cycbot | 213da0ba0be697eb8379fc446d5a2678035c8a4d636980ad433cb71e056bedeb

General

Target

JaffaCakes118_97ac1f8eac4cdad0940e9ce8a36ff010.exe
Size

184KB
MD5

97ac1f8eac4cdad0940e9ce8a36ff010
SHA1

028667cb29e9cb79b9630d4cd417209dcb3155be
SHA256

213da0ba0be697eb8379fc446d5a2678035c8a4d636980ad433cb71e056bedeb
SHA512

d91e05530759694fb1895055e4107a9195da9957547ccd8f9fd061b9bef19c7df32404690398fd7c4ff0817bd4deacd25210b05788647aebd9af005ce72da6f6
SSDEEP

3072:E4rMtcfV0bYmNpeTZrjfErMPG7MKM+Y2Yl95d4Ld87dQm8iivh6Q1yr:ZrMt2ONajsTMKM+Y2I5G58xvQ1y

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2900-8-0x0000000000400000-0x0000000000466000-memory.dmp	family_cycbot
behavioral1/memory/1628-18-0x0000000000400000-0x0000000000466000-memory.dmp	family_cycbot
behavioral1/memory/1492-86-0x0000000000400000-0x0000000000466000-memory.dmp	family_cycbot
behavioral1/memory/1628-87-0x0000000000400000-0x0000000000466000-memory.dmp	family_cycbot
behavioral1/memory/1628-172-0x0000000000400000-0x0000000000466000-memory.dmp	family_cycbot
behavioral1/memory/1628-211-0x0000000000400000-0x0000000000466000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_97ac1f8eac4cdad0940e9ce8a36ff010.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1628-2-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2900-6-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2900-8-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1628-18-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1492-84-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1492-86-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1628-87-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1628-172-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1628-211-0x0000000000400000-0x0000000000466000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_97ac1f8eac4cdad0940e9ce8a36ff010.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_97ac1f8eac4cdad0940e9ce8a36ff010.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_97ac1f8eac4cdad0940e9ce8a36ff010.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2900	1628	JaffaCakes118_97ac1f8eac4cdad0940e9ce8a36ff010.exe	30
PID 1628 wrote to memory of 2900	1628	JaffaCakes118_97ac1f8eac4cdad0940e9ce8a36ff010.exe	30
PID 1628 wrote to memory of 2900	1628	JaffaCakes118_97ac1f8eac4cdad0940e9ce8a36ff010.exe	30
PID 1628 wrote to memory of 2900	1628	JaffaCakes118_97ac1f8eac4cdad0940e9ce8a36ff010.exe	30
PID 1628 wrote to memory of 1492	1628	JaffaCakes118_97ac1f8eac4cdad0940e9ce8a36ff010.exe	32
PID 1628 wrote to memory of 1492	1628	JaffaCakes118_97ac1f8eac4cdad0940e9ce8a36ff010.exe	32
PID 1628 wrote to memory of 1492	1628	JaffaCakes118_97ac1f8eac4cdad0940e9ce8a36ff010.exe	32
PID 1628 wrote to memory of 1492	1628	JaffaCakes118_97ac1f8eac4cdad0940e9ce8a36ff010.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97ac1f8eac4cdad0940e9ce8a36ff010.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97ac1f8eac4cdad0940e9ce8a36ff010.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97ac1f8eac4cdad0940e9ce8a36ff010.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97ac1f8eac4cdad0940e9ce8a36ff010.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2900
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97ac1f8eac4cdad0940e9ce8a36ff010.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97ac1f8eac4cdad0940e9ce8a36ff010.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7172.6A3

Filesize
1KB

MD5
3629779f9a8be517c76fba8ae754f896

SHA1
bedbdb8fafa861f8475816a54a7f5398c9cfb7b1

SHA256
e3913568fcfa934f12adefc951d0bcd6bd5e9fefb23b014ad54ba7cbc1fd7d9f

SHA512
dcc4afb79cd945f008ed0cceebec37b6b4f73351614e0c5e8957ba0119ec068522cbc1c9a615af76fec37c8eb8876de23d94c4d2ee84ad3c5de516677a0c7b6c

Download Submit
C:\Users\Admin\AppData\Roaming\7172.6A3

Filesize
897B

MD5
5ef30819e5162ff8d14cdeccb45e11d5

SHA1
172bb693a885f808465e2b53ebb5fc7d9f897143

SHA256
f43a19a03d4ff785965985b5e349eff803b4c89a95260cf0e19f93f487abe4e6

SHA512
e3d6dfadffab41d62344d1364f6bbd7e1579b8fd8ca71de1f6279bd8c50378864c4b718e2c852936f12e5047858f86c5aea0447d6eed79da058231da5849ac10

Download Submit
C:\Users\Admin\AppData\Roaming\7172.6A3

Filesize
1KB

MD5
9b3f2f4204896b44aab6e8bccbcfe2f2

SHA1
b0bc887a0b4ba7d992aa480bfa05d79e319c97a5

SHA256
aaedad2c0c86842f2729ceac4d12c1a3bf8dd395dd02579e44da4f137d8e64cb

SHA512
11e27a1e855e6444751ccc861d1de9156d6b853ee4c42d25db9aa04b3f222ea133e4f89953d057a82cd60b7590547affdf02860ee74d0e3afe00fa814d7a24ed

Download Submit
memory/1492-84-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1492-86-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1628-18-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1628-1-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1628-87-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1628-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1628-172-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1628-211-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2900-8-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2900-6-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads