cycbot | bea012d79dc80d6316c2434ca935e2c74c508abc6d1ccc66c9a2cd3c0a8e4cef

General

Target

9518408136fd1813904953e0f8149aea_JaffaCakes118.exe
Size

163KB
MD5

9518408136fd1813904953e0f8149aea
SHA1

441fa6e913678e7b20fc0cd0e254aec90db758f6
SHA256

bea012d79dc80d6316c2434ca935e2c74c508abc6d1ccc66c9a2cd3c0a8e4cef
SHA512

06935dc029867674a7b5d595e1d81362eb72d61882b243d90c0238b3ec154b599ae6ffeec7b84cfd8a28deb195d7ab5bbca3eed53868815e57fbac4ec08d95e4
SSDEEP

3072:6kChIFvQrNax4gjA8W8+iTJk8mHUcmUUf0L0a+8CPPAt:6kO4jxXvtMmUUcMzP

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

Processes:

resource	yara_rule
behavioral1/memory/2680-15-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral1/memory/2400-16-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral1/memory/2788-90-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral1/memory/2400-91-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral1/memory/2400-161-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9518408136fd1813904953e0f8149aea_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	9518408136fd1813904953e0f8149aea_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2400-2-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2680-15-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2680-13-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2400-16-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2788-90-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2400-91-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2400-161-0x0000000000400000-0x0000000000444000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9518408136fd1813904953e0f8149aea_JaffaCakes118.exe9518408136fd1813904953e0f8149aea_JaffaCakes118.exe9518408136fd1813904953e0f8149aea_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9518408136fd1813904953e0f8149aea_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9518408136fd1813904953e0f8149aea_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9518408136fd1813904953e0f8149aea_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9518408136fd1813904953e0f8149aea_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2400 wrote to memory of 2680	2400	9518408136fd1813904953e0f8149aea_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2680	2400	9518408136fd1813904953e0f8149aea_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2680	2400	9518408136fd1813904953e0f8149aea_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2680	2400	9518408136fd1813904953e0f8149aea_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2788	2400	9518408136fd1813904953e0f8149aea_JaffaCakes118.exe	32
PID 2400 wrote to memory of 2788	2400	9518408136fd1813904953e0f8149aea_JaffaCakes118.exe	32
PID 2400 wrote to memory of 2788	2400	9518408136fd1813904953e0f8149aea_JaffaCakes118.exe	32
PID 2400 wrote to memory of 2788	2400	9518408136fd1813904953e0f8149aea_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\9518408136fd1813904953e0f8149aea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9518408136fd1813904953e0f8149aea_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\9518408136fd1813904953e0f8149aea_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\9518408136fd1813904953e0f8149aea_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2680
- C:\Users\Admin\AppData\Local\Temp\9518408136fd1813904953e0f8149aea_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\9518408136fd1813904953e0f8149aea_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A534.C0C

Filesize
1KB

MD5
f7d4b7585d433b05b7fde3f7bd1bd716

SHA1
aa5bdff37bc164f1ada201411ce0507d703f060d

SHA256
5545248064af90bbc1806c8f7ae5e4111ca90accc842b0dbb67cbb10b23986dc

SHA512
46f283970ea62bd664462a2216c6db8b5a81564dfeecbadb1bdbd4eaeeda2b65c5a56df3b8ed1b7a098f2c6067f72a37babddcddf83625a55b8fbb07f92fbfa7

Download Submit
C:\Users\Admin\AppData\Roaming\A534.C0C

Filesize
600B

MD5
54a9f27174aae5f99999910af6ac3971

SHA1
b3170fd2d8178f8099e2de1ea620575dd820ad5d

SHA256
d9435c8970e911526b037eba5e95e742fbb81f2f43ed050b975470f83109f84d

SHA512
03f3fa6f5e5bad52285f2190c2e6a13ba11674b31a74ef405a1c5527238d68faaf0b78dd75fe37335bd72c32db501f074e0c63518c98a8e68401203cef01c9e4

Download Submit
C:\Users\Admin\AppData\Roaming\A534.C0C

Filesize
996B

MD5
813f6227036373a227645a8bd00f73b6

SHA1
e9326df0d03e667abd94f261277d39a24385308f

SHA256
c8c44bff2da7d622fb1d3b9fbb1e35b6b840ae6e62292e010e54159b55c2ff4e

SHA512
05c07dcf5683968cb46106530276264b66fe0f2368159f92b997c81285dab1324e692f026f8d33cbb64f4c6b109140c6564aded9173cba069648efd194ad25a5

Download Submit
memory/2400-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2400-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2400-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2400-91-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2400-161-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2680-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2680-13-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2680-12-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2788-90-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads