cycbot | 02ca76069d2748de5cce697e5dbe797e86b2e2778b1a1ba067c72fba34b8624f

General

Target

f9be20890befb85ec738b41a206f1146_JaffaCakes118.exe
Size

182KB
MD5

f9be20890befb85ec738b41a206f1146
SHA1

466195fb4306f06b8fc49e8810e4d6f422b37fb1
SHA256

02ca76069d2748de5cce697e5dbe797e86b2e2778b1a1ba067c72fba34b8624f
SHA512

59be08a94f77894e6ee886414bef5738d08b94185b7b2c92eac9e60c883313e23424ebf7d14248c9858d1c92b20bcd3074ffc1c0555592ff2bf4c373720acc03
SSDEEP

3072:jSjPN+M8ZEmtX6heZbZRsIDqM88+PzTfW3+aZN+hIGXovqKvKjIYJaF0QF8X8h0M:On8OmtX6IZbZRsIGMIPzS3+aZN04S1I/

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2420-13-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/2420-14-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/3052-15-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/1064-78-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/3052-79-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/3052-183-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	f9be20890befb85ec738b41a206f1146_JaffaCakes118.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3052-2-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2420-13-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2420-12-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2420-14-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3052-15-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1064-77-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1064-78-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3052-79-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3052-183-0x0000000000400000-0x0000000000443000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9be20890befb85ec738b41a206f1146_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9be20890befb85ec738b41a206f1146_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9be20890befb85ec738b41a206f1146_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2420	3052	f9be20890befb85ec738b41a206f1146_JaffaCakes118.exe	30
PID 3052 wrote to memory of 2420	3052	f9be20890befb85ec738b41a206f1146_JaffaCakes118.exe	30
PID 3052 wrote to memory of 2420	3052	f9be20890befb85ec738b41a206f1146_JaffaCakes118.exe	30
PID 3052 wrote to memory of 2420	3052	f9be20890befb85ec738b41a206f1146_JaffaCakes118.exe	30
PID 3052 wrote to memory of 1064	3052	f9be20890befb85ec738b41a206f1146_JaffaCakes118.exe	32
PID 3052 wrote to memory of 1064	3052	f9be20890befb85ec738b41a206f1146_JaffaCakes118.exe	32
PID 3052 wrote to memory of 1064	3052	f9be20890befb85ec738b41a206f1146_JaffaCakes118.exe	32
PID 3052 wrote to memory of 1064	3052	f9be20890befb85ec738b41a206f1146_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\f9be20890befb85ec738b41a206f1146_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9be20890befb85ec738b41a206f1146_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\f9be20890befb85ec738b41a206f1146_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f9be20890befb85ec738b41a206f1146_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2420
- C:\Users\Admin\AppData\Local\Temp\f9be20890befb85ec738b41a206f1146_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f9be20890befb85ec738b41a206f1146_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D50A.CA0

Filesize
1KB

MD5
8161a3a36c24c6091e7bbe58d088b3d9

SHA1
8a084fa39d446a00a66fea06bbc3ab698e11a7be

SHA256
33d32ccdb927005da5749a122014194d987ba241ed8abd7d8aff94515311c880

SHA512
75a66a9eb5d768c31d3d71e06da053640e02284bbaf6236a5996ddfda260acd7cf2ecb4737a7fb445ae40db4548c26ffbd013d90ec76900fe9eed665a9f71ff1

Download Submit
C:\Users\Admin\AppData\Roaming\D50A.CA0

Filesize
1KB

MD5
93e54f44f48965428282e46ea63ebfb2

SHA1
4aa860d33ee37eaedefd40af8c3040a67bb6debf

SHA256
2d047773d2fba35ab4d4879896e3454097b492c1ea8c09c8480197b800e0f295

SHA512
82c1a4ad9fd9e79e0919ae1a8b8325d4031c0f89fdc22897544d8592546a3a813dea1011f88c7ed360db7c702231c371c6b975c3f36571ded26ee38237586354

Download Submit
C:\Users\Admin\AppData\Roaming\D50A.CA0

Filesize
600B

MD5
61745779d90211f29105137f8eb0c7c2

SHA1
68ed18b9930ccecc4d56054c3c8867e167a3684a

SHA256
ca37cd7132435330cafbaee26fd5cdd3e865fd79d441104938f0671a10be3540

SHA512
d757ececb9c6e930dee4a2e4954ce7bf9431373639da6ff7643661e0881267369e0d719c6823b5e29893f7e1a2e9d03d7f01581d0b0f2a3cd513734fa3411906

Download Submit
C:\Users\Admin\AppData\Roaming\D50A.CA0

Filesize
996B

MD5
b040264c45bfc0f63a06832d4dc60ccf

SHA1
a0dea841a7668051c64171b92cdfd203045f52a6

SHA256
0068bc4256a0583c71f145712af573f6c8188d3a21d4c827080ea46aa2d8ad36

SHA512
e91e1f1e80e7ab2d884089d4dff177919b93399e5d53dabcc778d678926641fbeeec89000206bd67cac5039f038ba78ea9793bd4d13b3afa831db42cd7495426

Download Submit
memory/1064-78-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1064-76-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1064-77-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2420-14-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2420-12-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2420-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3052-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3052-1-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3052-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3052-2-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3052-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads