cycbot | e6fe59b6a7ad957d5b8a67ae641a0008a6764c486f414a07860f738afb014f3d

General

Target

d2ca6453a391b7d8eb00d63e274ea843_JaffaCakes118.exe
Size

172KB
MD5

d2ca6453a391b7d8eb00d63e274ea843
SHA1

14e107604480aeca6d669304cd08b65424a7247a
SHA256

e6fe59b6a7ad957d5b8a67ae641a0008a6764c486f414a07860f738afb014f3d
SHA512

c7908d6e481ddda83074fd391baf3f721fb3e3db75f7b6fcb2c49c592d749d7f9e5e7d018f6684957ab5d6e398716d16170059d0eebf70708de5ad3bb6846c55
SSDEEP

3072:jq2M5+r3HZODwPm33bKAi5z5U8BRyCkfMTJAVw3zNB1/F3e/K0ih34:+2M5sOSu2JKCyW1/FeS0ihI

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2776-9-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral1/memory/2776-11-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral1/memory/2624-16-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral1/memory/2088-87-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral1/memory/2624-146-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral1/memory/2624-195-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	d2ca6453a391b7d8eb00d63e274ea843_JaffaCakes118.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2624-1-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2624-2-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2776-8-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2776-9-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2776-11-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2624-16-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2088-87-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2624-146-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2624-195-0x0000000000400000-0x0000000000444000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2ca6453a391b7d8eb00d63e274ea843_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2ca6453a391b7d8eb00d63e274ea843_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2ca6453a391b7d8eb00d63e274ea843_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2776	2624	d2ca6453a391b7d8eb00d63e274ea843_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2776	2624	d2ca6453a391b7d8eb00d63e274ea843_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2776	2624	d2ca6453a391b7d8eb00d63e274ea843_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2776	2624	d2ca6453a391b7d8eb00d63e274ea843_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2088	2624	d2ca6453a391b7d8eb00d63e274ea843_JaffaCakes118.exe	32
PID 2624 wrote to memory of 2088	2624	d2ca6453a391b7d8eb00d63e274ea843_JaffaCakes118.exe	32
PID 2624 wrote to memory of 2088	2624	d2ca6453a391b7d8eb00d63e274ea843_JaffaCakes118.exe	32
PID 2624 wrote to memory of 2088	2624	d2ca6453a391b7d8eb00d63e274ea843_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\d2ca6453a391b7d8eb00d63e274ea843_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d2ca6453a391b7d8eb00d63e274ea843_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Users\Admin\AppData\Local\Temp\d2ca6453a391b7d8eb00d63e274ea843_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d2ca6453a391b7d8eb00d63e274ea843_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\d2ca6453a391b7d8eb00d63e274ea843_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d2ca6453a391b7d8eb00d63e274ea843_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4C9C.2C7

Filesize
600B

MD5
632cd504639a53ede1b1d05706b9f7bc

SHA1
65fdbf1f9641ef9de12e21074f4ec11cfe3954b0

SHA256
b61961c159ae643295129aa096ad535789df276a3e83f7b39c6a97896b2e76aa

SHA512
f2884e5aa2348d56c0626bded6530024786bd3dfbea409577eb1b8440028c489e5dc819568e385fcaac966566b7d737a956bed6cc3d13f9355280ef73ee7bf4c

Download Submit
C:\Users\Admin\AppData\Roaming\4C9C.2C7

Filesize
1KB

MD5
95ceb0242bb5a09a556460a6a44ab343

SHA1
170392d534671b77d770f307740bf313721679bf

SHA256
ffec2bc174ad14b60cb8e9cc6c672019597e2aa9cb25141dd8b5fcac75dc78c0

SHA512
8e5706b2a663326e94a9ed11feb20955b8c03bd8552788ca51232339ca58f844ac4a84bc301f8921ef1b40c704c834c73a77d7f66bb80ac0f06021cb0f2bc885

Download Submit
C:\Users\Admin\AppData\Roaming\4C9C.2C7

Filesize
996B

MD5
f7cd996d2d1d3f3950a03d716ec3bacb

SHA1
0d72d759587827c0bd189300739fc4aa16e640e9

SHA256
e17dd83377bbab316c3d376e89ed7174a9629d6c0d7c9c192a13034166d34de9

SHA512
5b4da3bda45a51d5f7158860426a3be954cbf00c9145efeeff115cfcc2a41a867711f7d900c6071c6da51308c10a1d5c3f11dc2581d40fa8703e1e49d4aba3f0

Download Submit
memory/2088-87-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2088-85-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2624-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2624-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2624-146-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2624-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2624-195-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2776-11-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2776-9-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2776-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads