cycbot | 0b6e19af308f09f906bc17cf6c8813e3b598eb664ca5705ea4711887f0290d56

General

Target

JaffaCakes118_251e0e0de95dad0b88e27e36d8672266.exe
Size

197KB
MD5

251e0e0de95dad0b88e27e36d8672266
SHA1

461a9fca4915945e671bcf6b0ed5c3b9a0c57f08
SHA256

0b6e19af308f09f906bc17cf6c8813e3b598eb664ca5705ea4711887f0290d56
SHA512

44a29393326fdfcd486d76c5a9a4a57d6dfd12ac2af83d2602d64198ddb8e1d2d5539cc17ce2e56a2ed5a992bcb55162c4dceec008e9def8465e1c42fbeb9644
SSDEEP

6144:Q+nc20y+pWqy2p4GtvEb3rBWcBYopZqtgMP:pchOk4cvEPB2rtr

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1384-7-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2516-16-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/560-83-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2516-84-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2516-198-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_251e0e0de95dad0b88e27e36d8672266.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2516-2-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1384-5-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1384-7-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2516-16-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/560-81-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/560-83-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2516-84-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2516-198-0x0000000000400000-0x000000000046C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_251e0e0de95dad0b88e27e36d8672266.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_251e0e0de95dad0b88e27e36d8672266.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_251e0e0de95dad0b88e27e36d8672266.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 1384	2516	JaffaCakes118_251e0e0de95dad0b88e27e36d8672266.exe	30
PID 2516 wrote to memory of 1384	2516	JaffaCakes118_251e0e0de95dad0b88e27e36d8672266.exe	30
PID 2516 wrote to memory of 1384	2516	JaffaCakes118_251e0e0de95dad0b88e27e36d8672266.exe	30
PID 2516 wrote to memory of 1384	2516	JaffaCakes118_251e0e0de95dad0b88e27e36d8672266.exe	30
PID 2516 wrote to memory of 560	2516	JaffaCakes118_251e0e0de95dad0b88e27e36d8672266.exe	33
PID 2516 wrote to memory of 560	2516	JaffaCakes118_251e0e0de95dad0b88e27e36d8672266.exe	33
PID 2516 wrote to memory of 560	2516	JaffaCakes118_251e0e0de95dad0b88e27e36d8672266.exe	33
PID 2516 wrote to memory of 560	2516	JaffaCakes118_251e0e0de95dad0b88e27e36d8672266.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_251e0e0de95dad0b88e27e36d8672266.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_251e0e0de95dad0b88e27e36d8672266.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_251e0e0de95dad0b88e27e36d8672266.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_251e0e0de95dad0b88e27e36d8672266.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1384
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_251e0e0de95dad0b88e27e36d8672266.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_251e0e0de95dad0b88e27e36d8672266.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\8B54.899

Filesize
600B

MD5
e277fb46ee25092b0ecd8de48afda2c0

SHA1
fabe315d8db57746c6128ce50c7b9eda5a228b1a

SHA256
682389110cae63820d0c85de420877a1dff8862daf577853582b5b96e73d93c0

SHA512
bc9051128a5f3b3d3e6fea041371ea6980b037398b73c8df01846db537f4f185ee861ff187ac0f2fdc7a8c559edfcea8c6314bb87de7280b4f441fe9d84dc686

Download Submit
C:\Users\Admin\AppData\Roaming\8B54.899

Filesize
1KB

MD5
ee5fd1cdce848460c50c2b4e7db1690b

SHA1
001278e9bc45940df89bf88c252c9557436436bf

SHA256
0bd2bed33d968f5b02b2371e0770214c38e1afabcc0b22afa2526fe827c6056d

SHA512
457888c729fc518b34d1d3cfacdd61c7b326a0aa0446539a17efbb5f6b33df3211664b8693cfb22c40a1bffcf146eea6825ad7f5f366c99606ca9efc69f234e2

Download Submit
C:\Users\Admin\AppData\Roaming\8B54.899

Filesize
1KB

MD5
47ed03f99cabeea279b6ecb692b90821

SHA1
c7b957660c6ebfc17b2bad4f6585e0adce411a75

SHA256
b5913605ccef77205bd4663ea82a902ddce197006f5b8c5d5f87f680ded70c7c

SHA512
99e6e23c9e4ff24efea469503bcdd23e9a347a6351cd8c8975d0695fe6682c3c9fd181413d3a921322b620181503d6a31d3f39b9d2cceaa8e457680901fdc013

Download Submit
C:\Users\Admin\AppData\Roaming\8B54.899

Filesize
996B

MD5
3ff3dbb64a452c06e3ff6edd2f39e383

SHA1
f266532b31b842107ff470dee7d1a3ba8165257c

SHA256
8b66b3921cde45dea934edc776dfb30ceb02c6e0cfb43680531ceb3e5cd8431b

SHA512
a01de2fd1710ecf45782fa18acf5f83618f96ad12894c2e7551616db13ea41a2635e4c8fc354ebbdf203d9c4c8d32f13b4ce755a90d840c7d6bd759b979efd0b

Download Submit
memory/560-83-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/560-81-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1384-7-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1384-5-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2516-16-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2516-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2516-84-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2516-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2516-198-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads