cycbot | 493c11cff84d5664f7a8b80238bfc5e1d40c5c5a534fdcfe3f0f557eb9e1ddb7

General

Target

d933b96bdbf6362c640d7c97fe9f213a_JaffaCakes118.exe
Size

170KB
MD5

d933b96bdbf6362c640d7c97fe9f213a
SHA1

727ba56215856493a986a3a0eb0c8b6d338dfed0
SHA256

493c11cff84d5664f7a8b80238bfc5e1d40c5c5a534fdcfe3f0f557eb9e1ddb7
SHA512

928d2e9d812e2756d0402841c25621d76933d88c218cdeb2d47352b4cd615831944865ed89ae28105f63681501d272aa165b2ec2fa136495ac4667738adfff54
SSDEEP

3072:TWTp7FGUqNppEwIXBMB/2Uj3WOrnI5Gg7VVhrY+flZNOR6Z4wk:TWTpZZqhETxMURceSu

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1672-14-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral1/memory/2336-15-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral1/memory/2336-80-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral1/memory/2184-82-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral1/memory/2336-183-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	d933b96bdbf6362c640d7c97fe9f213a_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2336-2-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1672-12-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1672-14-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2336-15-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2336-80-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2184-82-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2336-183-0x0000000000400000-0x0000000000444000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d933b96bdbf6362c640d7c97fe9f213a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d933b96bdbf6362c640d7c97fe9f213a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d933b96bdbf6362c640d7c97fe9f213a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1672	2336	d933b96bdbf6362c640d7c97fe9f213a_JaffaCakes118.exe	30
PID 2336 wrote to memory of 1672	2336	d933b96bdbf6362c640d7c97fe9f213a_JaffaCakes118.exe	30
PID 2336 wrote to memory of 1672	2336	d933b96bdbf6362c640d7c97fe9f213a_JaffaCakes118.exe	30
PID 2336 wrote to memory of 1672	2336	d933b96bdbf6362c640d7c97fe9f213a_JaffaCakes118.exe	30
PID 2336 wrote to memory of 2184	2336	d933b96bdbf6362c640d7c97fe9f213a_JaffaCakes118.exe	33
PID 2336 wrote to memory of 2184	2336	d933b96bdbf6362c640d7c97fe9f213a_JaffaCakes118.exe	33
PID 2336 wrote to memory of 2184	2336	d933b96bdbf6362c640d7c97fe9f213a_JaffaCakes118.exe	33
PID 2336 wrote to memory of 2184	2336	d933b96bdbf6362c640d7c97fe9f213a_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\d933b96bdbf6362c640d7c97fe9f213a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d933b96bdbf6362c640d7c97fe9f213a_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\d933b96bdbf6362c640d7c97fe9f213a_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d933b96bdbf6362c640d7c97fe9f213a_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1672
- C:\Users\Admin\AppData\Local\Temp\d933b96bdbf6362c640d7c97fe9f213a_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d933b96bdbf6362c640d7c97fe9f213a_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E33C.83B

Filesize
600B

MD5
50ae1003849d7f4f5e56d4c58838f252

SHA1
2ab8d6922ce314e096a423427429ed133f9af664

SHA256
52125ec25edbc799aa409d3e3bbd2855174c90c47f2533d740a490118803e449

SHA512
c87ea2bd07eb62c8071e21b6dcaa98610045c5a25ab3974be9fbb5c60f962d92d490d2cf08a0308be415b3d87903dc46317d99c7311cf76df7302ac87b0b76a9

Download Submit
C:\Users\Admin\AppData\Roaming\E33C.83B

Filesize
996B

MD5
da07f2e0be5baf9c260596ddce33847a

SHA1
f068edb3ec63100cf1876d5cde04d99350beeb0e

SHA256
014ca15bcc1ba155f1d34e51a8d6a2455a04fa33d4ce8732d95da2d3e5d59f6f

SHA512
d27f11c8ef52f0cfd0af4bd2f6064b7e09c2acf085fa9273612c2fda2f2a87f926c5a05dbf9e680b7e06d5b1e9d4131f12918ccdd27f634a077a5ffd08e675b8

Download Submit
memory/1672-12-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1672-14-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2184-82-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2336-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2336-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2336-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2336-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2336-183-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads