cycbot | b841c253a2fc6b627b2a278cd6d1fea9cf88fde99d28ef11a2644d0ed22f6480

General

Target

c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe
Size

156KB
MD5

c9eac63f583edaca596e4102c3900771
SHA1

2c35aa8aeb1a5d898f05d5f1af8fe732bf4bdd24
SHA256

b841c253a2fc6b627b2a278cd6d1fea9cf88fde99d28ef11a2644d0ed22f6480
SHA512

0186f89a4a059416705c60b3d4dbd3337b8bc8bff8804e49dd66aa8d5de296a3a71c91c324c3b2374117d639a57f613408d0af54d441fc124683f59c78a83ac5
SSDEEP

3072:UfWtcjNULF5L1PBzQCZys7BDipPSfazCwrbjGuWQGOxv:QtjqLF5L1fZys7BDwPCcGu0Ot

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2084-7-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/1832-15-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/1832-79-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/832-83-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/1832-188-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1832-2-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2084-7-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2084-6-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1832-15-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1832-79-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/832-81-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/832-83-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1832-188-0x0000000000400000-0x0000000000442000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 2084	1832	c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe	30
PID 1832 wrote to memory of 2084	1832	c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe	30
PID 1832 wrote to memory of 2084	1832	c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe	30
PID 1832 wrote to memory of 2084	1832	c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe	30
PID 1832 wrote to memory of 832	1832	c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe	33
PID 1832 wrote to memory of 832	1832	c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe	33
PID 1832 wrote to memory of 832	1832	c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe	33
PID 1832 wrote to memory of 832	1832	c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\AppData\Local\Temp\c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2084
- C:\Users\Admin\AppData\Local\Temp\c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\c9eac63f583edaca596e4102c3900771_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DD74.231

Filesize
1KB

MD5
56cb838122b8f3659161c0427c9ea9eb

SHA1
4578be94385eadc60ce7f54a28f64d975686cdf4

SHA256
e4bd9be936d3f0b19ae6fb2bb38214b6f9c5c6bb5fa4ff65508475441d2a1b8b

SHA512
d1a3e97ba3733acab0e220eea24c2f9f2d5b38f4786404f0add91c58cd16610d0288872e7fbb83a1f42de765c22dfbbc86845d1233effa325bb61fb712297deb

Download Submit
C:\Users\Admin\AppData\Roaming\DD74.231

Filesize
600B

MD5
3f953b184792bfc0e9786564913b18fd

SHA1
2fec42799370c6afaad3132d368b60baa5038135

SHA256
c886bf3bb397b2c34b8d044a5cd482295ed062c5e8a100894932371e7c5cf710

SHA512
8d70f7d490ec0d7e72520efdaee6d1734215e054d98376133a3842e0482f5652bc9baba3ab189bed37c21bfa49a19838cfcd7b1d6c0ee1bbe6b1075875142750

Download Submit
C:\Users\Admin\AppData\Roaming\DD74.231

Filesize
996B

MD5
962d7be1957443a7dc65d74b595b56bb

SHA1
1e9a0bb4c892ee29fb6e4b709180454afad3e1b0

SHA256
2fa2bc6baff2c25eaa3b229a5cbb9f6fae20cad6ff4e48a4a21756c814d200c3

SHA512
01500842b565031126477b2b795a4a854ab7e722d69b5bb33bfc40f0025060bf1a3037aa63fb204a16fed1212fd6e597a3249900a495d662c6c1a3b4fdb8e835

Download Submit
memory/832-81-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/832-83-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1832-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1832-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1832-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1832-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1832-188-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2084-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2084-6-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2084-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads