cycbot | bd68874a269bc8bc1d288363fe8fa5c8eabed3c68c559881250d75714e9e2dc2

General

Target

f502eef7ce2c0ea0f307511cbf71522b_JaffaCakes118.exe
Size

167KB
MD5

f502eef7ce2c0ea0f307511cbf71522b
SHA1

b0b8066f19911657405038497b5b917fda94d0f9
SHA256

bd68874a269bc8bc1d288363fe8fa5c8eabed3c68c559881250d75714e9e2dc2
SHA512

e61c82e2fcb9657e5a76277c4979d767bb5f10829fffb21d008a093774e2fedfb53f9bf894521bfc2900d42265c49cc553a4f7543185f78dfdc661cd81f7d5eb
SSDEEP

3072:qZDtpSLETxfdEH3qxyXSGMCa6IXWThRsZz6K/Hqm0v:kWCfdAqxyiGMBGhRtgHJm

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2096-20-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2640-21-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/3060-86-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2640-155-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2640-205-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	f502eef7ce2c0ea0f307511cbf71522b_JaffaCakes118.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2640-2-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2096-18-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2096-17-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2096-20-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2640-21-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3060-84-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3060-86-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2640-155-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2640-205-0x0000000000400000-0x0000000000445000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f502eef7ce2c0ea0f307511cbf71522b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f502eef7ce2c0ea0f307511cbf71522b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f502eef7ce2c0ea0f307511cbf71522b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2096	2640	f502eef7ce2c0ea0f307511cbf71522b_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2096	2640	f502eef7ce2c0ea0f307511cbf71522b_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2096	2640	f502eef7ce2c0ea0f307511cbf71522b_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2096	2640	f502eef7ce2c0ea0f307511cbf71522b_JaffaCakes118.exe	30
PID 2640 wrote to memory of 3060	2640	f502eef7ce2c0ea0f307511cbf71522b_JaffaCakes118.exe	32
PID 2640 wrote to memory of 3060	2640	f502eef7ce2c0ea0f307511cbf71522b_JaffaCakes118.exe	32
PID 2640 wrote to memory of 3060	2640	f502eef7ce2c0ea0f307511cbf71522b_JaffaCakes118.exe	32
PID 2640 wrote to memory of 3060	2640	f502eef7ce2c0ea0f307511cbf71522b_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\f502eef7ce2c0ea0f307511cbf71522b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f502eef7ce2c0ea0f307511cbf71522b_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\f502eef7ce2c0ea0f307511cbf71522b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f502eef7ce2c0ea0f307511cbf71522b_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2096
- C:\Users\Admin\AppData\Local\Temp\f502eef7ce2c0ea0f307511cbf71522b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f502eef7ce2c0ea0f307511cbf71522b_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5E7A.B6D

Filesize
597B

MD5
db65fc66948b9e0e1b04fe9406223324

SHA1
7b1a4ff88057450699a763169d50e447290dc550

SHA256
148982192eeb95fc8097a6916b07e66194695766c4a6f99b6b4fa3939f022c94

SHA512
b7ff201abae9d10e31681a80f6bac5001b9d7892beb30e3219595da685b513e648afc0e457c44d5e267987552a429a373d18921fa7fae56edc25d269da50a0b4

Download Submit
C:\Users\Admin\AppData\Roaming\5E7A.B6D

Filesize
1KB

MD5
788209305e38c35a2439fd6f5069cab3

SHA1
91652dccd61acd6763d7cdd3d881e87326fb9675

SHA256
7d9244050d973b37502fa165c0106d49536cd888d1c6b6bc30ffb3c6fb3c5f6f

SHA512
3a16a1c28560380ff812fdfd49c19e78596e4aaed55e44c5278de68320806cb0d710eb8ac010a99238cc68c5c7150642006ea23ec90b6e44fce9650ba295845a

Download Submit
C:\Users\Admin\AppData\Roaming\5E7A.B6D

Filesize
897B

MD5
f965b63e43ff6fa534380800bfe386eb

SHA1
894abb6dfc0cab6d3bef7681578eeccdfbf37e88

SHA256
1e4f762f07c4836fb8f95706f0957075409e4ff07b01c96318cf098e462a6660

SHA512
3cb796d4c4bf0b66a9fbbe8b372ef8aaec21ee60c1da7b422fecd06e12309d426ddceed428fccd89b43cb9a0988e7419d93b1d9e781fd602e4b22d64a71bf67e

Download Submit
C:\Users\Admin\AppData\Roaming\5E7A.B6D

Filesize
1KB

MD5
ac06e25d4b7fcae68fd8a3777143a52e

SHA1
07486544e13f6d2445c9ea27e3dd9a0f848cae17

SHA256
2ce60b7f81be1fe3874ef0f902f417e43051e1ec7c4d2c36ac346a90821fdbc6

SHA512
5748c33a049582fe266b46a813f745c739c5982d74354ed8eb6a8ad7f2ed135b71844ae0683286be8482e8dfa471393e147e032a230ba559614152fa5df901f4

Download Submit
memory/2096-18-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2096-17-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2096-20-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2640-21-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2640-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2640-155-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2640-2-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2640-205-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3060-84-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3060-86-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads