cycbot | a58e967d716e66cd2f5610f005f9b0ef0f321382499cfd29329fa9b2c99f1932

General

Target

e28a73bc2adecb253f3bdb21d5ac12a0_JaffaCakes118.exe
Size

188KB
MD5

e28a73bc2adecb253f3bdb21d5ac12a0
SHA1

7e1f9261f2575ad90b960e7025ba786735469ad8
SHA256

a58e967d716e66cd2f5610f005f9b0ef0f321382499cfd29329fa9b2c99f1932
SHA512

f37d0308cacb612ca0973ecc01a91cbbf7ecc291bf61b2711bbe224bbe9f4abd34f9eaebc41ad9da7ee511c8102f41b4035ce718ca0fd8ed114eba3f346c7015
SSDEEP

3072:7hy0apPSsn3doKkwOZeFqVSWtmf6DnLUbUZIl+OJ0MFxvAlAUWPlbRnqoOMow0Ee:s9xbNCwtYV4MLg5jJ0MnAa5BRbOst8bB

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2836-5-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2776-14-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1148-79-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1148-78-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2776-80-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2776-185-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	e28a73bc2adecb253f3bdb21d5ac12a0_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2776-2-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2836-6-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2836-5-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2776-14-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1148-79-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1148-78-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2776-80-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2776-185-0x0000000000400000-0x0000000000445000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e28a73bc2adecb253f3bdb21d5ac12a0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e28a73bc2adecb253f3bdb21d5ac12a0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e28a73bc2adecb253f3bdb21d5ac12a0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2836	2776	e28a73bc2adecb253f3bdb21d5ac12a0_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2836	2776	e28a73bc2adecb253f3bdb21d5ac12a0_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2836	2776	e28a73bc2adecb253f3bdb21d5ac12a0_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2836	2776	e28a73bc2adecb253f3bdb21d5ac12a0_JaffaCakes118.exe	30
PID 2776 wrote to memory of 1148	2776	e28a73bc2adecb253f3bdb21d5ac12a0_JaffaCakes118.exe	32
PID 2776 wrote to memory of 1148	2776	e28a73bc2adecb253f3bdb21d5ac12a0_JaffaCakes118.exe	32
PID 2776 wrote to memory of 1148	2776	e28a73bc2adecb253f3bdb21d5ac12a0_JaffaCakes118.exe	32
PID 2776 wrote to memory of 1148	2776	e28a73bc2adecb253f3bdb21d5ac12a0_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\e28a73bc2adecb253f3bdb21d5ac12a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e28a73bc2adecb253f3bdb21d5ac12a0_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Local\Temp\e28a73bc2adecb253f3bdb21d5ac12a0_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e28a73bc2adecb253f3bdb21d5ac12a0_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2836
- C:\Users\Admin\AppData\Local\Temp\e28a73bc2adecb253f3bdb21d5ac12a0_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e28a73bc2adecb253f3bdb21d5ac12a0_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\39BD.44F

Filesize
1KB

MD5
2aba9189ad5589e0d5f396933d6424a2

SHA1
12ffa325d8616ebe859fc701eb3171f292df6dec

SHA256
dd0b154510e5c3e3e47e355eb9a4afc7d081d294ebf8dbb12c33e873369d46a4

SHA512
81b6743fa45a7bb0717da3a1cab1ae60751a635534e00301a266a70ce6987b2a7fcab537ade2b146f7b4cdcfb3fdeb4ddbf224393f537622c0f44d88b44efb6c

Download Submit
C:\Users\Admin\AppData\Roaming\39BD.44F

Filesize
600B

MD5
3d5e90dbea8e8036352ce711c077287b

SHA1
9fefdc1af8c48b66eb9d3443a1f471a053c55340

SHA256
d67add39a0006853181eb55b175f4b797b185fb350f0e86779207683bf114051

SHA512
ac2ac9432ade276605e5588effe8bd263e687ece2490b9af7fa4e752425fc5e47f719697f886ab55b402c853c3e311619fa21b2c813214a4a3b9e60d02b5ed12

Download Submit
C:\Users\Admin\AppData\Roaming\39BD.44F

Filesize
996B

MD5
9030dc8cdf86e3ec8a39f15ce4a2925c

SHA1
00dd2de6a9701672e6bb49b2c052541717e9f4be

SHA256
fb1a20fab8fbb2201cb33559d8d29d9ddebad9db93ee9d5501902b4f208e3960

SHA512
b70d805d1e633b73bb6526074cbed2fcd2bb0f39095ac66cbd7c22fd8953d0849c11057fdcdbc4d0031eb3cd5a72f4a805eea74d6517f493c379c76151ff7eac

Download Submit
memory/1148-79-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1148-78-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2776-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2776-2-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2776-14-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2776-80-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2776-185-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2836-6-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2836-5-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads