cycbot | a88b4f4a12e3f45fd4b1962f8728d01f9d3545c3a50a222aa65414c537fd4c02

General

Target

JaffaCakes118_6cea710c094d4c67a99dc1e384bc08ca.exe
Size

200KB
MD5

6cea710c094d4c67a99dc1e384bc08ca
SHA1

3b5062bf6a692a95f467d7f2be88df65074edfa6
SHA256

a88b4f4a12e3f45fd4b1962f8728d01f9d3545c3a50a222aa65414c537fd4c02
SHA512

4766a2cd0863b0ca3d91bfc7ed1bc7a7f4b7bf59d572004aa3164dd4545d2dfd70738ab5c2c1f49af26ee18c88ebd7d97bdae6ebd4ed33f052bd41f57dacdc20
SSDEEP

6144:C1mobZDoArfYgvnBB1SS1UxSgXcoFA12:CCsYEnBBx4co9

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1272-8-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2104-16-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2388-87-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2104-88-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2104-189-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_6cea710c094d4c67a99dc1e384bc08ca.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2104-2-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/1272-5-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/1272-6-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/1272-8-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2104-16-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2388-87-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2104-88-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2104-189-0x0000000000400000-0x000000000048D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6cea710c094d4c67a99dc1e384bc08ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6cea710c094d4c67a99dc1e384bc08ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6cea710c094d4c67a99dc1e384bc08ca.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 1272	2104	JaffaCakes118_6cea710c094d4c67a99dc1e384bc08ca.exe	30
PID 2104 wrote to memory of 1272	2104	JaffaCakes118_6cea710c094d4c67a99dc1e384bc08ca.exe	30
PID 2104 wrote to memory of 1272	2104	JaffaCakes118_6cea710c094d4c67a99dc1e384bc08ca.exe	30
PID 2104 wrote to memory of 1272	2104	JaffaCakes118_6cea710c094d4c67a99dc1e384bc08ca.exe	30
PID 2104 wrote to memory of 2388	2104	JaffaCakes118_6cea710c094d4c67a99dc1e384bc08ca.exe	32
PID 2104 wrote to memory of 2388	2104	JaffaCakes118_6cea710c094d4c67a99dc1e384bc08ca.exe	32
PID 2104 wrote to memory of 2388	2104	JaffaCakes118_6cea710c094d4c67a99dc1e384bc08ca.exe	32
PID 2104 wrote to memory of 2388	2104	JaffaCakes118_6cea710c094d4c67a99dc1e384bc08ca.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cea710c094d4c67a99dc1e384bc08ca.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cea710c094d4c67a99dc1e384bc08ca.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cea710c094d4c67a99dc1e384bc08ca.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cea710c094d4c67a99dc1e384bc08ca.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1272
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cea710c094d4c67a99dc1e384bc08ca.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cea710c094d4c67a99dc1e384bc08ca.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FCDE.EEC

Filesize
600B

MD5
9d4b556a068b21a6e62889fc7c5c83ec

SHA1
dfd9938dbd1c84c13f29dacc38da429760ddb932

SHA256
68a35e5f41351f89e64cb707a90bbc948e2815fc344170c1b4320c591c2c3267

SHA512
ba792c5282490dcb3542fd56b03c861f54e8864034302b7ab8e8b1a8e0767b1703b614c3c70c300daa495288345b79612729476f3484cbdbdff710a4dcec2e01

Download Submit
C:\Users\Admin\AppData\Roaming\FCDE.EEC

Filesize
1KB

MD5
8d5b9b74f29a3824491fd70999046491

SHA1
ba4568d78a12ab3eaf5ce394cf6844a391102d4d

SHA256
a22e7b45eff74f0a1536a3eb821d195c419e14835dd9d815275d3e032a9fb7bc

SHA512
7333287b9f577cb6e9f74a8e347beb5cfc2fd29896fb5fd5f7f54af4135c110be7f68d43eb784d624205cd4468eef9b8eb5de1944c6a111741efaef8d6bba718

Download Submit
C:\Users\Admin\AppData\Roaming\FCDE.EEC

Filesize
996B

MD5
38c583dc0398a78e3618822c04461728

SHA1
36c9b5151a787f6ed1685372b33243238ec36d0e

SHA256
32961930d73cf5bf21d05e87e5b805de7d78412ed05fb1bd81bacbd9cef3cd76

SHA512
e2255c628cd0c19a728559f6c84817fe38223420aa7a262c2f87689ac8317a02b19c30eb3a7d1b0eab9268735541d2aa9e2bb5580222db068732c9030888d3d2

Download Submit
memory/1272-5-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1272-6-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1272-8-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2104-16-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2104-1-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2104-88-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2104-2-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2104-189-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2388-85-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2388-87-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2388-153-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads