cycbot | d9d68d898dd9677a7d979389e5bbb136764de23b2f98fb3c5d35574c33abacdd

General

Target

ef8913924aa338b5a3cae3f01e907e75_JaffaCakes118.exe
Size

169KB
MD5

ef8913924aa338b5a3cae3f01e907e75
SHA1

9da1aab2560d09c545a3743bfb10d4186027ac07
SHA256

d9d68d898dd9677a7d979389e5bbb136764de23b2f98fb3c5d35574c33abacdd
SHA512

3f613568abcf4b75fc672a834cbdfcff9a4a6674a1e7789d1d093443914fa422de1a69ec9c954c3516f0113e5ed5138cf9ac14f7321ba8c784948f19105c3950
SSDEEP

3072:1RvGVZmEPb7Zyb2dUxjlFjtPTQHLDskp1eWZ6DuTKV6NZTJ7TyZufDqj:DvAPb7ZmvlBtuLwqeWZJTb9yZ8Dqj

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2764-6-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/3052-13-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/2108-73-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/3052-74-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/3052-168-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/3052-209-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	ef8913924aa338b5a3cae3f01e907e75_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3052-2-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2764-5-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2764-6-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3052-13-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2108-73-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3052-74-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3052-168-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3052-209-0x0000000000400000-0x0000000000443000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef8913924aa338b5a3cae3f01e907e75_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef8913924aa338b5a3cae3f01e907e75_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef8913924aa338b5a3cae3f01e907e75_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2764	3052	ef8913924aa338b5a3cae3f01e907e75_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2764	3052	ef8913924aa338b5a3cae3f01e907e75_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2764	3052	ef8913924aa338b5a3cae3f01e907e75_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2764	3052	ef8913924aa338b5a3cae3f01e907e75_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2108	3052	ef8913924aa338b5a3cae3f01e907e75_JaffaCakes118.exe	33
PID 3052 wrote to memory of 2108	3052	ef8913924aa338b5a3cae3f01e907e75_JaffaCakes118.exe	33
PID 3052 wrote to memory of 2108	3052	ef8913924aa338b5a3cae3f01e907e75_JaffaCakes118.exe	33
PID 3052 wrote to memory of 2108	3052	ef8913924aa338b5a3cae3f01e907e75_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\ef8913924aa338b5a3cae3f01e907e75_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef8913924aa338b5a3cae3f01e907e75_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\ef8913924aa338b5a3cae3f01e907e75_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ef8913924aa338b5a3cae3f01e907e75_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2764
- C:\Users\Admin\AppData\Local\Temp\ef8913924aa338b5a3cae3f01e907e75_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ef8913924aa338b5a3cae3f01e907e75_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1FD8.A03

Filesize
1KB

MD5
e27ab6fa62dee6bdbd60b8ad843294ca

SHA1
c7397b5edbc937b3c69ae31030c5de0d2d8d5ed5

SHA256
bac7c55b7a5fbfe451799b81877f73bd769b844af3a166afb6a9ce16885a63f4

SHA512
91cee77542b0ec55afb5083478697b24ee3b737745a94d4d6da170bc5e6549f6a2c7a66444ba5d0ea1edf671a245cd1b7b1c48415516a46fdc956e58046248d7

Download Submit
C:\Users\Admin\AppData\Roaming\1FD8.A03

Filesize
600B

MD5
b8192420d9b78acebae165925689f2d1

SHA1
22bc62f91deaed5d09545a8391086c6f19a6c784

SHA256
dbb0abaa2b21a4cdf2cfffb1553e60eb586491074d9a7538d48ffa53fa576040

SHA512
7527a507ba60f49743e54370fff86d4e96aa0ae575fc661f31148dbba21ce289c5c0f4cc10a3715fd2201bfa084f3bd29cd9fd711646277f1d7da9e9f8538fca

Download Submit
C:\Users\Admin\AppData\Roaming\1FD8.A03

Filesize
996B

MD5
ee684b81c60440eaeab3e78c8b2a84dc

SHA1
c44698f78344dda6fb1f9d6e4c3d297ec78b6a80

SHA256
6e4edd1dde80e90a853f099c3fbe42bbaab93b0bc7e6f4cc11709e98999831ab

SHA512
a3bdf48ed0daf916d7b04c9ddbaaf00eeb889ac0be23433b8b46532a74f2cf801dcd43250b311800a048e276c03fd593c5062ede15f0149bcd15359847533599

Download Submit
memory/2108-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2764-5-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2764-6-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3052-1-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3052-2-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3052-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3052-74-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3052-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3052-209-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads