cycbot | d1f3de6e126cf7c820584a2e831c1173c94ca71683f4909fefa57da860c729ab

General

Target

e56bd279edd15266f11a5e3bb081e104_JaffaCakes118.exe
Size

164KB
MD5

e56bd279edd15266f11a5e3bb081e104
SHA1

84b61f645ea8e3d7cae0218bab928364b76dcf13
SHA256

d1f3de6e126cf7c820584a2e831c1173c94ca71683f4909fefa57da860c729ab
SHA512

9b51ab6c78c4dc7560c4e41daa3ed3f95d8092b95af334d9f1904edc08b5622f194e2341e21feaa34ac319e646a8fb8d25e3a0f87068481c4e52d9271f80bdbf
SSDEEP

3072:ENKOAQ+iq4PLId7Uqxo09anlkupJjcdMScUITd3h+YI:EgmzTINXdotJBScPxox

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2756-20-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral1/memory/572-21-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral1/memory/1708-82-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral1/memory/572-83-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral1/memory/572-176-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	e56bd279edd15266f11a5e3bb081e104_JaffaCakes118.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/572-1-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/572-2-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2756-18-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2756-17-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2756-20-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/572-21-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1708-82-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/572-83-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/572-176-0x0000000000400000-0x0000000000444000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e56bd279edd15266f11a5e3bb081e104_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e56bd279edd15266f11a5e3bb081e104_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e56bd279edd15266f11a5e3bb081e104_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 572 wrote to memory of 2756	572	e56bd279edd15266f11a5e3bb081e104_JaffaCakes118.exe	29
PID 572 wrote to memory of 2756	572	e56bd279edd15266f11a5e3bb081e104_JaffaCakes118.exe	29
PID 572 wrote to memory of 2756	572	e56bd279edd15266f11a5e3bb081e104_JaffaCakes118.exe	29
PID 572 wrote to memory of 2756	572	e56bd279edd15266f11a5e3bb081e104_JaffaCakes118.exe	29
PID 572 wrote to memory of 1708	572	e56bd279edd15266f11a5e3bb081e104_JaffaCakes118.exe	31
PID 572 wrote to memory of 1708	572	e56bd279edd15266f11a5e3bb081e104_JaffaCakes118.exe	31
PID 572 wrote to memory of 1708	572	e56bd279edd15266f11a5e3bb081e104_JaffaCakes118.exe	31
PID 572 wrote to memory of 1708	572	e56bd279edd15266f11a5e3bb081e104_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\e56bd279edd15266f11a5e3bb081e104_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e56bd279edd15266f11a5e3bb081e104_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:572
- C:\Users\Admin\AppData\Local\Temp\e56bd279edd15266f11a5e3bb081e104_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e56bd279edd15266f11a5e3bb081e104_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\e56bd279edd15266f11a5e3bb081e104_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e56bd279edd15266f11a5e3bb081e104_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\BB64.886

Filesize
597B

MD5
51cc3ea8e2e2ac1d499bc8029a31da20

SHA1
e97377f2344aa32cf932985f492615c8a48e40cd

SHA256
680a14b2b2c9fa8baa128a954695e3a686443498291df1e6fba41f5a761137e1

SHA512
8d344c0985385181de3d8eafa13ab02d0a88dfaa342f8e542199b7a0d48f9eeaafce89d2963eb16ad1a69e206c950268b483d01a9fb6151f29d11e4ce5454dcc

Download Submit
C:\Users\Admin\AppData\Roaming\BB64.886

Filesize
897B

MD5
6e06954e695986b279ad9772b21e95d3

SHA1
6a11cdcf795375c5a693d9059ee4907792afeabe

SHA256
a57ca775fea514035208b4589a34c9aee3137964008f53fdfd65f120eba9598a

SHA512
19c6b2327d146bf23c2afd8f1f9a64967515a1eda0f086a2cba65425bf396d6193be8ee94c742597e08f6d100caebaad2d56627f996b42fdc480978509e5c061

Download Submit
C:\Users\Admin\AppData\Roaming\BB64.886

Filesize
1KB

MD5
8383d7c18767c13aba8f1aa8158b1360

SHA1
e58f2f15dcf91d1ba5b6fb9679939bf02e2e9c3c

SHA256
323bd9f5d9aff70b52f5c230dc66a593bd5ce8527648b1d25d527e7066cf6d52

SHA512
ccb14350ba631b70326e48641bdad256ffad9ae828f0b1d2d92ceb7b59941f4dcfeb32a189c7db62514932321d1d8c3eac2cb886588c800bbe21b9acd544241b

Download Submit
memory/572-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/572-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/572-176-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/572-83-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/572-21-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1708-82-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1708-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2756-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2756-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2756-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads