cycbot | cd9dd49d3c6c31b71fb3d635498f65065d18adb2da2164bfadfdfa7fb3d7030c

General

Target

e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe
Size

162KB
MD5

e1e6cf942e867ee65c66c913751ad5e4
SHA1

092bdcb476d572875a1097c7c2e9d373cda81e56
SHA256

cd9dd49d3c6c31b71fb3d635498f65065d18adb2da2164bfadfdfa7fb3d7030c
SHA512

4a7d623538f71e8bd5521309acfcc12a7a962c51b6d724973af59215b1452e857fd0289b2fcd0a916ea4868b5417f3a8c2e5ffa19edfae801ec6b99e4f5a5b7c
SSDEEP

3072:wqmPFc2RTgZZ1uhpT5SX6wO3YqxdTcs33nLvKNDNSirly:xmPFc2RTWs/BSqfTcsLv2Si8

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2804-7-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2884-15-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2884-80-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/1988-83-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2884-188-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2884-2-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2804-5-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2804-7-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2884-15-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2884-80-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1988-83-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2884-188-0x0000000000400000-0x0000000000442000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2804	2884	e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2804	2884	e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2804	2884	e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2804	2884	e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe	30
PID 2884 wrote to memory of 1988	2884	e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe	32
PID 2884 wrote to memory of 1988	2884	e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe	32
PID 2884 wrote to memory of 1988	2884	e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe	32
PID 2884 wrote to memory of 1988	2884	e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e1e6cf942e867ee65c66c913751ad5e4_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1506.124

Filesize
1KB

MD5
d6967f503f6f7fc0a9e2fdd705b47894

SHA1
a8952cdb2962d3e2b00a787929e52ca562271c96

SHA256
753a23571452683f14ecce83a50e5d99c02d85e0199fbb4c6f90d2ce9e252ce0

SHA512
72a5e412c7be1a983df786c052c57bb190b883fff9acc2276e8c4a9765ccb9d56a2be904071f8271fcd849c2e2aca404d83caf3be7f7a719aa5f2198651295d4

Download Submit
C:\Users\Admin\AppData\Roaming\1506.124

Filesize
600B

MD5
fdaa7c672302974ed6b34960be8e9b2c

SHA1
42ba89d4558454eb0c5f7e78ef5453bc179f3329

SHA256
667da9caa47019b2a4c7ae359c5b36c0dca97a26657e5c789c432d6b6256db06

SHA512
0d605689dc9b9fb018870327073712aef0d98b59750d863d2df2a609d3394ff6aa7e23eeb08f270a6e27eb19097865aca289c08ba6278f66ccbc12ff1f9e42f3

Download Submit
C:\Users\Admin\AppData\Roaming\1506.124

Filesize
996B

MD5
2869fbc19a73671dbb9a2a1884c088a6

SHA1
94a42d1ac11e8a4772cdafa2d281e2ce7442b9da

SHA256
6a4b999747dce61d928d2b2471868a04b73f6d4a003b202da16a61f795f66ed9

SHA512
bb69fdd7c3ddddbecd37a33922f8247b5250f300398938760e0da81655a983f8ba3978c0253a3cdabee3631ec04a7f492042217a17c4e66c76a644bf652ee952

Download Submit
memory/1988-83-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2804-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2804-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2884-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2884-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2884-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2884-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2884-188-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads