cycbot | cf6bf3538ecfcb163be8e124a73540604731b246f8d15fa4ffab184edd539b2d

General

Target

d4b92584e58e5cddd62081ab7f46bcc8_JaffaCakes118.exe
Size

186KB
MD5

d4b92584e58e5cddd62081ab7f46bcc8
SHA1

74407ca367afb0e1cdc5a1218ea97a69a30b59d0
SHA256

cf6bf3538ecfcb163be8e124a73540604731b246f8d15fa4ffab184edd539b2d
SHA512

6be0a4542def4cf1f82300c7f2fbb071918ea038f5127d26061159019b369296a8ac104181d20b50486de5fbe95ca8dc436d6bcf4e032c48f3e0aa9586e3c0ac
SSDEEP

3072:UAD1/iHffLvRJwIdlznF6A1gFMHDxVXT9nE3TVd:UAD1/gffbv1JDFOV

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2716-13-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2756-14-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2756-79-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1340-82-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2756-199-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	d4b92584e58e5cddd62081ab7f46bcc8_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2756-2-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2716-12-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2716-13-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2756-14-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2756-79-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1340-81-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1340-82-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2756-199-0x0000000000400000-0x000000000044B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4b92584e58e5cddd62081ab7f46bcc8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2716	2756	d4b92584e58e5cddd62081ab7f46bcc8_JaffaCakes118.exe	31
PID 2756 wrote to memory of 2716	2756	d4b92584e58e5cddd62081ab7f46bcc8_JaffaCakes118.exe	31
PID 2756 wrote to memory of 2716	2756	d4b92584e58e5cddd62081ab7f46bcc8_JaffaCakes118.exe	31
PID 2756 wrote to memory of 2716	2756	d4b92584e58e5cddd62081ab7f46bcc8_JaffaCakes118.exe	31
PID 2756 wrote to memory of 1340	2756	d4b92584e58e5cddd62081ab7f46bcc8_JaffaCakes118.exe	33
PID 2756 wrote to memory of 1340	2756	d4b92584e58e5cddd62081ab7f46bcc8_JaffaCakes118.exe	33
PID 2756 wrote to memory of 1340	2756	d4b92584e58e5cddd62081ab7f46bcc8_JaffaCakes118.exe	33
PID 2756 wrote to memory of 1340	2756	d4b92584e58e5cddd62081ab7f46bcc8_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\d4b92584e58e5cddd62081ab7f46bcc8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d4b92584e58e5cddd62081ab7f46bcc8_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\d4b92584e58e5cddd62081ab7f46bcc8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d4b92584e58e5cddd62081ab7f46bcc8_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2716
- C:\Users\Admin\AppData\Local\Temp\d4b92584e58e5cddd62081ab7f46bcc8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d4b92584e58e5cddd62081ab7f46bcc8_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4F9D.4E0

Filesize
1KB

MD5
c4198479fa9f073824e82f64b2bb68e2

SHA1
f63b8d32cbe54c84daa61d88de951fc2c1f64930

SHA256
728263e527b585ca23959225c9cfe7a71a5a8b5c6b6b8710d41fa4af2ff83780

SHA512
1db88637ead0481d3f90d0636124abcd171c97d36773ce5e38d3154f9eab6e13942aec02fa214a74e9636ea0f0aaf022e02683a15edd9d3b6c0c9b9bd61603cb

Download Submit
C:\Users\Admin\AppData\Roaming\4F9D.4E0

Filesize
600B

MD5
62c3c1faecc6ccd920fb10628caa38f6

SHA1
52e85f5aee44b6f925ce1d871267cded10711a5c

SHA256
85aeb9960c8b08647948fe842e87411554a8460d08d863fd264a1bffbf6ec4d7

SHA512
549cd5afbc0582fdae3670f1f8ecf151861c3e627c8567e989ea7b54fdf1c3689792c2aa04bc1f1987de9ba798529f290503409f012defb175c4cae654e705f1

Download Submit
C:\Users\Admin\AppData\Roaming\4F9D.4E0

Filesize
1KB

MD5
dfe06a992306492c43980b2d60eb2d69

SHA1
641178f3d3dbaa0312e6426a6dac6d0995a47cb0

SHA256
cfac81dc3efdae402afbcafe76682ccf49982c38b29fa80bf7ce1e9d0ad0b669

SHA512
1546b516d5d0d0f9bca5c915b238aecdbc001d94dc1cc11bf43f496ac7e0e6e0da23266ad9a3ffd969d2ee14a450d6f8b20589f99eebd06b97139c542d358fc0

Download Submit
C:\Users\Admin\AppData\Roaming\4F9D.4E0

Filesize
996B

MD5
55c6188dd8ec3ed5cdfc831102dc2785

SHA1
0c359023966af032496e57fb0acb179595878d10

SHA256
f5c9a2b14200d2c1d1852a479f1a857582c62773dead4cb892b3e5de1265a8e0

SHA512
64945f951bc7da761094d7805fa31d88ef4c76b1bd5c5005463adb49417815099b10f7e1df150a4b4a61992d1d59e8c7190e68e79c1e97c6280609212ba85a7b

Download Submit
memory/1340-82-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1340-81-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2716-13-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2716-12-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2756-14-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2756-79-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2756-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2756-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2756-199-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads