cycbot | 6d9f9e320e0c1d0d4d4f9d750ee8acb24804bda85246572a2cbf47304721452a

General

Target

f05841566fd46101e8ac0843bfe52af0_JaffaCakes118.exe
Size

174KB
MD5

f05841566fd46101e8ac0843bfe52af0
SHA1

82b433c81dd763598ba45a4d11feadc9b1d724ca
SHA256

6d9f9e320e0c1d0d4d4f9d750ee8acb24804bda85246572a2cbf47304721452a
SHA512

2a4309dbe9fd8d3613a5bbc9ce620f9333dfc801d8345e1d0ce07221fa43680b11e243b8b21d41f80dbbec3c77361425c9cb53909dfb523c1e74168f77d3337d
SSDEEP

3072:C22Azyo0VnGnAvTuXXwedA4Hk7iRnLQ9E594BeKLI8G:C2vQnG0iLA4fnLQ9k94

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2812-13-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1400-14-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1400-75-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2416-79-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1400-192-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	f05841566fd46101e8ac0843bfe52af0_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1400-2-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2812-12-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2812-13-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1400-14-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1400-75-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2416-77-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2416-79-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1400-192-0x0000000000400000-0x0000000000445000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f05841566fd46101e8ac0843bfe52af0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f05841566fd46101e8ac0843bfe52af0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f05841566fd46101e8ac0843bfe52af0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 2812	1400	f05841566fd46101e8ac0843bfe52af0_JaffaCakes118.exe	31
PID 1400 wrote to memory of 2812	1400	f05841566fd46101e8ac0843bfe52af0_JaffaCakes118.exe	31
PID 1400 wrote to memory of 2812	1400	f05841566fd46101e8ac0843bfe52af0_JaffaCakes118.exe	31
PID 1400 wrote to memory of 2812	1400	f05841566fd46101e8ac0843bfe52af0_JaffaCakes118.exe	31
PID 1400 wrote to memory of 2416	1400	f05841566fd46101e8ac0843bfe52af0_JaffaCakes118.exe	33
PID 1400 wrote to memory of 2416	1400	f05841566fd46101e8ac0843bfe52af0_JaffaCakes118.exe	33
PID 1400 wrote to memory of 2416	1400	f05841566fd46101e8ac0843bfe52af0_JaffaCakes118.exe	33
PID 1400 wrote to memory of 2416	1400	f05841566fd46101e8ac0843bfe52af0_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\f05841566fd46101e8ac0843bfe52af0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f05841566fd46101e8ac0843bfe52af0_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Local\Temp\f05841566fd46101e8ac0843bfe52af0_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f05841566fd46101e8ac0843bfe52af0_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2812
- C:\Users\Admin\AppData\Local\Temp\f05841566fd46101e8ac0843bfe52af0_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f05841566fd46101e8ac0843bfe52af0_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DCE3.842

Filesize
1KB

MD5
a527fda67c7969424bf6e4476b8aaf42

SHA1
fa0e2896226701b72d46b37379b61eaae269e62a

SHA256
dee5b6118ba025eb1c4feefe1aea7e2f7665463bc97132f7f7604948032f90dc

SHA512
416e48c93ca1be631992b68d69a90ead1bec00ec0fb197514e02b929d4960354aca74638b2b34378f834002e2f87ce719197eb0738c006ac2a1ad0c40f089cc1

Download Submit
C:\Users\Admin\AppData\Roaming\DCE3.842

Filesize
600B

MD5
cf5415417ba536df97e3b2f3e6ca7d18

SHA1
6503e51f06778a878be59ddd707f378e4d9441f1

SHA256
015ed1bbec071b5dca670b445f76df032d07b4e52f78731e7e6ce4a5173d2f1a

SHA512
c020fe85ff1eeb0658e19939e8a69417c7108e7c371546b901b049503cb5b09a0ecf55ed3bf9befba19874cae5c66d618104784c2e60a91999defc6dedf4af06

Download Submit
C:\Users\Admin\AppData\Roaming\DCE3.842

Filesize
996B

MD5
def091c6032bb4a4695fceec3b9d4aa4

SHA1
3bca6d4c6e1ff69ca7af05cabdb283252dc5c303

SHA256
20de9a6b97a23617237f36e19f7e5afceafc42ebb4efb0ccdef77ee7e0679af7

SHA512
83418e8a2d068b0d107a3048dfc4a5f25b62c3f0725079599a8a4fbdfff22e7cd46af88a039605f6562eb7adec7e07d194bc451bcdfbacbf89c9a18f11b68423

Download Submit
memory/1400-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1400-2-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1400-14-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1400-75-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1400-192-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2416-77-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2416-79-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2812-12-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2812-13-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads