cycbot | 8850b727f8482bbf8a4b5fbfb7e79df6c66836365fa86c49f3ee2f6a0f6306a2

General

Target

JaffaCakes118_69e4502eecbc587f03a0af483fc5c4e9.exe
Size

165KB
MD5

69e4502eecbc587f03a0af483fc5c4e9
SHA1

1ed044044987a6e41c4494b81317aad5ab1717ef
SHA256

8850b727f8482bbf8a4b5fbfb7e79df6c66836365fa86c49f3ee2f6a0f6306a2
SHA512

be93584c5b4ddafdb44096c935b017d9085d954c7cc72c2669e301e2dd88e5be73e41892ed10f1de138f1720a4862ceeb33b381afd8f697e0f391d188d145ffd
SSDEEP

3072:26wzTbiNJa0QyDNKKRh9IXAoStBYAeTCRKnOs4E55FmGxSGf2V+:CzKN00QfOtHKIvElmKfq+

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2120-17-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2512-18-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2512-19-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/1340-141-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2512-143-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2512-317-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\2B635\\1F41D.exe"	JaffaCakes118_69e4502eecbc587f03a0af483fc5c4e9.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2512-3-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2120-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2120-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2120-17-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2512-18-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2512-19-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/1340-141-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1340-142-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2512-143-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2512-317-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_69e4502eecbc587f03a0af483fc5c4e9.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2120	2512	JaffaCakes118_69e4502eecbc587f03a0af483fc5c4e9.exe	30
PID 2512 wrote to memory of 2120	2512	JaffaCakes118_69e4502eecbc587f03a0af483fc5c4e9.exe	30
PID 2512 wrote to memory of 2120	2512	JaffaCakes118_69e4502eecbc587f03a0af483fc5c4e9.exe	30
PID 2512 wrote to memory of 2120	2512	JaffaCakes118_69e4502eecbc587f03a0af483fc5c4e9.exe	30
PID 2512 wrote to memory of 1340	2512	JaffaCakes118_69e4502eecbc587f03a0af483fc5c4e9.exe	33
PID 2512 wrote to memory of 1340	2512	JaffaCakes118_69e4502eecbc587f03a0af483fc5c4e9.exe	33
PID 2512 wrote to memory of 1340	2512	JaffaCakes118_69e4502eecbc587f03a0af483fc5c4e9.exe	33
PID 2512 wrote to memory of 1340	2512	JaffaCakes118_69e4502eecbc587f03a0af483fc5c4e9.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69e4502eecbc587f03a0af483fc5c4e9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69e4502eecbc587f03a0af483fc5c4e9.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69e4502eecbc587f03a0af483fc5c4e9.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69e4502eecbc587f03a0af483fc5c4e9.exe startC:\Program Files (x86)\LP\1DB2\A42.exe%C:\Program Files (x86)\LP\1DB2
  2⤵
  PID:2120
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69e4502eecbc587f03a0af483fc5c4e9.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69e4502eecbc587f03a0af483fc5c4e9.exe startC:\Program Files (x86)\3534F\lvvm.exe%C:\Program Files (x86)\3534F
  2⤵
  PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2B635\534F.B63

Filesize
996B

MD5
1fd623492b8203c98ea580760fd351f9

SHA1
d3fa8358a2cb8b43ab542a12c310b86c6b75a395

SHA256
23afe7c8eed0fec2da4a6671e469d9eeb16d7485b296b26447f094cf0a9db10f

SHA512
dd727fc94c1712f6d2c5ab8a4899fe503b36d8bbbb410db2147f46952433d188139561e6238d8d77958a37e4e8571a25b2984fbd0646aceaf30c084770314cf2

Download Submit
C:\Users\Admin\AppData\Roaming\2B635\534F.B63

Filesize
600B

MD5
87cfafb675db816c09f65bd00686637c

SHA1
0c75be40efacb3f59e32c9ea908a9451f34300f8

SHA256
32c359738bac1b160bc0f5be5a3ab01d7475c52f17892d13015757343cb01390

SHA512
48e9eceed52ce1bbb6112ac9b2175baaf332cf6455f2dfc010204a494cf1465942661a0e2ec09069b43d901371d8fdabb60845f094c52b7d9252ea2a1c079d06

Download Submit
C:\Users\Admin\AppData\Roaming\2B635\534F.B63

Filesize
1KB

MD5
0dc05f42d7030881487d75001090cd76

SHA1
1b08f021412e0f318341f40a9ef059a4bc2c13fa

SHA256
546911ca7aba416431b3ffa4974256bddf2ca362d36677b1cdb095ee2c20d6db

SHA512
b64126dc30832039f7ff86078fac1c2696cce909e4afb8c0962743e4715bcabae81633f42dc577f97f82e4a6921820a80aba62b65b33b4d30498cd3f64b1b1f9

Download Submit
C:\Users\Admin\AppData\Roaming\2B635\534F.B63

Filesize
1KB

MD5
e10decbc6ab60d74898078b25966ecdf

SHA1
a904c3c2088c69fa587d7feabda47de983cd0cd6

SHA256
dc5eedaaaff453682e35256c698942383955a1b745613020649f91ce801ab8a0

SHA512
1858d88d474420a66b5b41caf642f6cd4e09d20e5484f8dfd3649600ce872b1d2fbcbdf3259c635dddd026b3e91770005b3e0c87c91710515a41654450c04aae

Download Submit
memory/1340-141-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1340-142-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2120-17-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2120-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2120-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2512-3-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2512-18-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2512-19-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2512-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2512-143-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2512-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2512-317-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads