cycbot | 753c4ea12c9956a951c53bdc3513f83fe3208286509c23e0740a51e40ee6563d

General

Target

922e759e6a460205f2cbb6bc9750fc9e_JaffaCakes118.exe
Size

166KB
MD5

922e759e6a460205f2cbb6bc9750fc9e
SHA1

8d82ecfe1301fa24e74316f63533d517dafe1805
SHA256

753c4ea12c9956a951c53bdc3513f83fe3208286509c23e0740a51e40ee6563d
SHA512

26c968326b945631bf98ad52dc9ef8d666bb28e32565d285d47454aa5fbdb2b5f69696505a1e665bfb63604bdd7e55a2c4c28437ffe99e256593f17269436bab
SSDEEP

3072:mTN49AHExCCAQYNaz0ZCm3BhsHA4rwozQqjhEt+ov:zbxlvz0ZCoYwIjzov

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2780-14-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2780-13-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2736-15-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2736-79-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1600-83-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2736-90-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	922e759e6a460205f2cbb6bc9750fc9e_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2736-1-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2780-11-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2780-14-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2780-13-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2736-15-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2736-79-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1600-83-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2736-90-0x0000000000400000-0x0000000000445000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	922e759e6a460205f2cbb6bc9750fc9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	922e759e6a460205f2cbb6bc9750fc9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	922e759e6a460205f2cbb6bc9750fc9e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2780	2736	922e759e6a460205f2cbb6bc9750fc9e_JaffaCakes118.exe	30
PID 2736 wrote to memory of 2780	2736	922e759e6a460205f2cbb6bc9750fc9e_JaffaCakes118.exe	30
PID 2736 wrote to memory of 2780	2736	922e759e6a460205f2cbb6bc9750fc9e_JaffaCakes118.exe	30
PID 2736 wrote to memory of 2780	2736	922e759e6a460205f2cbb6bc9750fc9e_JaffaCakes118.exe	30
PID 2736 wrote to memory of 1600	2736	922e759e6a460205f2cbb6bc9750fc9e_JaffaCakes118.exe	32
PID 2736 wrote to memory of 1600	2736	922e759e6a460205f2cbb6bc9750fc9e_JaffaCakes118.exe	32
PID 2736 wrote to memory of 1600	2736	922e759e6a460205f2cbb6bc9750fc9e_JaffaCakes118.exe	32
PID 2736 wrote to memory of 1600	2736	922e759e6a460205f2cbb6bc9750fc9e_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\922e759e6a460205f2cbb6bc9750fc9e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\922e759e6a460205f2cbb6bc9750fc9e_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\922e759e6a460205f2cbb6bc9750fc9e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\922e759e6a460205f2cbb6bc9750fc9e_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2780
- C:\Users\Admin\AppData\Local\Temp\922e759e6a460205f2cbb6bc9750fc9e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\922e759e6a460205f2cbb6bc9750fc9e_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\9F95.235

Filesize
600B

MD5
8a97a8dbb81baf9aee5545aac03b729f

SHA1
ac52fa20df68971afb3dfdc2f748faa78eb9134f

SHA256
799d6308a2d135762d15a0a137b152440032df71e65b26e7259e03f50485e2b6

SHA512
4be4f9ea5069136b74a51118cf0d634a838d3ea0109b51501f19fcfc063274f97ea189f15a4191153b4e4dab48568d7919e34c2f77b597d69589d1e55bfb885a

Download Submit
C:\Users\Admin\AppData\Roaming\9F95.235

Filesize
996B

MD5
f0ed8341eed57f3be741b4575367b6b4

SHA1
716019287e8a3374bf340090704c5545d4ea9e50

SHA256
cd07967f128c3226caa7299e1414bc1e9874380ec22d30e2a7219c8e9a74c642

SHA512
b64d9aa21b443b447a74505bdea80f51e45857709127e64f4f51dc121ba767e712151b93aca8ce0983e5c85b7db749654a9d99e95f423240022c374c33db8fc9

Download Submit
C:\Users\Admin\AppData\Roaming\9F95.235

Filesize
1KB

MD5
be7eba2c0a2629f825661ca282978fe0

SHA1
9870158c53b0e681e75779d1625aa9e64a32730e

SHA256
7a70e89a000665328a6fea91cedffbcae03aa61b4b526d88925aa1a4e57bec0a

SHA512
0111829bd53023ee013941c31acf65ef5c1330a33991a0389f9db2f316e5c3ab58c154674c3a037ea440dbada223f1d53eb85925cb96515eb1b845ea6d2bf338

Download Submit
memory/1600-81-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1600-83-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2736-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2736-15-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2736-79-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2736-90-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2780-11-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2780-14-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2780-13-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads