cycbot | 10cdc9b9502f48acdd743f03b4855e6418ed44e9a4ac1edbd8baf4b25dac08bf

General

Target

JaffaCakes118_3e06af248ddb559b61ca1f7f71dbf970.exe
Size

176KB
MD5

3e06af248ddb559b61ca1f7f71dbf970
SHA1

a8f2084281c715166e850eac0623886092906c26
SHA256

10cdc9b9502f48acdd743f03b4855e6418ed44e9a4ac1edbd8baf4b25dac08bf
SHA512

f731354bc3279bf39873a99c1768f09c7e6cf385ad38fec309390f0c1baf5b84522e64f168e7b3d99cf47c8268698b7221d0f4129f171f5e280903972c307a47
SSDEEP

3072:HvEnze6FODTkAnV4wNTPuLiZf923XHtN2c/9ZbH4R8qh6Z8PL0X8ue:snAywFg+CXNZ/9ZbHBZ8L0XJe

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2744-6-0x0000000000400000-0x0000000000485000-memory.dmp	family_cycbot
behavioral1/memory/2744-8-0x0000000000400000-0x0000000000485000-memory.dmp	family_cycbot
behavioral1/memory/2504-15-0x0000000000400000-0x0000000000485000-memory.dmp	family_cycbot
behavioral1/memory/1648-77-0x0000000000400000-0x0000000000485000-memory.dmp	family_cycbot
behavioral1/memory/2504-78-0x0000000000400000-0x0000000000485000-memory.dmp	family_cycbot
behavioral1/memory/2504-171-0x0000000000400000-0x0000000000485000-memory.dmp	family_cycbot
behavioral1/memory/2504-204-0x0000000000400000-0x0000000000485000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_3e06af248ddb559b61ca1f7f71dbf970.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2504-2-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2744-5-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2744-6-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2744-8-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2504-15-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/1648-75-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/1648-77-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2504-78-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2504-171-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2504-204-0x0000000000400000-0x0000000000485000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3e06af248ddb559b61ca1f7f71dbf970.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3e06af248ddb559b61ca1f7f71dbf970.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3e06af248ddb559b61ca1f7f71dbf970.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2744	2504	JaffaCakes118_3e06af248ddb559b61ca1f7f71dbf970.exe	30
PID 2504 wrote to memory of 2744	2504	JaffaCakes118_3e06af248ddb559b61ca1f7f71dbf970.exe	30
PID 2504 wrote to memory of 2744	2504	JaffaCakes118_3e06af248ddb559b61ca1f7f71dbf970.exe	30
PID 2504 wrote to memory of 2744	2504	JaffaCakes118_3e06af248ddb559b61ca1f7f71dbf970.exe	30
PID 2504 wrote to memory of 1648	2504	JaffaCakes118_3e06af248ddb559b61ca1f7f71dbf970.exe	32
PID 2504 wrote to memory of 1648	2504	JaffaCakes118_3e06af248ddb559b61ca1f7f71dbf970.exe	32
PID 2504 wrote to memory of 1648	2504	JaffaCakes118_3e06af248ddb559b61ca1f7f71dbf970.exe	32
PID 2504 wrote to memory of 1648	2504	JaffaCakes118_3e06af248ddb559b61ca1f7f71dbf970.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e06af248ddb559b61ca1f7f71dbf970.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e06af248ddb559b61ca1f7f71dbf970.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e06af248ddb559b61ca1f7f71dbf970.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e06af248ddb559b61ca1f7f71dbf970.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2744
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e06af248ddb559b61ca1f7f71dbf970.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e06af248ddb559b61ca1f7f71dbf970.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4A30.FEF

Filesize
1KB

MD5
dffa258a7852cc0074e206ba8cdc2255

SHA1
ac49d88c2a091a3802e7ba7d04fd190cb12dda36

SHA256
2eeae896d98ccafa4e21e8ac0ca57bfdc55b6821be756a5e615d6d3c0bdb456d

SHA512
10402d7391283280d097575d2e588bb8c3ce53a9ebf0d0b0aab95df14529d4130110414e49e3b0933eb8d9c450943283bc0db3f4b7d33bc6b716556195923094

Download Submit
C:\Users\Admin\AppData\Roaming\4A30.FEF

Filesize
600B

MD5
f6782268183fcb967688b8ba1d10cacc

SHA1
162e8e6a46b9637924adc8041c4c53c58aa3538a

SHA256
429e9976b84f9c210334aeae23f9293be6fb45c8c2835fb742d1805ac7e7139f

SHA512
00ea1d55fc038ddf8b59903723579aaeb43efa11fbeefa0e8e9c1800d2ca44001d9a4da595b8c32b37bbbc15d2e9cfd47e84ad6796c663239b2e45b81553c8d2

Download Submit
C:\Users\Admin\AppData\Roaming\4A30.FEF

Filesize
996B

MD5
a1dd6fc54b397cf52cf9a758b3ef6c44

SHA1
d07628aeaa35860a082226eae3f14107ba3cfd33

SHA256
7bd1890037c4bd916ea36969b3ae81a1b0202b3c1284aec14203648d699323e2

SHA512
f1d412dd82d7cd536439d93e72fce471e16e283a22a64ea6c27bd08e2d1e35ef45e2675053b08bdee4bd4764d945d532284d6e04bd83cbf06b7af12378977930

Download Submit
memory/1648-77-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1648-75-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2504-78-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2504-15-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2504-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2504-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2504-171-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2504-204-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2744-8-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2744-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2744-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads