd7b06fe9786b7.exe	31
PID 1660 wrote to memory of 1604	1660	JaffaCakes118_1e8a3386fd870d5d76dd7b06fe9786b7.exe	33
PID 1660 wrote to memory of 1604	1660	JaffaCakes118_1e8a3386fd870d5d76dd7b06fe9786b7.exe	33
PID 1660 wrote to memory of 1604	1660	JaffaCakes118_1e8a3386fd870d5d76dd7b06fe9786b7.exe	33
PID 1660 wrote to memory of 1604	1660	JaffaCakes118_1e8a3386fd870d5d76dd7b06fe9786b7.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1e8a3386fd870d5d76dd7b06fe9786b7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1e8a3386fd870d5d76dd7b06fe9786b7.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1e8a3386fd870d5d76dd7b06fe9786b7.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1e8a3386fd870d5d76dd7b06fe9786b7.exe startC:\Program Files (x86)\LP\0FDF\B11.exe%C:\Program Files (x86)\LP\0FDF
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2464
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1e8a3386fd870d5d76dd7b06fe9786b7.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1e8a3386fd870d5d76dd7b06fe9786b7.exe startC:\Program Files (x86)\866BA\lvvm.exe%C:\Program Files (x86)\866BA
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F4086\66BA.408

Filesize
1KB

MD5
2094a359f89108d77fe5a01e23780866

SHA1
1eadf780e1729c1b038da95ba2f240614d9af8db

SHA256
5398951c6464f5a555ed0c18692ea7304a1c4b80b847d772436f10a237ec5ab1

SHA512
8276d6616e40d0e7d8131800cd6f3383b42cbf6831f65292d67d0ad466ba9dc692098481bf11118142b676198130473b32a6d8c4c8a091313efa106a459232b5

Download Submit
C:\Users\Admin\AppData\Roaming\F4086\66BA.408

Filesize
600B

MD5
06fe8cbe8606611eedf6e4d284fdab2a

SHA1
caca509a19e918b18e473483e76516c2a5aef8ef

SHA256
53dfa4eab8b687f23dea6917cd0d33c65c04f3c071ddb976eb8caa314bf58464

SHA512
9e071ba75206a0302e954db17d61d1a5fe1fea2deb39ab0132233915b63e61dfdd9606cc3b9dc7002fa81f37076ff5675080fb64d9d6e4e54dea81696543c306

Download Submit
C:\Users\Admin\AppData\Roaming\F4086\66BA.408

Filesize
996B

MD5
ceaf57ce317a9dcfcd9737677842c9fa

SHA1
40d48c2fe08c501c7285b8ca701ff14a78f583c7

SHA256
ab84f1290b523084dd863333f59423c71395bcc233b78767173420046fe5aba7

SHA512
d6197da528a81441f0503e5901fbc2b8e32f505a62c951d612a959be70e26e626b705e1c02fa4f93c446e5e3a34adc0d01d81311e39ce8eb5fdd4d1af222c6d3

Download Submit
memory/1604-85-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1604-84-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1660-17-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1660-1-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1660-16-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1660-82-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1660-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1660-188-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2464-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2464-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2464-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads