cycbot | 3e00a59f3c489f8f0030f312edec6c7324158227b55c0ab23a37d3515e6eb861

General

Target

JaffaCakes118_5dc07529222fbbaa09b22ca5686992d9.exe
Size

167KB
MD5

5dc07529222fbbaa09b22ca5686992d9
SHA1

55f444cc846d3dec13606b5efd75684127388e52
SHA256

3e00a59f3c489f8f0030f312edec6c7324158227b55c0ab23a37d3515e6eb861
SHA512

5fb6f6497c06fa45f17cf4dcff392d0986798b721a86c298668b32aceebe3eccbb09f3da83a038eeaae38862ed4605d1d56ff62d38890139aee1c14f7d2e1f9e
SSDEEP

3072:WT3agtQ2WNRHFggFgpRvTGQXb85vjX95URu1lWtvfdAZlQXuW0H:WrWPRSp9XbCjX95URLvlAZlQXuW

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2088-14-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2088-13-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2900-15-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2900-16-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2900-77-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2956-81-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2900-178-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\EFC63\\D97D0.exe"	JaffaCakes118_5dc07529222fbbaa09b22ca5686992d9.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2900-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2088-12-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2088-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2088-13-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2900-15-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2900-16-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2900-77-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2956-80-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2956-81-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2900-178-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5dc07529222fbbaa09b22ca5686992d9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5dc07529222fbbaa09b22ca5686992d9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5dc07529222fbbaa09b22ca5686992d9.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2088	2900	JaffaCakes118_5dc07529222fbbaa09b22ca5686992d9.exe	28
PID 2900 wrote to memory of 2088	2900	JaffaCakes118_5dc07529222fbbaa09b22ca5686992d9.exe	28
PID 2900 wrote to memory of 2088	2900	JaffaCakes118_5dc07529222fbbaa09b22ca5686992d9.exe	28
PID 2900 wrote to memory of 2088	2900	JaffaCakes118_5dc07529222fbbaa09b22ca5686992d9.exe	28
PID 2900 wrote to memory of 2956	2900	JaffaCakes118_5dc07529222fbbaa09b22ca5686992d9.exe	30
PID 2900 wrote to memory of 2956	2900	JaffaCakes118_5dc07529222fbbaa09b22ca5686992d9.exe	30
PID 2900 wrote to memory of 2956	2900	JaffaCakes118_5dc07529222fbbaa09b22ca5686992d9.exe	30
PID 2900 wrote to memory of 2956	2900	JaffaCakes118_5dc07529222fbbaa09b22ca5686992d9.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5dc07529222fbbaa09b22ca5686992d9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5dc07529222fbbaa09b22ca5686992d9.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5dc07529222fbbaa09b22ca5686992d9.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5dc07529222fbbaa09b22ca5686992d9.exe startC:\Program Files (x86)\LP\D05E\18D.exe%C:\Program Files (x86)\LP\D05E
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2088
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5dc07529222fbbaa09b22ca5686992d9.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5dc07529222fbbaa09b22ca5686992d9.exe startC:\Program Files (x86)\63023\lvvm.exe%C:\Program Files (x86)\63023
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\EFC63\3023.FC6

Filesize
1KB

MD5
a2bfc41a4849df0ce09730e23e0524e6

SHA1
b5cceee5b9ce9b31a967070793ac0a4e9517d11a

SHA256
19d6008e70524e7e743321858528ab98df17d1bd0b0110aea115166fd05dc507

SHA512
d00c3dbf7feedfe8fb3ff1ba346a4bfcdd2c2ad506e922a96939d0e2429e71284b2a4cd9034894bea6908b44d97861b202a9605afd924514f0e8dcc43a39d6e9

Download Submit
C:\Users\Admin\AppData\Roaming\EFC63\3023.FC6

Filesize
600B

MD5
db5e9e3f8136812e1c96de61a5da7416

SHA1
3af590d3d1005406996d7f2f8264ceb24f1642bc

SHA256
9b170e172dffeb9232ac27a8a889700259ca1a2ba23eb63afde1aa3e18dbf9a7

SHA512
e5d29c79133f28b3ae677a9a0484f20b8f687dc5514505342460f3143d55397d540dfeb2be9fd1f7f5f9a3891be83fb843e001b33fd9ce2a1a8dbc62f0b75145

Download Submit
C:\Users\Admin\AppData\Roaming\EFC63\3023.FC6

Filesize
996B

MD5
e7f70a370794a6285d77c30dc199aa9b

SHA1
48459ce556b277fdd16934245e86c20bb5d4f40f

SHA256
717c4c93da189b92e55da056d246bcef68c006e50f3a14c323c7d5e303f4f24e

SHA512
d66f792c9f579d8d5e03a2941ef4f52d41bb731bf1dcfd484893b6c564df4a8038c639d9377dd3131b4b6ab5742bf94e7a7ceaf927f461bbf419663077134e57

Download Submit
memory/2088-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2088-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2088-13-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2900-16-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2900-1-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2900-77-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2900-15-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2900-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2900-178-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2956-80-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2956-79-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2956-81-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads