cycbot | 364bb35da47df0549c7a28f8287249491e016871d6ad3a4c42d84753e486cd49

General

Target

JaffaCakes118_968559a3f40862d2ab72c2ae77bb8cd8.exe
Size

174KB
MD5

968559a3f40862d2ab72c2ae77bb8cd8
SHA1

5a1e676f480045ee7a3743625b050eebd8e4d478
SHA256

364bb35da47df0549c7a28f8287249491e016871d6ad3a4c42d84753e486cd49
SHA512

c233cc6a64ce3891683ad8f43a722a6cefe3bb9f6bb3aea185e3e44bbff2732bae74f499209fc1f9a271821582e2316b8bb1c70ce2a3526aa1939d60675bc444
SSDEEP

3072:htEOlJjDTg/ZstvyMDlccDGdvnYS4G2VrP5CqDqjnwfbGF8e6R1P6/XjVC:hOoJjng/Zs5DGdvnY+oEqzggRR6PjV

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2020-6-0x0000000000400000-0x0000000000483000-memory.dmp	family_cycbot
behavioral1/memory/1944-14-0x0000000000400000-0x0000000000483000-memory.dmp	family_cycbot
behavioral1/memory/2528-80-0x0000000000400000-0x0000000000483000-memory.dmp	family_cycbot
behavioral1/memory/1944-81-0x0000000000400000-0x0000000000483000-memory.dmp	family_cycbot
behavioral1/memory/1944-166-0x0000000000400000-0x0000000000483000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_968559a3f40862d2ab72c2ae77bb8cd8.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1944-2-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/2020-6-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/2020-7-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/1944-14-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/2528-78-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/2528-80-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/1944-81-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/1944-166-0x0000000000400000-0x0000000000483000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_968559a3f40862d2ab72c2ae77bb8cd8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_968559a3f40862d2ab72c2ae77bb8cd8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_968559a3f40862d2ab72c2ae77bb8cd8.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2020	1944	JaffaCakes118_968559a3f40862d2ab72c2ae77bb8cd8.exe	30
PID 1944 wrote to memory of 2020	1944	JaffaCakes118_968559a3f40862d2ab72c2ae77bb8cd8.exe	30
PID 1944 wrote to memory of 2020	1944	JaffaCakes118_968559a3f40862d2ab72c2ae77bb8cd8.exe	30
PID 1944 wrote to memory of 2020	1944	JaffaCakes118_968559a3f40862d2ab72c2ae77bb8cd8.exe	30
PID 1944 wrote to memory of 2528	1944	JaffaCakes118_968559a3f40862d2ab72c2ae77bb8cd8.exe	33
PID 1944 wrote to memory of 2528	1944	JaffaCakes118_968559a3f40862d2ab72c2ae77bb8cd8.exe	33
PID 1944 wrote to memory of 2528	1944	JaffaCakes118_968559a3f40862d2ab72c2ae77bb8cd8.exe	33
PID 1944 wrote to memory of 2528	1944	JaffaCakes118_968559a3f40862d2ab72c2ae77bb8cd8.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_968559a3f40862d2ab72c2ae77bb8cd8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_968559a3f40862d2ab72c2ae77bb8cd8.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_968559a3f40862d2ab72c2ae77bb8cd8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_968559a3f40862d2ab72c2ae77bb8cd8.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2020
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_968559a3f40862d2ab72c2ae77bb8cd8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_968559a3f40862d2ab72c2ae77bb8cd8.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\8F71.898

Filesize
1KB

MD5
fbefdb98f2ac35ecea90377009094a65

SHA1
ae345baf4fd098f61c27c8196441db0d1c4b64ee

SHA256
15da49ccd94016bb5328270de2ef8b2e356ca8230fdb4146b37d769d41f0dc18

SHA512
e205fc86bb93d3bc86901de6b4cf22126021825ccfb654ee31ce931bb65042ab54ecf2d6369f17b9fa782ae4f08f883cc8f081a21bdeda489ae0eb8a8a33cf55

Download Submit
C:\Users\Admin\AppData\Roaming\8F71.898

Filesize
600B

MD5
1c226b01555f10e9198f4b2f38736995

SHA1
034862a293e1a2a96e919424b0afe202625230fb

SHA256
5e7ae569274e39c0532cbbecc20fb3b57b75a52b2b4acbc72d4e08926159d88f

SHA512
060477cd61a711d718c20b75784d472aaf34a628351866e3cc42d8349b91ffce84a5753ba6ed1488eaf4fd8240d0e4853ca42434e64c459aa321dcb6facfdd68

Download Submit
C:\Users\Admin\AppData\Roaming\8F71.898

Filesize
996B

MD5
519880687d426caad50b3cdecc35fcee

SHA1
688209c728d6b338d3529b3608d46d7159186c61

SHA256
eb02a5c2305e4446959a07fcce448f1ac3f7a35f772428c247d4e547e1261c3b

SHA512
f81a4a31f4ff9892f1797948fc1ba8546571cc9b5e340dbd299437b87664364cd83ed98bdddc7f000973a15e3449f7a9777fa9692d92bc0aefc961cab2648fe5

Download Submit
memory/1944-81-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1944-14-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1944-1-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1944-2-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1944-166-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2020-5-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2020-7-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2020-6-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2528-78-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2528-80-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads