cycbot | f5295c773bbbd5a41425a5c739b729467541d5147988b4ba75f7a4935755f74e

General

Target

c776740e3d9467a378e3091ec49fc89b_JaffaCakes118.exe
Size

180KB
MD5

c776740e3d9467a378e3091ec49fc89b
SHA1

69c031fe483f3a36522be631abb64cc65638010e
SHA256

f5295c773bbbd5a41425a5c739b729467541d5147988b4ba75f7a4935755f74e
SHA512

4bc093dbfeb0dbb23e7af61adb12d92e7e0bc61156573fda02192025c082afda55c6e44c25a2d0c59c3bf738d3c5c74c498cfdaa8a7b170d309faa9077896fe7
SSDEEP

3072:zsSH+JRKjA2HLadFMeOknXzmwMPFWdkuG59kjeWZCIErpGBjBTa+nudzSHmR:QbkA2reFXTnjgFyS9QoxKjBTtgzOm

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1576-7-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2528-16-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/1868-93-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2528-94-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2528-190-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	c776740e3d9467a378e3091ec49fc89b_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2528-2-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1576-5-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1576-7-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2528-16-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1868-93-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2528-94-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2528-190-0x0000000000400000-0x0000000000442000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c776740e3d9467a378e3091ec49fc89b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c776740e3d9467a378e3091ec49fc89b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c776740e3d9467a378e3091ec49fc89b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 1576	2528	c776740e3d9467a378e3091ec49fc89b_JaffaCakes118.exe	31
PID 2528 wrote to memory of 1576	2528	c776740e3d9467a378e3091ec49fc89b_JaffaCakes118.exe	31
PID 2528 wrote to memory of 1576	2528	c776740e3d9467a378e3091ec49fc89b_JaffaCakes118.exe	31
PID 2528 wrote to memory of 1576	2528	c776740e3d9467a378e3091ec49fc89b_JaffaCakes118.exe	31
PID 2528 wrote to memory of 1868	2528	c776740e3d9467a378e3091ec49fc89b_JaffaCakes118.exe	33
PID 2528 wrote to memory of 1868	2528	c776740e3d9467a378e3091ec49fc89b_JaffaCakes118.exe	33
PID 2528 wrote to memory of 1868	2528	c776740e3d9467a378e3091ec49fc89b_JaffaCakes118.exe	33
PID 2528 wrote to memory of 1868	2528	c776740e3d9467a378e3091ec49fc89b_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\c776740e3d9467a378e3091ec49fc89b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c776740e3d9467a378e3091ec49fc89b_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\c776740e3d9467a378e3091ec49fc89b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\c776740e3d9467a378e3091ec49fc89b_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1576
- C:\Users\Admin\AppData\Local\Temp\c776740e3d9467a378e3091ec49fc89b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\c776740e3d9467a378e3091ec49fc89b_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\503D.8E7

Filesize
1KB

MD5
e9d8d25e265c6a446572b2b5b025e670

SHA1
a61160ba6c0365282d78105972a2b3c3ea4c83c5

SHA256
500e489609ea3e185c91257e70376d604d0228d2d67b53969db7f3ba5fcf5e31

SHA512
bd7d0799191704ecf2ccc452cd5f072c6e579e6a0a0855c3386870baf725d3f7bdae14fe7eac951df4296418c877e6bb8c80314cdeeeb44af6ccb49dd2ec4037

Download Submit
C:\Users\Admin\AppData\Roaming\503D.8E7

Filesize
600B

MD5
fe04abcdd16ea64dbc0c108e86fe03e5

SHA1
f9f14a0ef2090d937839763c8005b0f200035b0a

SHA256
e25518c7718a37bb2b57063a275285b1c01baae683901b01ad7616e94a039bf2

SHA512
9772ba5a0241ae7d019f54f7949989ccb8276af7c7f008626b09f36527967d45d4d0886f709fd9a895e1f753aedb396fa9c1673a6369ddbdde7a0b702cf08369

Download Submit
C:\Users\Admin\AppData\Roaming\503D.8E7

Filesize
1KB

MD5
b93ad770b2dbfa93614500925fdb643a

SHA1
b15b19b65f9c47257aa9de75f3fb6b2d116de37c

SHA256
63aa6d4dbd5881ef2be99d1252897a0c8548620e7b42ea76942770035877e60c

SHA512
a2700e8d76cfceb63e65c01653bafacc789ff3531489f0814deefd435bdf94946175758e70dde8fbaffa022f66a712cd3f538eb0197d18581199f20766f024ff

Download Submit
memory/1576-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1576-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1868-93-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2528-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2528-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2528-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2528-94-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2528-190-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads