cycbot | 0c254a5df3a474d7ff36de9220565bd3605dc4e4d9dd179926aebc52aab238ef

General

Target

JaffaCakes118_502c929aa329a43618e5487d4d3254ff.exe
Size

171KB
MD5

502c929aa329a43618e5487d4d3254ff
SHA1

0b0de715af30242478d9e295151c674a9d508bbe
SHA256

0c254a5df3a474d7ff36de9220565bd3605dc4e4d9dd179926aebc52aab238ef
SHA512

dfbe68bbcb69931c5f8a0edddd3078cfd751f3bf53e3983f7d9b0fbca0b453db7c992daba0e115bd6830378b6e241b56f7e047fcdf6b38979a2724f42b55a732
SSDEEP

3072:pgRhPXq8b/aW2S7AxN9jt2qidhoFgug7S57a5XeOl8Zjx6lyf1chWj23U:pf8b/aFS7e9jtydhoFgug755XFuZV6ll

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2768-9-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2252-20-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2252-84-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2100-87-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2252-190-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_502c929aa329a43618e5487d4d3254ff.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2252-1-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2768-9-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2768-7-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2252-20-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2252-84-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2100-86-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2100-87-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2252-190-0x0000000000400000-0x000000000046A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_502c929aa329a43618e5487d4d3254ff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_502c929aa329a43618e5487d4d3254ff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_502c929aa329a43618e5487d4d3254ff.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2768	2252	JaffaCakes118_502c929aa329a43618e5487d4d3254ff.exe	30
PID 2252 wrote to memory of 2768	2252	JaffaCakes118_502c929aa329a43618e5487d4d3254ff.exe	30
PID 2252 wrote to memory of 2768	2252	JaffaCakes118_502c929aa329a43618e5487d4d3254ff.exe	30
PID 2252 wrote to memory of 2768	2252	JaffaCakes118_502c929aa329a43618e5487d4d3254ff.exe	30
PID 2252 wrote to memory of 2100	2252	JaffaCakes118_502c929aa329a43618e5487d4d3254ff.exe	32
PID 2252 wrote to memory of 2100	2252	JaffaCakes118_502c929aa329a43618e5487d4d3254ff.exe	32
PID 2252 wrote to memory of 2100	2252	JaffaCakes118_502c929aa329a43618e5487d4d3254ff.exe	32
PID 2252 wrote to memory of 2100	2252	JaffaCakes118_502c929aa329a43618e5487d4d3254ff.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_502c929aa329a43618e5487d4d3254ff.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_502c929aa329a43618e5487d4d3254ff.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_502c929aa329a43618e5487d4d3254ff.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_502c929aa329a43618e5487d4d3254ff.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2768
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_502c929aa329a43618e5487d4d3254ff.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_502c929aa329a43618e5487d4d3254ff.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E9C9.C33

Filesize
597B

MD5
5cbb1db1e7cb0686a2d36dd7a91c1514

SHA1
414576a66f766d7b23b9962261ee52e4f38846fe

SHA256
fce30b4b36bb3219eb08e67751fc71e23ed3f3bec12adde1b0cfbcc82c38d17e

SHA512
da524ea2f9b8c78f3f218b76606957c7d78c1dad56dd9ebb7d38b47586938b948938317d5ea611109ba7a75f9ec56ba92e0d76b97a6e9ddef3b3a4f3cd6dc7f7

Download Submit
C:\Users\Admin\AppData\Roaming\E9C9.C33

Filesize
1KB

MD5
d8f9479e0865ec1fa986d4230785f44b

SHA1
6a29974031ec5ee8320a407ae90ff2b1a945f44d

SHA256
1df4fb4a06c24f8ea2d805da2d432b073afcd1b5641ef5fad8dcf201c6625585

SHA512
349567c25d1414e0d4769538dacb830e55033f9d8f3f04a5015558caf8dbf5bb5afc0835d6890f54d31789207616049478d32a66d9309c4c68372d9d958e2e6d

Download Submit
C:\Users\Admin\AppData\Roaming\E9C9.C33

Filesize
897B

MD5
7dc615a3508e7ee7b1d7bd7507897ab7

SHA1
12e6a22629d9ba2033772395b152c14adc81a66f

SHA256
9b2c1d8efd178c51b702772ae7667bfcabb3711d18cfdf1c865e4ce1df42f7f8

SHA512
a3c219ced3d686de41692801e6fefb273186fb17d4500e4338fa3da8721555538d4b585cdcfb32ca43ec0f0f39e73febdf3f386b570c609c12253bf8ee362f8f

Download Submit
C:\Users\Admin\AppData\Roaming\E9C9.C33

Filesize
1KB

MD5
91089ba7beafd91dbac21cd00f693b6b

SHA1
4a15e79041739110230821bc5abb516b4614ab05

SHA256
a33ee8453455d9abb45860f51f34bb61de58043dfa435c0b0a4a708d13e66b06

SHA512
b0f73c75b487b67e33cc5442d6af94aa36126714ab972d907467c1c960af71ad97802d1329babaeea35f638c91a0f90532acce47d2c92d4a3caf131b8a4d74f4

Download Submit
memory/2100-87-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2100-86-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2252-20-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2252-84-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2252-1-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2252-190-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2768-7-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2768-9-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2768-6-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads