cycbot | 7c46c16981a05b5c13e6ca25ca97536b7a1c587cff7b33e558d7315af4756411

General

Target

JaffaCakes118_44a4faacbcbdc4cd5246af1085d5b323.exe
Size

165KB
MD5

44a4faacbcbdc4cd5246af1085d5b323
SHA1

12222e8c2145f4b360267e480c22c68b7b714c82
SHA256

7c46c16981a05b5c13e6ca25ca97536b7a1c587cff7b33e558d7315af4756411
SHA512

07e384b5ce81f1b9ed443578393cf0e227cb7411b340aae8a33a25d5493cba3e35150b57175dd9effa3d8fa081c282fc83cc96ad561efa579aaa7606b665e42c
SSDEEP

3072:hMMbRiYd8r+FnuJ2PaCZwXPlbPXHVO2oBvQ6xNDCnz1dShLeA184Uum9xVp:hzb0YdE3Ehih1PoBI6HDw11A184UTxV

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2228-16-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2424-17-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/2424-18-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/324-133-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2424-134-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2424-272-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\4770C\\222BB.exe"	JaffaCakes118_44a4faacbcbdc4cd5246af1085d5b323.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2424-3-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2228-16-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2228-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2424-17-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2424-18-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/324-132-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/324-133-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2424-134-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2424-272-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_44a4faacbcbdc4cd5246af1085d5b323.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_44a4faacbcbdc4cd5246af1085d5b323.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_44a4faacbcbdc4cd5246af1085d5b323.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2228	2424	JaffaCakes118_44a4faacbcbdc4cd5246af1085d5b323.exe	28
PID 2424 wrote to memory of 2228	2424	JaffaCakes118_44a4faacbcbdc4cd5246af1085d5b323.exe	28
PID 2424 wrote to memory of 2228	2424	JaffaCakes118_44a4faacbcbdc4cd5246af1085d5b323.exe	28
PID 2424 wrote to memory of 2228	2424	JaffaCakes118_44a4faacbcbdc4cd5246af1085d5b323.exe	28
PID 2424 wrote to memory of 324	2424	JaffaCakes118_44a4faacbcbdc4cd5246af1085d5b323.exe	30
PID 2424 wrote to memory of 324	2424	JaffaCakes118_44a4faacbcbdc4cd5246af1085d5b323.exe	30
PID 2424 wrote to memory of 324	2424	JaffaCakes118_44a4faacbcbdc4cd5246af1085d5b323.exe	30
PID 2424 wrote to memory of 324	2424	JaffaCakes118_44a4faacbcbdc4cd5246af1085d5b323.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44a4faacbcbdc4cd5246af1085d5b323.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44a4faacbcbdc4cd5246af1085d5b323.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44a4faacbcbdc4cd5246af1085d5b323.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44a4faacbcbdc4cd5246af1085d5b323.exe startC:\Program Files (x86)\LP\BBA4\ADB.exe%C:\Program Files (x86)\LP\BBA4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2228
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44a4faacbcbdc4cd5246af1085d5b323.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44a4faacbcbdc4cd5246af1085d5b323.exe startC:\Program Files (x86)\0C67E\lvvm.exe%C:\Program Files (x86)\0C67E
  2⤵
  - System Location Discovery: System Language Discovery
  PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4770C\C67E.770

Filesize
996B

MD5
0247d038bef126ad1367708179e80478

SHA1
27a73feadfc5bd9f23d13580bd7676ac07b44ed9

SHA256
f64fcabcbd5a56dd72f202ac9b6947555bfebafe3fe620d562c053dff1d9c9b1

SHA512
fd441f982a37fcfce516485e29311cc349278566e9f8c52b0b5fd8d3a99f4c0cf831e9f0876725ee5b996ea4e06823e29ab97fac0537b7c9977751173d1ef459

Download Submit
C:\Users\Admin\AppData\Roaming\4770C\C67E.770

Filesize
600B

MD5
c6c65196f1f293124f577c652640c660

SHA1
f8145c4c7383a767bdfba54948d930e12c3e6226

SHA256
88890df06bd4e705477883b4a3d6116f1d899b54d95454ec70ea29368a66b585

SHA512
289bf14447de8a3c25e2396ac3cb89e9670e4fb75681e96d84c682161a341a027cb3a7b3619370e7576891390e66d3b3b65c080a26d4b0334146eb1f15757b0f

Download Submit
C:\Users\Admin\AppData\Roaming\4770C\C67E.770

Filesize
1KB

MD5
0104265447ac285af48b594551cd481c

SHA1
a3d90ffb0d57a738a00d8a38bf43eb6fc64a6468

SHA256
98d07389bdd10fad4eea222270e02d79b74f8bd4f54d68723144d93f83b0915f

SHA512
84be1cb837450bcc6c1acee82db5d2e60c082869b5b8861c0c35305ef4ec159dea5812df9ef48383121f7c575fedbce139d9a40559be98844e12f31f97cff2d3

Download Submit
memory/324-133-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/324-132-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2228-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2228-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2424-18-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2424-17-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2424-0-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2424-134-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2424-3-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2424-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2424-272-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads