cycbot | c34383368cb894edcbef38a293f34a125f29349600d5697c063538059be473c1

General

Target

d28cfb99a15bf8f8644f94f45e76d678_JaffaCakes118.exe
Size

156KB
MD5

d28cfb99a15bf8f8644f94f45e76d678
SHA1

7dfd728a7c1d7b5b2e3c76607701ffe9c04607b0
SHA256

c34383368cb894edcbef38a293f34a125f29349600d5697c063538059be473c1
SHA512

de70ab498865bafdbd04fa7b5f263f462a17adc8d34c29b7b53148f4568ed479d8fe6356e5c5864a7aca40f82e0a53bb8a37c6049eaab6bc54f902fe305a933c
SSDEEP

3072:gBAFVNt24gRk4RSSYI2+SeK9H7QSwdqLeQ5ZzrCwHv94TmKsw7/:gBF4j4RSSc+SXwdqqEZzrzHv9KmK77

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1016-7-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2544-15-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2544-82-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/1708-84-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2544-185-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	d28cfb99a15bf8f8644f94f45e76d678_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2544-2-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1016-5-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1016-7-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2544-15-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2544-82-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1708-84-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2544-185-0x0000000000400000-0x0000000000442000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d28cfb99a15bf8f8644f94f45e76d678_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d28cfb99a15bf8f8644f94f45e76d678_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d28cfb99a15bf8f8644f94f45e76d678_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 1016	2544	d28cfb99a15bf8f8644f94f45e76d678_JaffaCakes118.exe	29
PID 2544 wrote to memory of 1016	2544	d28cfb99a15bf8f8644f94f45e76d678_JaffaCakes118.exe	29
PID 2544 wrote to memory of 1016	2544	d28cfb99a15bf8f8644f94f45e76d678_JaffaCakes118.exe	29
PID 2544 wrote to memory of 1016	2544	d28cfb99a15bf8f8644f94f45e76d678_JaffaCakes118.exe	29
PID 2544 wrote to memory of 1708	2544	d28cfb99a15bf8f8644f94f45e76d678_JaffaCakes118.exe	31
PID 2544 wrote to memory of 1708	2544	d28cfb99a15bf8f8644f94f45e76d678_JaffaCakes118.exe	31
PID 2544 wrote to memory of 1708	2544	d28cfb99a15bf8f8644f94f45e76d678_JaffaCakes118.exe	31
PID 2544 wrote to memory of 1708	2544	d28cfb99a15bf8f8644f94f45e76d678_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\d28cfb99a15bf8f8644f94f45e76d678_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d28cfb99a15bf8f8644f94f45e76d678_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\d28cfb99a15bf8f8644f94f45e76d678_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d28cfb99a15bf8f8644f94f45e76d678_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1016
- C:\Users\Admin\AppData\Local\Temp\d28cfb99a15bf8f8644f94f45e76d678_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d28cfb99a15bf8f8644f94f45e76d678_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D513.10B

Filesize
1KB

MD5
0f239773321277cede29779b1ab1a80e

SHA1
bdd0a0f8149f21b8f4956ab3945862c1936b10f9

SHA256
25bcdf6dcfab47c3a7c21c5ab50d031cf023505d848cd16522c55c82a93d818e

SHA512
7eaf668a3ada899221f1281c47082d0aa602515790ddcc38ed1f80cff3392788c038e51ba0f494d058ffefbe61a7260240722ef873cf29f0fc20752b2cfbdd4a

Download Submit
C:\Users\Admin\AppData\Roaming\D513.10B

Filesize
600B

MD5
75c33d803b042e892070f4ece911a08c

SHA1
5bd631d3f3b26b6ae3f0dbdf78b7cf8d02ea8b23

SHA256
225091652441f58b723130a6752998b298d34b99345eb4e29db94b1c894b900b

SHA512
fc27a927c780d591334d6b120795386306937c98016b4a146e61979e64049aed9d2383fd21797555a7197c610aadef92a96c5a53fe6e6e8549fd3dcdbfe5f7cc

Download Submit
C:\Users\Admin\AppData\Roaming\D513.10B

Filesize
996B

MD5
9b7a7483da9b3ffe6c7e4ce41ad1be96

SHA1
c16012b39347664f4cec2f55c66cd950c23ae360

SHA256
26f8a191cf63d21fe1338623a9fa265ff18a419e892b88d7b265721b241911ba

SHA512
aa32ac6d488979e6b63205f145525c15a702ee24eb03f9c681aa981a5aa7762c3a2e3eaf67ad5fdf0791a8e5f8d0ecfb71f0a38ce76f73ed0aec54fe6ebbe61b

Download Submit
memory/1016-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1016-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1708-84-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2544-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2544-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2544-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2544-82-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2544-185-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads