cycbot | 0a072b687be59ac2fdb3ef967bf24d99d35d2ac2ec694672f6ee53fb60914e12

General

Target

JaffaCakes118_95330e4ff1e5e47f9ffccef84c3100f6.exe
Size

191KB
MD5

95330e4ff1e5e47f9ffccef84c3100f6
SHA1

b2d37df5411dcb4c0b154e58df8793d7bf5c4312
SHA256

0a072b687be59ac2fdb3ef967bf24d99d35d2ac2ec694672f6ee53fb60914e12
SHA512

d16d752bd9cf8aa9286a5c2ed991a76afa1ca4beac2efadfa673030224ae096caec2d9754da0a01c2fc66114b618458e4d81249a286c3ba3a1269c118aeb4713
SSDEEP

3072:jnQXX6kjGj8wzH8Joea0Bwg4fOJgbvyWN2q0lzDlAGbP+1L/yxKGIfZ7XnxT:jn46kjGxHGaOdMTyWN27lzS/0KG8Z7XZ

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2404-12-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2404-13-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2376-14-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2376-87-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2484-90-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2376-188-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_95330e4ff1e5e47f9ffccef84c3100f6.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2376-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2404-12-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2404-13-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2376-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2376-87-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2484-89-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2484-90-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2376-188-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95330e4ff1e5e47f9ffccef84c3100f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95330e4ff1e5e47f9ffccef84c3100f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95330e4ff1e5e47f9ffccef84c3100f6.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2404	2376	JaffaCakes118_95330e4ff1e5e47f9ffccef84c3100f6.exe	30
PID 2376 wrote to memory of 2404	2376	JaffaCakes118_95330e4ff1e5e47f9ffccef84c3100f6.exe	30
PID 2376 wrote to memory of 2404	2376	JaffaCakes118_95330e4ff1e5e47f9ffccef84c3100f6.exe	30
PID 2376 wrote to memory of 2404	2376	JaffaCakes118_95330e4ff1e5e47f9ffccef84c3100f6.exe	30
PID 2376 wrote to memory of 2484	2376	JaffaCakes118_95330e4ff1e5e47f9ffccef84c3100f6.exe	32
PID 2376 wrote to memory of 2484	2376	JaffaCakes118_95330e4ff1e5e47f9ffccef84c3100f6.exe	32
PID 2376 wrote to memory of 2484	2376	JaffaCakes118_95330e4ff1e5e47f9ffccef84c3100f6.exe	32
PID 2376 wrote to memory of 2484	2376	JaffaCakes118_95330e4ff1e5e47f9ffccef84c3100f6.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95330e4ff1e5e47f9ffccef84c3100f6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95330e4ff1e5e47f9ffccef84c3100f6.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95330e4ff1e5e47f9ffccef84c3100f6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95330e4ff1e5e47f9ffccef84c3100f6.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2404
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95330e4ff1e5e47f9ffccef84c3100f6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95330e4ff1e5e47f9ffccef84c3100f6.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0EBD.120

Filesize
1KB

MD5
b7ba6a3c3d853821dae931f0e6f86640

SHA1
15ddc59a73ccf294e0624397ae578eb44fc27d36

SHA256
5232f55a783c8612356b55c9a1b728322f0ab5bac98ba7a892c36ff65de3beb3

SHA512
9abf0db0e73466ad7ddc907488cab05b411f4335314c732535cbce83b397857c37b217caf134e69a9823c7af0448ea4a4fc43d70ec952f1b68a16f4d55f1933e

Download Submit
C:\Users\Admin\AppData\Roaming\0EBD.120

Filesize
600B

MD5
547e27fb3706bc3d4287c796a3394288

SHA1
0fbe67fc3074550844aa3679ca18b78f9fc238f1

SHA256
e3f3cbdc3afe2c67dedfb832c72a6cb9f252cd951f6309e507378fe9f8e5bd74

SHA512
7f6600f40c7ea1d081a0f5822b4f7f590edf695bdc17e3012c8d08733b82be1898cd7ff1d94ebc43cf42ac883b645dae1e4ba1b31a980f8888119e71aa09be09

Download Submit
C:\Users\Admin\AppData\Roaming\0EBD.120

Filesize
996B

MD5
b63e75e0679b6db4bde7e967c3e1bbb4

SHA1
8256837b2e12f4f43a047705638a3634f5395f1f

SHA256
0da3a2d378c1cfe94b4679fc6b68746d9fdf8e62a88fb7869c13abba712ab89a

SHA512
5ed2407917efbf239c4000a4300f2867d8edfa9a05fcd4a00ab30a706d269469b64ace2ca5833fa7d9e5af6a3f31ba6ae763485f670b81505386d01cb0bf3a1c

Download Submit
memory/2376-1-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2376-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2376-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2376-87-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2376-188-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2404-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2404-13-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2484-89-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2484-90-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads