cycbot | 600318101dd03ac2e5bc7849966ad6db1173cc729269e3e787f9891e292f878f

General

Target

JaffaCakes118_48b47d2a8c639a43bcd5a8d59354a3bb.exe
Size

178KB
MD5

48b47d2a8c639a43bcd5a8d59354a3bb
SHA1

ac982fa715c0c0413232c8bb9528e1e2cc023fb1
SHA256

600318101dd03ac2e5bc7849966ad6db1173cc729269e3e787f9891e292f878f
SHA512

caeba0d4c710f9cee18403a938d79fc5f7bc6b0be0bf9155fe27149c8de1424eb505cadf0d01d1b8f5a3d2857f7cc4f47a0cceb655343b290b3ed2e244809422
SSDEEP

3072:PVOac/87f+NybvE0w1iCnN80uAzcaB08V8ek/XJenvsu+tRFutNMG6t72mhrscJ:P77foMEVZNGAzcaBd6x1tRFyNA20scJ

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1748-15-0x0000000000400000-0x000000000046F000-memory.dmp	family_cycbot
behavioral1/memory/3012-16-0x0000000000400000-0x000000000046F000-memory.dmp	family_cycbot
behavioral1/memory/3012-75-0x0000000000400000-0x000000000046F000-memory.dmp	family_cycbot
behavioral1/memory/1752-79-0x0000000000400000-0x000000000046F000-memory.dmp	family_cycbot
behavioral1/memory/3012-186-0x0000000000400000-0x000000000046F000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_48b47d2a8c639a43bcd5a8d59354a3bb.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3012-2-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/1748-15-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/1748-14-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/3012-16-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/3012-75-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/1752-77-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/1752-79-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/3012-186-0x0000000000400000-0x000000000046F000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_48b47d2a8c639a43bcd5a8d59354a3bb.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 1748	3012	JaffaCakes118_48b47d2a8c639a43bcd5a8d59354a3bb.exe	30
PID 3012 wrote to memory of 1748	3012	JaffaCakes118_48b47d2a8c639a43bcd5a8d59354a3bb.exe	30
PID 3012 wrote to memory of 1748	3012	JaffaCakes118_48b47d2a8c639a43bcd5a8d59354a3bb.exe	30
PID 3012 wrote to memory of 1748	3012	JaffaCakes118_48b47d2a8c639a43bcd5a8d59354a3bb.exe	30
PID 3012 wrote to memory of 1752	3012	JaffaCakes118_48b47d2a8c639a43bcd5a8d59354a3bb.exe	32
PID 3012 wrote to memory of 1752	3012	JaffaCakes118_48b47d2a8c639a43bcd5a8d59354a3bb.exe	32
PID 3012 wrote to memory of 1752	3012	JaffaCakes118_48b47d2a8c639a43bcd5a8d59354a3bb.exe	32
PID 3012 wrote to memory of 1752	3012	JaffaCakes118_48b47d2a8c639a43bcd5a8d59354a3bb.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48b47d2a8c639a43bcd5a8d59354a3bb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48b47d2a8c639a43bcd5a8d59354a3bb.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48b47d2a8c639a43bcd5a8d59354a3bb.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48b47d2a8c639a43bcd5a8d59354a3bb.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:1748
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48b47d2a8c639a43bcd5a8d59354a3bb.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48b47d2a8c639a43bcd5a8d59354a3bb.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\669C.0B2

Filesize
1KB

MD5
b03486a2ba0c80e40080b02c1e5ca0df

SHA1
4043e3e8e6742c6398e337e0f36ed037218f2eff

SHA256
c86aeffce98b15e165eca1e88f506370c6a14107a3be8b2f0304c7d1bbe743e8

SHA512
8f7ccf80f25d5c1a782527b50a740278634ab8a7dede60a03b491eecad8306526962e2be556a24636de96f318eb17b23d7b7f268b2b0f7367c56fed276756a07

Download Submit
C:\Users\Admin\AppData\Roaming\669C.0B2

Filesize
600B

MD5
66f8279c6ee3753cf0333e3a071eab33

SHA1
6927513e9d7f23ac79cbf5f9e950b1050d82bea3

SHA256
493531aef2d111fd6108c7baf602aa98459d84bbf0e253c98b8d5b6cdc707233

SHA512
40e7353d7fbd4c47485d4625d45fcf841269a8c81bebd9a18db1de8ec6b9cfa44b2777a27c0b27da411f6bbf7b5a9d2a614b9ec2eb00da4a8b9f565b8fc2bd5c

Download Submit
C:\Users\Admin\AppData\Roaming\669C.0B2

Filesize
996B

MD5
8281c92b668ab204748bb00a39d2144f

SHA1
d0f564b849a0d5ee400b9de482f95ac89ee9e076

SHA256
6115259904b29dc718288873355c6d9154672985c5ad11e6d01cccdf5e11bf5a

SHA512
452ca4a8968aea56dfe3ad348a17114ea44a46b5e7405821816a6e59857205f6e38f4fb095ca04fbe2b80a290c0965db1805125bf2afb766864f465d32ee2048

Download Submit
memory/1748-15-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1748-14-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1748-12-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1752-77-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1752-79-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3012-16-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3012-1-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3012-75-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3012-2-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3012-186-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads