cycbot | bbf473f2a751ab98548acfbd17c14d6bfdaed02bb4f170d4a0b239f257e60532

General

Target

d746ed616e2b46bb11331fe34b2b2982_JaffaCakes118.exe
Size

154KB
MD5

d746ed616e2b46bb11331fe34b2b2982
SHA1

4b4e43dceac86abcde1049db0ac13b0dfb49f037
SHA256

bbf473f2a751ab98548acfbd17c14d6bfdaed02bb4f170d4a0b239f257e60532
SHA512

8ba9bbfa2bc16e3fb782a54d9559a5c6f899ae7b67c19fa1062191db3a991fa474c176a5a1d3e954d4290af03d23c5d9eab7d90c967a7e0b88bfb0c41574bca1
SSDEEP

3072:d1aNLwIWD2m9VfZzDYVzGYrhWqLtn62ImCzQWossLBPWRbfoHb61tjweG0:L19VfWwYZh67rkWqLERbAHb61t/

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1072-8-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/1044-19-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/572-98-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/1044-165-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/1044-215-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	d746ed616e2b46bb11331fe34b2b2982_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1044-1-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1072-6-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1072-8-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1044-19-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/572-98-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1044-165-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1044-215-0x0000000000400000-0x0000000000442000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d746ed616e2b46bb11331fe34b2b2982_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d746ed616e2b46bb11331fe34b2b2982_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d746ed616e2b46bb11331fe34b2b2982_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1072	1044	d746ed616e2b46bb11331fe34b2b2982_JaffaCakes118.exe	28
PID 1044 wrote to memory of 1072	1044	d746ed616e2b46bb11331fe34b2b2982_JaffaCakes118.exe	28
PID 1044 wrote to memory of 1072	1044	d746ed616e2b46bb11331fe34b2b2982_JaffaCakes118.exe	28
PID 1044 wrote to memory of 1072	1044	d746ed616e2b46bb11331fe34b2b2982_JaffaCakes118.exe	28
PID 1044 wrote to memory of 572	1044	d746ed616e2b46bb11331fe34b2b2982_JaffaCakes118.exe	30
PID 1044 wrote to memory of 572	1044	d746ed616e2b46bb11331fe34b2b2982_JaffaCakes118.exe	30
PID 1044 wrote to memory of 572	1044	d746ed616e2b46bb11331fe34b2b2982_JaffaCakes118.exe	30
PID 1044 wrote to memory of 572	1044	d746ed616e2b46bb11331fe34b2b2982_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\d746ed616e2b46bb11331fe34b2b2982_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d746ed616e2b46bb11331fe34b2b2982_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Temp\d746ed616e2b46bb11331fe34b2b2982_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d746ed616e2b46bb11331fe34b2b2982_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1072
- C:\Users\Admin\AppData\Local\Temp\d746ed616e2b46bb11331fe34b2b2982_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d746ed616e2b46bb11331fe34b2b2982_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B049.569

Filesize
593B

MD5
de80b13b525c39cf997ef9cbcf2bce7f

SHA1
6faddac48b78310e12a0574fb577e8681dc341b7

SHA256
2a20b37865ce65298c41bef9e956e6fb66aa2214da16233ddaf9f133ca6d6bcd

SHA512
4081652e036b00429510f4f55fb0551e38c9b42f34e0ccce4173b0447d3b5853c2c30f43a7e861e24d021b3db4506b275d50fd0e03dc78a611deef1fdc0fd5eb

Download Submit
C:\Users\Admin\AppData\Roaming\B049.569

Filesize
897B

MD5
a9034e6baa3e3520d8a0dd8e115bac40

SHA1
e27afb0bb95427ee720b5e60093565170bb3fedd

SHA256
f32f252af02752a5f32868fe4d135240e50c93440657414e6df70255a0f119be

SHA512
870689ee1899476905807cd3fcb9549a1cb94f71340c1a47886b6c1a727db4edbdb99b40ef0f9890305e7370d9aa8b7891cd8471b4445ef6e5bba8171650ad72

Download Submit
C:\Users\Admin\AppData\Roaming\B049.569

Filesize
1KB

MD5
95dc7ec95073be9914dd5d5366e01c0a

SHA1
b2aac8d0e13f974633d262577b181c9a7deec648

SHA256
45558c532236ba91b2d7dec9d2e3a07d9a32a53219adba09a25a56fb5af799e4

SHA512
739da418febb3832b7fe3f0af9bf3c963134d448bda3ef315da6f3e952d2589ccee60a5f5389e7793a0f53628709dfc5379c270c6fe1401397ab6646a692bae3

Download Submit
C:\Users\Admin\AppData\Roaming\B049.569

Filesize
1KB

MD5
2f1711d9dd6bf8149c1151d2dca115ac

SHA1
6397e767fa1cb17576c9beb5c0aac8882913f777

SHA256
870fa8d32d943b6e2f6dda95e66835317ef66ae1fcc43bfdedb635e3c7c96a95

SHA512
b505b82f26da11b243429b8a050977b530906c52be64fbf5e0164ffc9adf269682fa9641f676312709bd01c844c7497a77b823e08bbb78b38281441c16427bd0

Download Submit
memory/572-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/572-98-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1044-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1044-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1044-165-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1044-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1072-6-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1072-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads