cycbot | 1383b00e223f3e560894307cdfa57205dfa62ac7e155ddc08990b0446d59ea19

General

Target

JaffaCakes118_31a1d77061d5aead3dd3c0831ef43689.exe
Size

197KB
MD5

31a1d77061d5aead3dd3c0831ef43689
SHA1

f05b2ca574a00c843d2319e255fd4545b3366562
SHA256

1383b00e223f3e560894307cdfa57205dfa62ac7e155ddc08990b0446d59ea19
SHA512

605398bb769a7f0994a7ac6be99204f29073663829868a0f5cace7065eb667b1a33abd74762c62748ecbf381388c4fd3f7d8bec320311d555b90ec0f0e949cc2
SSDEEP

3072:8SMgm67GU+5mNR1+E2tmVprtnzc2jREcUrgpTcEZW/q4evRlOEAh3:8SMgm8j+o1vtzjREvrgpFZWC4AxA

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1952-6-0x0000000000400000-0x000000000048C000-memory.dmp	family_cycbot
behavioral1/memory/1952-8-0x0000000000400000-0x000000000048C000-memory.dmp	family_cycbot
behavioral1/memory/2336-16-0x0000000000400000-0x000000000048C000-memory.dmp	family_cycbot
behavioral1/memory/2752-77-0x0000000000400000-0x000000000048C000-memory.dmp	family_cycbot
behavioral1/memory/2336-78-0x0000000000400000-0x000000000048C000-memory.dmp	family_cycbot
behavioral1/memory/2336-178-0x0000000000400000-0x000000000048C000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_31a1d77061d5aead3dd3c0831ef43689.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2336-2-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/1952-6-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/1952-8-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/1952-5-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2336-16-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2752-77-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2336-78-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2336-178-0x0000000000400000-0x000000000048C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_31a1d77061d5aead3dd3c0831ef43689.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_31a1d77061d5aead3dd3c0831ef43689.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_31a1d77061d5aead3dd3c0831ef43689.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1952	2336	JaffaCakes118_31a1d77061d5aead3dd3c0831ef43689.exe	30
PID 2336 wrote to memory of 1952	2336	JaffaCakes118_31a1d77061d5aead3dd3c0831ef43689.exe	30
PID 2336 wrote to memory of 1952	2336	JaffaCakes118_31a1d77061d5aead3dd3c0831ef43689.exe	30
PID 2336 wrote to memory of 1952	2336	JaffaCakes118_31a1d77061d5aead3dd3c0831ef43689.exe	30
PID 2336 wrote to memory of 2752	2336	JaffaCakes118_31a1d77061d5aead3dd3c0831ef43689.exe	33
PID 2336 wrote to memory of 2752	2336	JaffaCakes118_31a1d77061d5aead3dd3c0831ef43689.exe	33
PID 2336 wrote to memory of 2752	2336	JaffaCakes118_31a1d77061d5aead3dd3c0831ef43689.exe	33
PID 2336 wrote to memory of 2752	2336	JaffaCakes118_31a1d77061d5aead3dd3c0831ef43689.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31a1d77061d5aead3dd3c0831ef43689.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31a1d77061d5aead3dd3c0831ef43689.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31a1d77061d5aead3dd3c0831ef43689.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31a1d77061d5aead3dd3c0831ef43689.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1952
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31a1d77061d5aead3dd3c0831ef43689.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31a1d77061d5aead3dd3c0831ef43689.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3D3A.5E5

Filesize
1KB

MD5
ed79f3023258674ac37b6742319c4472

SHA1
60447c890185258453bb42bb02272eb17a0eacf9

SHA256
b158d5c3ea0d7cb6823d4d223e9ac3646c3436440b58a6c598cab437f7eed959

SHA512
b9aa508a6cb5b102e6c1d9f33e321ab6b060c3e866f9c8da7434387927c906261073ff45caa27c23a7caf377a2e196e3ae8036bc819af87e2cbac38abcb1f3b2

Download Submit
C:\Users\Admin\AppData\Roaming\3D3A.5E5

Filesize
600B

MD5
f133cef924948ce02e87bf223dd185f9

SHA1
5efcaa2dfd4999242d86b756c15c567711ab2e95

SHA256
28d03d027e365caf16067f1de70eb3eccffcb7ff15da41880a67358583b65ab1

SHA512
efe8a4aca991293ebcf73abe1c24b8d2428d4da9e1b4bfc9799ade50ec18e306c9d7f4e220db5184ecf66e004b45b9313e14e7db6b12440cfc02772987f32b9e

Download Submit
C:\Users\Admin\AppData\Roaming\3D3A.5E5

Filesize
996B

MD5
ba286cebcc39e2803f1b581f2fe88442

SHA1
cf1d7ac0b63dd682ec6e07698c86f9ecce52baf6

SHA256
b3aeed3dcbcda961a536d77386b0f5edb739e29545d61630b4cb0ed93bd1ead1

SHA512
ecc3a5ec9209a52e8061581b313b94a1bba07d6d2f496d752bcd2c7b613ede19553646f9b9b6c511ee433ce31925a6238aace6d33d9b7304603df207b77e5551

Download Submit
memory/1952-8-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1952-5-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1952-6-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2336-16-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2336-1-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2336-78-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2336-2-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2336-178-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2752-75-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2752-77-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2752-141-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads