cycbot | 624bb3c5b685ebbab1a0c687b742cd798a681b2a1361ea23266cf0605b596101

General

Target

ecb4cd4c703777c1723f356b55a5684f_JaffaCakes118.exe
Size

183KB
MD5

ecb4cd4c703777c1723f356b55a5684f
SHA1

a96f93f51e62ba65232f6e616b0d483e63ce3cb8
SHA256

624bb3c5b685ebbab1a0c687b742cd798a681b2a1361ea23266cf0605b596101
SHA512

48878cc22d65933917f07e9f63e7c2718ac6da3282fcfbd727dadaf78be94dbef963c28f8fa392e11d106b4d561297eef2ee33a72a62401555781f66e8eb11ea
SSDEEP

3072:Iu95IaH1zODs+0V/ZpAFgRpPEIZx0kI1FwofOrUDflMiGZm3fZB:IuAG1zxdVxpR+X1Fwofu+Mium3f

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2248-6-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/2884-14-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/2360-74-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/2884-75-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/2884-179-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	ecb4cd4c703777c1723f356b55a5684f_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2884-2-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2248-5-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2248-6-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2884-14-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2360-74-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2884-75-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2884-179-0x0000000000400000-0x0000000000443000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecb4cd4c703777c1723f356b55a5684f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecb4cd4c703777c1723f356b55a5684f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecb4cd4c703777c1723f356b55a5684f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2248	2884	ecb4cd4c703777c1723f356b55a5684f_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2248	2884	ecb4cd4c703777c1723f356b55a5684f_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2248	2884	ecb4cd4c703777c1723f356b55a5684f_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2248	2884	ecb4cd4c703777c1723f356b55a5684f_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2360	2884	ecb4cd4c703777c1723f356b55a5684f_JaffaCakes118.exe	32
PID 2884 wrote to memory of 2360	2884	ecb4cd4c703777c1723f356b55a5684f_JaffaCakes118.exe	32
PID 2884 wrote to memory of 2360	2884	ecb4cd4c703777c1723f356b55a5684f_JaffaCakes118.exe	32
PID 2884 wrote to memory of 2360	2884	ecb4cd4c703777c1723f356b55a5684f_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\ecb4cd4c703777c1723f356b55a5684f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ecb4cd4c703777c1723f356b55a5684f_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\ecb4cd4c703777c1723f356b55a5684f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ecb4cd4c703777c1723f356b55a5684f_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2248
- C:\Users\Admin\AppData\Local\Temp\ecb4cd4c703777c1723f356b55a5684f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ecb4cd4c703777c1723f356b55a5684f_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A50D.85C

Filesize
996B

MD5
d662807deec527b538a68d7867213f92

SHA1
0ba01e62efebab548dd2b13c183496214a5672d5

SHA256
784ccaca610b277c204fede372ac5cb83a189dd2cd5068d1ceb7212d11b901ac

SHA512
c6f4c388849378ba48a4d0aacd52b2ff5c2962cca1d3607cf3dedb41d9050f92d23f6bc8928ef67ad7e1a9d6aef61caa496f972a5fd9466043c2def9c1e6a96a

Download Submit
C:\Users\Admin\AppData\Roaming\A50D.85C

Filesize
300B

MD5
15adbe73dc2a673c4deca6a9462a03b1

SHA1
6e3696e93cd1adde5a01e81c2a731490b30cb1c1

SHA256
16f03d206a67f839975416d656567acf7d5e9dabaa8b0836474dc69b30311939

SHA512
a9a8d5a721f7d6e8a2d0d00bde89fe551455436df71e3896f5232d7ddc56fa1853d5e5a0e9590c460b8c1af44cd9e17541c14aae3ef9577f322596e2b7379c30

Download Submit
C:\Users\Admin\AppData\Roaming\A50D.85C

Filesize
600B

MD5
1df72b323938d1f9dc35f6d3b8c49fb2

SHA1
85ace849c90e82e0cc597b170e6475ffb618766a

SHA256
a0068dc00ddb63bf822adb8a17e7c10d9b60416c3c83e408440d5da1af7ff51b

SHA512
0030e4c1cb36fb98bd66b6e1ad78bb4e6709c2e7751ff2a8d21d20427a11dc1f11e714f642a46f4511bc097b960cb627bd7fba3da84b93632b719468842d6eaa

Download Submit
memory/2248-5-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2248-6-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2360-74-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2884-1-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2884-2-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2884-14-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2884-75-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2884-179-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads