cycbot | cd9c992440a77d5744ad385f4cc90b2163b3f61ca404bdf78344204ca39b6be8

General

Target

JaffaCakes118_93e99f83ba53b9891331439fd45eba2a.exe
Size

174KB
MD5

93e99f83ba53b9891331439fd45eba2a
SHA1

46419605c574518f7dcfe308965294204ce139e4
SHA256

cd9c992440a77d5744ad385f4cc90b2163b3f61ca404bdf78344204ca39b6be8
SHA512

989155ccc0831003866e9e1a36a2db85a84fb0dd65f7c6e6f1157cb5eeeb9fb5d937593d497a4b6edd65ef29f2735496f684cb9219995dd7724251c12fc80c46
SSDEEP

3072:yZvrhTo/4qZLpj4/+okzfGhbHbyNBWom11VR9M3pR9SF3qtHNYCro8H5P7liE:XT4/yzOhbuNBfc15MUFatqf8H5hiE

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2112-8-0x0000000000400000-0x0000000000483000-memory.dmp	family_cycbot
behavioral1/memory/1124-15-0x0000000000400000-0x0000000000483000-memory.dmp	family_cycbot
behavioral1/memory/2448-86-0x0000000000400000-0x0000000000483000-memory.dmp	family_cycbot
behavioral1/memory/1124-87-0x0000000000400000-0x0000000000483000-memory.dmp	family_cycbot
behavioral1/memory/1124-188-0x0000000000400000-0x0000000000483000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_93e99f83ba53b9891331439fd45eba2a.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1124-2-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/2112-5-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/2112-8-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/2112-6-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/1124-15-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/2448-86-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/1124-87-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/1124-188-0x0000000000400000-0x0000000000483000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_93e99f83ba53b9891331439fd45eba2a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_93e99f83ba53b9891331439fd45eba2a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_93e99f83ba53b9891331439fd45eba2a.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 2112	1124	JaffaCakes118_93e99f83ba53b9891331439fd45eba2a.exe	30
PID 1124 wrote to memory of 2112	1124	JaffaCakes118_93e99f83ba53b9891331439fd45eba2a.exe	30
PID 1124 wrote to memory of 2112	1124	JaffaCakes118_93e99f83ba53b9891331439fd45eba2a.exe	30
PID 1124 wrote to memory of 2112	1124	JaffaCakes118_93e99f83ba53b9891331439fd45eba2a.exe	30
PID 1124 wrote to memory of 2448	1124	JaffaCakes118_93e99f83ba53b9891331439fd45eba2a.exe	33
PID 1124 wrote to memory of 2448	1124	JaffaCakes118_93e99f83ba53b9891331439fd45eba2a.exe	33
PID 1124 wrote to memory of 2448	1124	JaffaCakes118_93e99f83ba53b9891331439fd45eba2a.exe	33
PID 1124 wrote to memory of 2448	1124	JaffaCakes118_93e99f83ba53b9891331439fd45eba2a.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_93e99f83ba53b9891331439fd45eba2a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_93e99f83ba53b9891331439fd45eba2a.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_93e99f83ba53b9891331439fd45eba2a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_93e99f83ba53b9891331439fd45eba2a.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2112
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_93e99f83ba53b9891331439fd45eba2a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_93e99f83ba53b9891331439fd45eba2a.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DAD7.60F

Filesize
1KB

MD5
1d866390a29b970f267d5a963e4daa33

SHA1
9bf890df01deda069b0ea031717ec68e8b52bce4

SHA256
ce18aee7c4b6a72eebdad09c3fad12a07072266dd018f3602c5e8d3c550b1aa4

SHA512
03c7ec409a1615cf83a98a070539510dc9251ab2151f62e27f47970ef2804db2249fb00899a7ccfffa84cac747a113e1bc73de40f6a284fa164f1f1aafbcf835

Download Submit
C:\Users\Admin\AppData\Roaming\DAD7.60F

Filesize
600B

MD5
216e1c2d6e934caba9c2d071fd66906c

SHA1
67627f3e1b1197ccc321b80d31e1ad558d8ae413

SHA256
3737a713ab68103afa6047aac8e1371edda83c7a5edfdaf4676394ccf306b2df

SHA512
f364508863379e8981a3113f40b89b93156bce46167ac8cf910d85ebd25f41ddc8c46bb0e3f950b28b9ee3bc911d19cad78b6bfe59198b29faf63a6811ccf26d

Download Submit
C:\Users\Admin\AppData\Roaming\DAD7.60F

Filesize
996B

MD5
901271d60ee7751de481a1d91304d61d

SHA1
3acb07e35ef3e838345a680adad5c5cb0bcd8c36

SHA256
3eed352a6f0cf569b2d8b39995719b330fce5929a76d72eb3604433e0a163555

SHA512
5dc6f6a8b800c07e3ba25923ce1de0697c998448c4d1d47de4775868e487c498bb4f1a4be7e3e5c78a4db6734880fa54eb5be1794f0a7a66b06001ba46251e71

Download Submit
memory/1124-87-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1124-15-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1124-1-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1124-2-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1124-188-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2112-6-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2112-8-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2112-5-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2448-86-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2448-85-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads