cycbot | ae34fea5247fe689763b6eb5eb0fc3aee05a15348909b91a3542fc29e00a36e8

General

Target

JaffaCakes118_2bb127e45de96ce682cae534141d3d3b.exe
Size

185KB
MD5

2bb127e45de96ce682cae534141d3d3b
SHA1

723dd1ee9039d9202d2fca881159b3b833c0a151
SHA256

ae34fea5247fe689763b6eb5eb0fc3aee05a15348909b91a3542fc29e00a36e8
SHA512

6241d374f566f2fab26012b7af84b6e9fffa1ceda355e3cd2872889d9fb75edae6e567eec817f366aa5addc6626bcc3bebedb3a2accbbe9a045a791552f7c04a
SSDEEP

3072:hecqeN58VLH7UmN/vxRHOeScx4fLA5l0vkcEocHCUm+WoVxRThEJDtCYXW7C:UtqUbU0nxlOKCA7C+oYCHOxRTc5r

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1628-8-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/1628-6-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/2736-16-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/968-83-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/2736-84-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/2736-182-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_2bb127e45de96ce682cae534141d3d3b.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2736-2-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1628-5-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1628-8-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1628-6-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2736-16-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/968-82-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/968-83-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2736-84-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2736-182-0x0000000000400000-0x000000000046E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2bb127e45de96ce682cae534141d3d3b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2bb127e45de96ce682cae534141d3d3b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2bb127e45de96ce682cae534141d3d3b.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 1628	2736	JaffaCakes118_2bb127e45de96ce682cae534141d3d3b.exe	30
PID 2736 wrote to memory of 1628	2736	JaffaCakes118_2bb127e45de96ce682cae534141d3d3b.exe	30
PID 2736 wrote to memory of 1628	2736	JaffaCakes118_2bb127e45de96ce682cae534141d3d3b.exe	30
PID 2736 wrote to memory of 1628	2736	JaffaCakes118_2bb127e45de96ce682cae534141d3d3b.exe	30
PID 2736 wrote to memory of 968	2736	JaffaCakes118_2bb127e45de96ce682cae534141d3d3b.exe	32
PID 2736 wrote to memory of 968	2736	JaffaCakes118_2bb127e45de96ce682cae534141d3d3b.exe	32
PID 2736 wrote to memory of 968	2736	JaffaCakes118_2bb127e45de96ce682cae534141d3d3b.exe	32
PID 2736 wrote to memory of 968	2736	JaffaCakes118_2bb127e45de96ce682cae534141d3d3b.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2bb127e45de96ce682cae534141d3d3b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2bb127e45de96ce682cae534141d3d3b.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2bb127e45de96ce682cae534141d3d3b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2bb127e45de96ce682cae534141d3d3b.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1628
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2bb127e45de96ce682cae534141d3d3b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2bb127e45de96ce682cae534141d3d3b.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D664.7EB

Filesize
1KB

MD5
c48e22bb792c08aa1748b8502e3f590f

SHA1
134371452c0eddd75972963b1bffae224034f901

SHA256
18c4943f872f5a87f4ce1e67170ddd3df1ba4cd518beffe2c4d15372d10f4f62

SHA512
cfee6578bd258df24a1265e4a96acfbee09687a96a9372fb61860002e391522f60b43f23b7b22d79ff7245892e6efb0b3ee765bfdd26b33a77d476eea5614300

Download Submit
C:\Users\Admin\AppData\Roaming\D664.7EB

Filesize
600B

MD5
a09b166aeb3f290521f2f3361f417b88

SHA1
5b05823edb034b260de4ec42328a2725ee15c844

SHA256
d841cf69ca12a4b1e51ed9d32bda5cfbd7e1d8115d927755092ef75f0723db03

SHA512
3282ba56c6273d79ee29af02279ea8349b28455fc62ad806f043e7dcff58fc9da30d63ed62e0b28223f8ff3372419f29a27afa8fbdb6989aa61035c1c29d6219

Download Submit
C:\Users\Admin\AppData\Roaming\D664.7EB

Filesize
996B

MD5
bc376cfcd473ea7029b551311eb52762

SHA1
c39678b8f70cebb4a827e690b761c883d4fcfc9f

SHA256
324578408194149c781dc24e03febae7e261ac82190302dd27ad72494cbe6176

SHA512
8c35d6e829d6a0e610d7a240241c5ee1321832d347a0744bb865ed4f7b11b8f661973c51ff75a216c87030cc8211c31bded8bb37bff68449415225cae86ffb39

Download Submit
memory/968-83-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/968-82-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/968-81-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1628-6-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1628-8-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1628-5-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2736-16-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2736-1-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2736-84-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2736-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2736-182-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads