cycbot | e9732b3134c86949f6bb3b983a490bdd77a8edfe1b6f3122a3560341948a644f

General

Target

ed14d36ef751292185845576e9310e1b_JaffaCakes118.exe
Size

191KB
MD5

ed14d36ef751292185845576e9310e1b
SHA1

af05b4d1399e6b101ac91d0a1024c7838b15d09c
SHA256

e9732b3134c86949f6bb3b983a490bdd77a8edfe1b6f3122a3560341948a644f
SHA512

128a4fcff995814705ccacf3ba527b4718eefb48e0a259af97609ccd0729499d3f51bdeeb184e8d2d2e02da33ecca9ed4410a916a64e4424a5124bebd7e387a1
SSDEEP

3072:u8Jms5o+YrlOhGOyy8KaBiQbBvEBGhxXEvIxntMut9jwJRF8ejb+O8Ak9NJ:u8JmCF3h7yhKuH1vEQFEvINSuDjkgqKl

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1384-6-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1448-14-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1448-79-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2228-83-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1448-182-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	ed14d36ef751292185845576e9310e1b_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process
PID 1448 set thread context of 0	1448	ed14d36ef751292185845576e9310e1b_JaffaCakes118.exe
PID 1384 set thread context of 0	1384	ed14d36ef751292185845576e9310e1b_JaffaCakes118.exe
PID 2228 set thread context of 0	2228	ed14d36ef751292185845576e9310e1b_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1448-2-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1384-5-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1384-6-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1448-14-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1448-79-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2228-82-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2228-83-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1448-182-0x0000000000400000-0x0000000000445000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed14d36ef751292185845576e9310e1b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed14d36ef751292185845576e9310e1b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed14d36ef751292185845576e9310e1b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 1384	1448	ed14d36ef751292185845576e9310e1b_JaffaCakes118.exe	31
PID 1448 wrote to memory of 1384	1448	ed14d36ef751292185845576e9310e1b_JaffaCakes118.exe	31
PID 1448 wrote to memory of 1384	1448	ed14d36ef751292185845576e9310e1b_JaffaCakes118.exe	31
PID 1448 wrote to memory of 1384	1448	ed14d36ef751292185845576e9310e1b_JaffaCakes118.exe	31
PID 1448 wrote to memory of 2228	1448	ed14d36ef751292185845576e9310e1b_JaffaCakes118.exe	33
PID 1448 wrote to memory of 2228	1448	ed14d36ef751292185845576e9310e1b_JaffaCakes118.exe	33
PID 1448 wrote to memory of 2228	1448	ed14d36ef751292185845576e9310e1b_JaffaCakes118.exe	33
PID 1448 wrote to memory of 2228	1448	ed14d36ef751292185845576e9310e1b_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\ed14d36ef751292185845576e9310e1b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed14d36ef751292185845576e9310e1b_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\ed14d36ef751292185845576e9310e1b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ed14d36ef751292185845576e9310e1b_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1384
- C:\Users\Admin\AppData\Local\Temp\ed14d36ef751292185845576e9310e1b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ed14d36ef751292185845576e9310e1b_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FD28.B30

Filesize
1KB

MD5
1d7ecb126a93395bfac5e6ea23581c7e

SHA1
eeec1fec1a7b236490d71166f1a91e32d0462f6c

SHA256
35cec7c54eb5b66dab1280847d4a9624a3baf01f8408c8d0088d5e22e3a470da

SHA512
10781f39d5119c8c515f84873f4e64aab4a0821bb07b4305bcc5450b0e23246d851998ebd0269fe22c174f9436fbd6e11a327f85e65978289d307379bf8fe851

Download Submit
C:\Users\Admin\AppData\Roaming\FD28.B30

Filesize
600B

MD5
6533809fd296da42236b0c2b21e74f53

SHA1
29daf987e5b5be2594b0ad185db3c6007c0e4797

SHA256
cd959a5625f2637ff195dc99fb69c77768b60dce6f63e2df194698c454b5e32a

SHA512
7247efd57006c5cdb17135386b55cd97ef0186ea20c922935c7017e8bf2e05eaba185afc1c6b559f8e71bcf799a15c7d00c77223cad7ff34ce905fdee233c706

Download Submit
C:\Users\Admin\AppData\Roaming\FD28.B30

Filesize
996B

MD5
d22c95f36b8f33819ef99398b8a1b8b4

SHA1
e3f90093d22055bf671125694b61b0d3134e618e

SHA256
f96ded1bb3d78961d405bf0c3bf80a847bfc944121779c2bddbe456fdfd6171d

SHA512
0173efac05ebd70eb97c677f31ebb678381a9e6736d39039f9427ece27e2e6cb2ece0a946e4b102c0967f1c0829246e3b88f31b9a5de4d57bd65316723de80ac

Download Submit
memory/1384-5-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1384-6-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1448-79-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1448-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1448-14-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1448-2-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1448-182-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2228-82-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2228-81-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2228-83-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads