cycbot | dec2698415f4f89f7f947ab66397519d80bc215a063aefcdc4cfed3a57e756d8

General

Target

f7d897eb2899503400e756b2ee5c5ac9_JaffaCakes118.exe
Size

157KB
MD5

f7d897eb2899503400e756b2ee5c5ac9
SHA1

5cc8d56f3e4cd3b9743619b925b8fe5fb5f0be26
SHA256

dec2698415f4f89f7f947ab66397519d80bc215a063aefcdc4cfed3a57e756d8
SHA512

ea8a3fd31d85eeb8aaadcbb5c77abab777c54eb59c35c05a44767254f26ca5b555bb8c4602e72603eeecc78a88414ba57d40d43b95c770310b4967289b0efb59
SSDEEP

3072:pHYNBi9HJxPGU8XX1JFcB5bp7ssxA+DN6i0ZxsM4kuKuP0oL+9Fx6V4TrqvL/G:ZYNBi9HJxuHz6B7DzDN69Cg+cShL

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2800-7-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2660-18-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2660-83-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/1752-85-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2660-203-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	f7d897eb2899503400e756b2ee5c5ac9_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2660-1-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2800-7-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2660-18-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2660-83-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1752-85-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2660-203-0x0000000000400000-0x0000000000442000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7d897eb2899503400e756b2ee5c5ac9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7d897eb2899503400e756b2ee5c5ac9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7d897eb2899503400e756b2ee5c5ac9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2800	2660	f7d897eb2899503400e756b2ee5c5ac9_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2800	2660	f7d897eb2899503400e756b2ee5c5ac9_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2800	2660	f7d897eb2899503400e756b2ee5c5ac9_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2800	2660	f7d897eb2899503400e756b2ee5c5ac9_JaffaCakes118.exe	30
PID 2660 wrote to memory of 1752	2660	f7d897eb2899503400e756b2ee5c5ac9_JaffaCakes118.exe	32
PID 2660 wrote to memory of 1752	2660	f7d897eb2899503400e756b2ee5c5ac9_JaffaCakes118.exe	32
PID 2660 wrote to memory of 1752	2660	f7d897eb2899503400e756b2ee5c5ac9_JaffaCakes118.exe	32
PID 2660 wrote to memory of 1752	2660	f7d897eb2899503400e756b2ee5c5ac9_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\f7d897eb2899503400e756b2ee5c5ac9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f7d897eb2899503400e756b2ee5c5ac9_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Local\Temp\f7d897eb2899503400e756b2ee5c5ac9_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f7d897eb2899503400e756b2ee5c5ac9_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2800
- C:\Users\Admin\AppData\Local\Temp\f7d897eb2899503400e756b2ee5c5ac9_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f7d897eb2899503400e756b2ee5c5ac9_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\EC0D.F49

Filesize
597B

MD5
bf603974d598d6ea096ace1fb56d561c

SHA1
325ccc19a59ee3b1a5325055cfa83afc1c8575e0

SHA256
48c7e315e35be2c441111f291afe470543c02dbb0f707985643ec29495df1006

SHA512
f236ef452509e4a24e275c68ac4b1dfb860b7a2e1230d12940cde987dcdeb057aed945f516aa2d3dd6e4c973dce0491232201cdbdafa1293074b4096523e2be8

Download Submit
C:\Users\Admin\AppData\Roaming\EC0D.F49

Filesize
1KB

MD5
1d0508c66d3ce5643a908d00f33ed0ca

SHA1
ebba6d1777cf15f68d09c0371572d7ef1c0be49e

SHA256
9288f457db62c282b0f91bf14eeef9cdfcf65808b9c138fc69d7833607b6fb71

SHA512
393ab4d59aa45c160498f50bf44eb2a4c9ab933154360bc94bd1bd3774c7b788a34433c404ec269525d60f357235289b5c0d66c7f6aee4aff375912a604dcde6

Download Submit
C:\Users\Admin\AppData\Roaming\EC0D.F49

Filesize
897B

MD5
102eb94423d0777518272f067a9edebe

SHA1
7894be11508fcea3c80b5e83ef9a6e66699a8057

SHA256
5d2332ef22e163430c9d28d98ce0ededcb498aef75cd6c9706378c3962c003bb

SHA512
2f353e98360d3c813999ac107fcc108a17ff3141e80b9c4b15e183addeabae9ce1b810f6a98a1afe8c77ea8f282de94d655c740f50cad916e40aa64d47b436d0

Download Submit
C:\Users\Admin\AppData\Roaming\EC0D.F49

Filesize
1KB

MD5
3ed1d704a4bcb73d17d7c82fb2fbb042

SHA1
b8a3313924cffb59e9589048acaca9aba3125c7e

SHA256
c232ab03b76a6041de0f0977ff258e3e5c46a457d4030f186815568d924d4bba

SHA512
796f718b6d815832b96b0d7e6dce188d8ac7e7488f46bf694ae78e26a2a7fbc1d0a716e2cadae23c736f61fcea631b8cd7f1da6f6735dd5be23a348f3655fbb9

Download Submit
memory/1752-85-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2660-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2660-18-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2660-83-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2660-203-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2800-6-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2800-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads