cycbot | 97e8f18076c4df6f5511015d7e6446b432d6fd3fa450d610a8ded518ebcd8a1a

General

Target

JaffaCakes118_3ace59e1019ae966e3d7e0b73ac2c8c3.exe
Size

165KB
MD5

3ace59e1019ae966e3d7e0b73ac2c8c3
SHA1

c7b87c0b515cd674aee691adbb00649cabe160d0
SHA256

97e8f18076c4df6f5511015d7e6446b432d6fd3fa450d610a8ded518ebcd8a1a
SHA512

4e06698fc314d1f9f14d3a01cf54a0839f9591024e721ede7f5be8dbe86c9c6f9b20b7cbcc7229a3e8e7a1989004a119d2484f1798d16ddac591dfc92640ebfd
SSDEEP

3072:UUggWvei+S23U56YAdTrs9iZAR/NUgiwtavxoqrVf1yZuS5uZVLq:UUPUedSueAdTKCAR/N/Oxn9kZuS5uz

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2796-15-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2736-16-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/2736-17-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/1968-132-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2736-133-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2736-233-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\CCB4F\\85DB3.exe"	JaffaCakes118_3ace59e1019ae966e3d7e0b73ac2c8c3.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2736-3-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2796-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2796-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2736-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2736-17-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1968-131-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1968-132-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2736-133-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2736-233-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3ace59e1019ae966e3d7e0b73ac2c8c3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3ace59e1019ae966e3d7e0b73ac2c8c3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3ace59e1019ae966e3d7e0b73ac2c8c3.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2796	2736	JaffaCakes118_3ace59e1019ae966e3d7e0b73ac2c8c3.exe	30
PID 2736 wrote to memory of 2796	2736	JaffaCakes118_3ace59e1019ae966e3d7e0b73ac2c8c3.exe	30
PID 2736 wrote to memory of 2796	2736	JaffaCakes118_3ace59e1019ae966e3d7e0b73ac2c8c3.exe	30
PID 2736 wrote to memory of 2796	2736	JaffaCakes118_3ace59e1019ae966e3d7e0b73ac2c8c3.exe	30
PID 2736 wrote to memory of 1968	2736	JaffaCakes118_3ace59e1019ae966e3d7e0b73ac2c8c3.exe	32
PID 2736 wrote to memory of 1968	2736	JaffaCakes118_3ace59e1019ae966e3d7e0b73ac2c8c3.exe	32
PID 2736 wrote to memory of 1968	2736	JaffaCakes118_3ace59e1019ae966e3d7e0b73ac2c8c3.exe	32
PID 2736 wrote to memory of 1968	2736	JaffaCakes118_3ace59e1019ae966e3d7e0b73ac2c8c3.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3ace59e1019ae966e3d7e0b73ac2c8c3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3ace59e1019ae966e3d7e0b73ac2c8c3.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3ace59e1019ae966e3d7e0b73ac2c8c3.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3ace59e1019ae966e3d7e0b73ac2c8c3.exe startC:\Program Files (x86)\LP\B3EC\5C1.exe%C:\Program Files (x86)\LP\B3EC
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3ace59e1019ae966e3d7e0b73ac2c8c3.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3ace59e1019ae966e3d7e0b73ac2c8c3.exe startC:\Program Files (x86)\4FAFB\lvvm.exe%C:\Program Files (x86)\4FAFB
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\CCB4F\FAFB.CB4

Filesize
996B

MD5
0defba8ccdd2b35b5ef6fa0d03e2cdb5

SHA1
5a93af1c2ec3e276bcf5a66b85bbccad8838dcbf

SHA256
954c96161a2e1160b6d444c904ea5ae536254ed4f9aac54ca14ecd1b0a1ddcef

SHA512
283aadfbf26de2705ec3cfd31aff176b5017a09d9bc9d62e2cc02474bfd6b8d98a3984f635e8527073b920559a394255e5681abd24569d75c678086c194ed984

Download Submit
C:\Users\Admin\AppData\Roaming\CCB4F\FAFB.CB4

Filesize
600B

MD5
1f3530ce9db2df0b33f81bc618e5fb06

SHA1
ab24e21c2915b3425fb2d3f7b1bb5c713460885c

SHA256
45850a7f548acd43932430428416204fe32a44a1da8f8e1992bb7935fa3ea491

SHA512
327b3cb338674722f3c27bdd14b790a61000e2886308672d81e53a3e2aedeaf98950d86256e1b03875df9110cb12b4d2534c932a6282ffbf65ae44b71c229ac6

Download Submit
C:\Users\Admin\AppData\Roaming\CCB4F\FAFB.CB4

Filesize
1KB

MD5
efca1ece7c8e817b86cfa86b7511ac3c

SHA1
8343b1b21525168e57d5d4b5d0c1889eb96c98a3

SHA256
7af701d15ce87ae2b5782a5798bd1368eebb0b1205a1151a761b4b87f77ad779

SHA512
6ee6149fedd2060f26d63e35400069c666076b9232d6acf2ed10364e67c717d957b8ebb8f0b45bcb9dbfa263439ffe6499a57ea1d63711b6230a8c2416aebadc

Download Submit
memory/1968-132-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1968-131-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2736-17-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2736-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2736-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2736-133-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2736-3-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2736-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2736-233-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2796-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2796-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads