cycbot | 46939db3634db384bfa9de3d8abbc41ff0fe5f51e5d64d9f46857ba17db9d242

General

Target

JaffaCakes118_36f5642aed63bd489989d73594f97004.exe
Size

211KB
MD5

36f5642aed63bd489989d73594f97004
SHA1

cf2a732d268d0a9c6e6afddb98484234b771b7a4
SHA256

46939db3634db384bfa9de3d8abbc41ff0fe5f51e5d64d9f46857ba17db9d242
SHA512

22843c5e4dcc7b244950e8e9d9ecd31ac8ee910d30b961e195765a78bfb679ba62609b35a6b9cb17af8e2d86e6f8cded0b356fe619d8b457c092e94c345c93f1
SSDEEP

6144:VILqZ+2To+fS2UKb9Tc4sUVd6/TlXsKcs4t+HScB:VeqZbT821RAUVdeTlXws4o

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2384-114-0x0000000000400000-0x0000000000462000-memory.dmp	family_cycbot
behavioral2/memory/968-161-0x0000000000400000-0x0000000000462000-memory.dmp	family_cycbot
behavioral2/memory/968-162-0x0000000000400000-0x000000000045F000-memory.dmp	family_cycbot
behavioral2/memory/3500-292-0x0000000000400000-0x0000000000462000-memory.dmp	family_cycbot
behavioral2/memory/968-468-0x0000000000400000-0x0000000000462000-memory.dmp	family_cycbot
behavioral2/memory/968-469-0x0000000000400000-0x0000000000462000-memory.dmp	family_cycbot

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/968-2-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral2/memory/2384-113-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral2/memory/2384-114-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral2/memory/968-161-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral2/memory/968-162-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/3500-292-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral2/memory/968-468-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral2/memory/968-469-0x0000000000400000-0x0000000000462000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_36f5642aed63bd489989d73594f97004.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Control Panel 2 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ForegroundLockTimeout = "0"	JaffaCakes118_36f5642aed63bd489989d73594f97004.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ForegroundLockTimeout = "52228420"	JaffaCakes118_36f5642aed63bd489989d73594f97004.exe

Modifies Internet Explorer Automatic Crash Recovery 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AutoRecover = "2"	JaffaCakes118_36f5642aed63bd489989d73594f97004.exe

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	JaffaCakes118_36f5642aed63bd489989d73594f97004.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	JaffaCakes118_36f5642aed63bd489989d73594f97004.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7A62123A-DBFD-11EF-9361-7ECF469E42CC} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	JaffaCakes118_36f5642aed63bd489989d73594f97004.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AutoRecover = "2"	JaffaCakes118_36f5642aed63bd489989d73594f97004.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0978d460a70db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1375248039"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005d8fa1d3b672af4caa8c0d907005240d00000000020000000000106600000001000020000000c321fb581e25360f71fa4d6fc85f3eed9117ef34111a611af15e535b336a61b3000000000e8000000002000020000000309331eaf0c43b9b52380055785dcbeaf31e00102ccab0215b5108c694d0bdf6200000009e978ee27d5bbb35e5bf81dd9b75bc0ad8ccd92274b370032d87d3c37f32991e40000000d7f03370a157bf053a096b2bb60ef61705170df97aafc146b978dee295da9705ae63dc6c3fea874ae762441e35bc40adde3ba475f7ec985ed274f17f2198115b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31158282"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	JaffaCakes118_36f5642aed63bd489989d73594f97004.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "about:blank"	JaffaCakes118_36f5642aed63bd489989d73594f97004.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3628	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3628	iexplore.exe
3628	iexplore.exe
3580	IEXPLORE.EXE
3580	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 2384	968	JaffaCakes118_36f5642aed63bd489989d73594f97004.exe	82
PID 968 wrote to memory of 2384	968	JaffaCakes118_36f5642aed63bd489989d73594f97004.exe	82
PID 968 wrote to memory of 2384	968	JaffaCakes118_36f5642aed63bd489989d73594f97004.exe	82
PID 3628 wrote to memory of 3580	3628	iexplore.exe	85
PID 3628 wrote to memory of 3580	3628	iexplore.exe	85
PID 3628 wrote to memory of 3580	3628	iexplore.exe	85
PID 968 wrote to memory of 3500	968	JaffaCakes118_36f5642aed63bd489989d73594f97004.exe	87
PID 968 wrote to memory of 3500	968	JaffaCakes118_36f5642aed63bd489989d73594f97004.exe	87
PID 968 wrote to memory of 3500	968	JaffaCakes118_36f5642aed63bd489989d73594f97004.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36f5642aed63bd489989d73594f97004.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36f5642aed63bd489989d73594f97004.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer Automatic Crash Recovery
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
PID:968
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36f5642aed63bd489989d73594f97004.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36f5642aed63bd489989d73594f97004.exe startC:\Program Files (x86)\LP\2CCE\F46.exe%C:\Program Files (x86)\LP\2CCE
  2⤵
  PID:2384
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36f5642aed63bd489989d73594f97004.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36f5642aed63bd489989d73594f97004.exe startC:\Users\Admin\AppData\Roaming\ED75D\9E42C.exe%C:\Users\Admin\AppData\Roaming\ED75D
  2⤵
  PID:3500

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:1392

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3628 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

5

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ED75D\DF97.D75

Filesize
600B

MD5
185632e3fdfb701f8a6cf542014246d7

SHA1
9dc4bda4234eed71691fbad7d8bdcd1b2ac392ef

SHA256
6beae111450b45234047d9ee28a5a69831b64b34759bcf9023c23c7ebde30d39

SHA512
3e18342df605009fcaf01e758669a63c6bba105220ea9bb9888700e726d0b1f49a1735b3e4d5ed4e102e4cf35b463bf33cd2b4e44a0ab5446fc34c010fef4194

Download Submit
C:\Users\Admin\AppData\Roaming\ED75D\DF97.D75

Filesize
996B

MD5
8681e72fd2df976abb5b11771412c764

SHA1
afe04a060b5332de7f36a766004a2fce16f0428d

SHA256
a1bf4ebfb81ee1c53409dacbda0f7317a52ad722d04b09d20a1e6cb185def731

SHA512
001a8260c47273c48b53328ed6f3a231e99c21ca1b5a684f95f13b8c216c0520ebebc226b22411c418054ec1fa04651fccb9baaec919e42ba82b34655ec2ba5f

Download Submit
C:\Users\Admin\AppData\Roaming\ED75D\DF97.D75

Filesize
1KB

MD5
ca4ac737222241b9ebbb7afa7b9f3e6f

SHA1
f69547aaafbb43928639ee2ebf95ed71dafe3d14

SHA256
a5889d9ab6ba2be6804e903fcd342440f70c1aa92709f5dbe455223321f3d165

SHA512
039d06eeb3dd26cd913e587b188ba36aea8bf906ecacc69745831db5a1c9a1d1fb04082e862376c2f7bef6fce95d1ccf84252dfe0f71082db851cbcdf7ec490e

Download Submit
C:\Users\Admin\AppData\Roaming\ED75D\DF97.D75

Filesize
300B

MD5
5d73bef6f06f4144f24bc3748b6e16c1

SHA1
eedc004c67a0396e45db6e30f2d3a64f1743286b

SHA256
124408a24e130d6601631e17a739d23cdacdab43b0888f9bd74ea3ffaf64f0d0

SHA512
30d1eeed6aadfe51809e326e9b519823f10ee0c1639f921800a6639c117aa8f68dbde704f2c32d6d66318479045033ce04aad974e483314d5076f6ca41a2a3e8

Download Submit
memory/968-2-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/968-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/968-469-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/968-468-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/968-161-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/968-162-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2384-112-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2384-114-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2384-113-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3500-292-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads