cycbot | 3b847aad854ebbbbd6255deecd49db6d2989c32c0c840b8d67481b6deb4bd657

General

Target

f7a587bd4b88d4b94d4b16047947a5c7_JaffaCakes118.exe
Size

163KB
MD5

f7a587bd4b88d4b94d4b16047947a5c7
SHA1

bc29bb636f70d2874e87597a6dfeaf81f3b8a47c
SHA256

3b847aad854ebbbbd6255deecd49db6d2989c32c0c840b8d67481b6deb4bd657
SHA512

c26e59cf46bdddbc47576689c5951a17f9ff5a8cd2b59111c27fc0af7209d1a849d1bb60a4ee0da00f25f60670e9cd4554b54262e903e2a4d4e69dd47c0dcbb0
SSDEEP

3072:kLdq4yiuPJDlbNxoK1/QMvMcIKBInFwJGe+XFcgHPyPSrh4/lv5BKN:kLk4yiuPJDlbDoK1/QMvMoInwG7XcKyM

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/844-10-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral1/memory/2344-15-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral1/memory/2344-84-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral1/memory/2204-88-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral1/memory/2344-197-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	f7a587bd4b88d4b94d4b16047947a5c7_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2344-2-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/844-10-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/844-8-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2344-15-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2344-84-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2204-87-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2204-88-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2344-197-0x0000000000400000-0x0000000000444000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7a587bd4b88d4b94d4b16047947a5c7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7a587bd4b88d4b94d4b16047947a5c7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7a587bd4b88d4b94d4b16047947a5c7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 844	2344	f7a587bd4b88d4b94d4b16047947a5c7_JaffaCakes118.exe	30
PID 2344 wrote to memory of 844	2344	f7a587bd4b88d4b94d4b16047947a5c7_JaffaCakes118.exe	30
PID 2344 wrote to memory of 844	2344	f7a587bd4b88d4b94d4b16047947a5c7_JaffaCakes118.exe	30
PID 2344 wrote to memory of 844	2344	f7a587bd4b88d4b94d4b16047947a5c7_JaffaCakes118.exe	30
PID 2344 wrote to memory of 2204	2344	f7a587bd4b88d4b94d4b16047947a5c7_JaffaCakes118.exe	32
PID 2344 wrote to memory of 2204	2344	f7a587bd4b88d4b94d4b16047947a5c7_JaffaCakes118.exe	32
PID 2344 wrote to memory of 2204	2344	f7a587bd4b88d4b94d4b16047947a5c7_JaffaCakes118.exe	32
PID 2344 wrote to memory of 2204	2344	f7a587bd4b88d4b94d4b16047947a5c7_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\f7a587bd4b88d4b94d4b16047947a5c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f7a587bd4b88d4b94d4b16047947a5c7_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\f7a587bd4b88d4b94d4b16047947a5c7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f7a587bd4b88d4b94d4b16047947a5c7_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:844
- C:\Users\Admin\AppData\Local\Temp\f7a587bd4b88d4b94d4b16047947a5c7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f7a587bd4b88d4b94d4b16047947a5c7_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ACF5.8E4

Filesize
1KB

MD5
84df9675204dfece46ac392784ee253c

SHA1
9007a99157737184e0b577b066b0d0534ff5fa54

SHA256
c70db55dc811a4eedf74b27103fa4a95bb0d3f275197ebf8fd71a35d7b26118f

SHA512
09bd5142d5ff618c9cca2ee5fc834a92da6595e7a6ffbfad30016b04a780ae3e9ee253dc815c62fa2bc3239f6e9792eceb4461d560705dc33c2a6f5c72347956

Download Submit
C:\Users\Admin\AppData\Roaming\ACF5.8E4

Filesize
600B

MD5
c4a90e4bb4de8e53df5026db51e4d79a

SHA1
ec97cefdaab36a18d4e23c85fa7723968dc8c671

SHA256
6e8d3891309c37c2def5a1da4c1fd2d2917bd4486e5e9442cd956f3b6113c857

SHA512
2f5d180a1e1ceecb3041cda2081b7ae81e99288f949606d2dad254046322bd400a8b1e70ded407426fbdc625964103c9092130c4e56473e8fe846f877adcddcc

Download Submit
C:\Users\Admin\AppData\Roaming\ACF5.8E4

Filesize
996B

MD5
1c18792f6d6267010b43a200d763cd7e

SHA1
817f9cf7459c6aab848caa8f435172d5bed0c005

SHA256
20b40ebe7c9ee535b7dc1395d0a90120da058c4894b0f0a7771cc77edac25293

SHA512
bdb9dbe6cca15254701e18a68c12481940e555a21300459cb00f98145935562fb79ca3658c57a7d83133c3d88537efff65935777a080f046a3bc76495d21c602

Download Submit
memory/844-10-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/844-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2204-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2204-87-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2204-86-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2344-84-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2344-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2344-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2344-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2344-197-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads