cycbot | f39a6af90a53670d4889f2854f5c0ac12b0169f11e576695d53df2c4452e69e1

General

Target

JaffaCakes118_2d870ecab50618836d2e82fd2b079ac3.exe
Size

164KB
MD5

2d870ecab50618836d2e82fd2b079ac3
SHA1

1d3fb6d5315fa4f13e54d0c68689cf41c609dbc1
SHA256

f39a6af90a53670d4889f2854f5c0ac12b0169f11e576695d53df2c4452e69e1
SHA512

96a6d4542d72c3fcbe8ef69db08aa191ccfdbe0c758f03aa3de637190973001f71c9f22149c92daabed588acedbc260d3d796c1eb81a11d905aab187be9b44aa
SSDEEP

3072:2i45ZS79MttrBQU2Pz4M/pX5/7sLY0829z3uIfKP9:2iCZS7ky0anEtuc8

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2324-17-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2428-18-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2428-19-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/584-119-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2428-120-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2428-306-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\7E2D3\\94FC8.exe"	JaffaCakes118_2d870ecab50618836d2e82fd2b079ac3.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2428-3-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2324-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2324-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2324-17-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2428-18-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2428-19-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/584-117-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/584-119-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2428-120-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2428-306-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2d870ecab50618836d2e82fd2b079ac3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2d870ecab50618836d2e82fd2b079ac3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2d870ecab50618836d2e82fd2b079ac3.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2324	2428	JaffaCakes118_2d870ecab50618836d2e82fd2b079ac3.exe	28
PID 2428 wrote to memory of 2324	2428	JaffaCakes118_2d870ecab50618836d2e82fd2b079ac3.exe	28
PID 2428 wrote to memory of 2324	2428	JaffaCakes118_2d870ecab50618836d2e82fd2b079ac3.exe	28
PID 2428 wrote to memory of 2324	2428	JaffaCakes118_2d870ecab50618836d2e82fd2b079ac3.exe	28
PID 2428 wrote to memory of 584	2428	JaffaCakes118_2d870ecab50618836d2e82fd2b079ac3.exe	30
PID 2428 wrote to memory of 584	2428	JaffaCakes118_2d870ecab50618836d2e82fd2b079ac3.exe	30
PID 2428 wrote to memory of 584	2428	JaffaCakes118_2d870ecab50618836d2e82fd2b079ac3.exe	30
PID 2428 wrote to memory of 584	2428	JaffaCakes118_2d870ecab50618836d2e82fd2b079ac3.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2d870ecab50618836d2e82fd2b079ac3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2d870ecab50618836d2e82fd2b079ac3.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2d870ecab50618836d2e82fd2b079ac3.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2d870ecab50618836d2e82fd2b079ac3.exe startC:\Program Files (x86)\LP\C887\747.exe%C:\Program Files (x86)\LP\C887
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2324
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2d870ecab50618836d2e82fd2b079ac3.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2d870ecab50618836d2e82fd2b079ac3.exe startC:\Program Files (x86)\D31C2\lvvm.exe%C:\Program Files (x86)\D31C2
  2⤵
  - System Location Discovery: System Language Discovery
  PID:584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7E2D3\31C2.E2D

Filesize
996B

MD5
ba51eca2dc857fbfb393625065d2dbbb

SHA1
452e0f640aded6157bb7a596b233b929c7630284

SHA256
99af483f8bd7f9e77feaf00f03bfa9a52753cd85c7e42306d83924b589d4c1f0

SHA512
eb72e245d3dcd0dd697dceb2ff5733da7e11c5d34bd4893ffda8883fc3f49046e9ce53b25d48b1ab7695f91516f4481b6cbaed1294de920d849d6f3e16086c94

Download Submit
C:\Users\Admin\AppData\Roaming\7E2D3\31C2.E2D

Filesize
600B

MD5
81aa5f6aa8ec9796bcd91772142b9325

SHA1
1e99726cef1c49177214cd440621bbdf46bcd4e8

SHA256
5fc4bb140fc7df62f799ced5e085e5ae59c3af028ffe5b4468cbe47d9914034b

SHA512
bcb1016e37e1c450b2c2cddffd3e309461baa64a97a007dac075a6135aa5f71e5f7b3ea289a1fcf03ecd3f95c6d50ebe24b1814c505173001f3718a3f38f3c5a

Download Submit
C:\Users\Admin\AppData\Roaming\7E2D3\31C2.E2D

Filesize
1KB

MD5
26951122ed8b01a09d00d6ad2341ecdb

SHA1
9eda771883d10a4b3c087b3fd50d5ecb1250661f

SHA256
0162f361829807ae75b1d4d80ef58b97b850cfe159396cf5fcde3a11a07a9de7

SHA512
3fb254f0cdb1f2d9c4b913b6acab4403cb2e9710d6dde8d0013a68c4d12dea23a6d5148f626057cd7c09f912051cd44cb5e38257a080479f47b8e8f57909990d

Download Submit
memory/584-119-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/584-117-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2324-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2324-17-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2324-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2428-18-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2428-19-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2428-0-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2428-120-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2428-3-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2428-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2428-306-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads