cycbot | 76953bb546b98caa43033510fe78df1c05613d0dd4ba0a9643e6fb0a8a722e40

General

Target

fbf051aae49df5df85135777f9c4e067_JaffaCakes118.exe
Size

180KB
MD5

fbf051aae49df5df85135777f9c4e067
SHA1

282f19cdc28d75e4fae0fb0a1384a5e189065883
SHA256

76953bb546b98caa43033510fe78df1c05613d0dd4ba0a9643e6fb0a8a722e40
SHA512

bd634044afb01d4caeea3e4e96b6c8a6b27d1fee9474d28a39c4f6e905b4e800d28dd4b1dce5a6b9ff8a80a91e239601cf967ff2b5bd24200f07b1b84c064ea7
SSDEEP

3072:6woysfs2//cG0tIVe0rPar1CpXX1vsQKiAq0Q05XX1bRoPJcVOGx4N:6woFPh0r0rs1CpXFvsQel5VaiOGs

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2100-5-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/1832-12-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/308-83-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/1832-84-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/1832-191-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	fbf051aae49df5df85135777f9c4e067_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1832-2-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2100-5-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1832-12-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/308-80-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/308-83-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/308-81-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1832-84-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1832-191-0x0000000000400000-0x0000000000443000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbf051aae49df5df85135777f9c4e067_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbf051aae49df5df85135777f9c4e067_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbf051aae49df5df85135777f9c4e067_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 2100	1832	fbf051aae49df5df85135777f9c4e067_JaffaCakes118.exe	30
PID 1832 wrote to memory of 2100	1832	fbf051aae49df5df85135777f9c4e067_JaffaCakes118.exe	30
PID 1832 wrote to memory of 2100	1832	fbf051aae49df5df85135777f9c4e067_JaffaCakes118.exe	30
PID 1832 wrote to memory of 2100	1832	fbf051aae49df5df85135777f9c4e067_JaffaCakes118.exe	30
PID 1832 wrote to memory of 308	1832	fbf051aae49df5df85135777f9c4e067_JaffaCakes118.exe	33
PID 1832 wrote to memory of 308	1832	fbf051aae49df5df85135777f9c4e067_JaffaCakes118.exe	33
PID 1832 wrote to memory of 308	1832	fbf051aae49df5df85135777f9c4e067_JaffaCakes118.exe	33
PID 1832 wrote to memory of 308	1832	fbf051aae49df5df85135777f9c4e067_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\fbf051aae49df5df85135777f9c4e067_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbf051aae49df5df85135777f9c4e067_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\AppData\Local\Temp\fbf051aae49df5df85135777f9c4e067_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fbf051aae49df5df85135777f9c4e067_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2100
- C:\Users\Admin\AppData\Local\Temp\fbf051aae49df5df85135777f9c4e067_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fbf051aae49df5df85135777f9c4e067_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DF59.9C5

Filesize
600B

MD5
ea315eb843421e5d3d337fe4e1446701

SHA1
2d8f049cb5fccd6845c501d1a719809dcd3fcd7a

SHA256
98429ea864bc7b3bea0dbc813970b55e4db0a4624ad8973f9481eabd71144bf0

SHA512
ed9e9db22760a77b7a8978b3d52e9268e2b72f7b361c1fd7c4ff8e1807d1ce3ee5af07d0cf1b6272c83d4a8cca886f8751dfc587e487325775b9fac7c29d1a54

Download Submit
C:\Users\Admin\AppData\Roaming\DF59.9C5

Filesize
1KB

MD5
ef5fe622fc4125e6acffeca527092aa4

SHA1
ae4d43c00da27805fb49b3b6509e199560d8951d

SHA256
4985a29dae5c60e4493bb6b294fda8c9fd2c16fd55237a8bbb31d73312fcbb9c

SHA512
e34a678477d59bc250e5776809340b5f953ecd8133e2b7ff4602ae5603f8384fa3a3bde3deb0f3fc31af1efa3baace217d69927e31f1d55aa30d3a583e8906d1

Download Submit
C:\Users\Admin\AppData\Roaming\DF59.9C5

Filesize
996B

MD5
cf7efe693b0b93cb6402ff774f6165ca

SHA1
a85387a948b9cdaf6d12b2e85ab6b786c4e9bf72

SHA256
51ab913e70406e2421576ee1cd9601843ba33bc2cbcaa019167011bd0519e3ea

SHA512
5a741dc0b7f2c97b9487ddf3354b8f5c2e8caee6dc9cfd082593ee250f691b359b7a138aa1080ed07181dfb45961eecebf4e4491d62b769aa9b46644079c52e5

Download Submit
memory/308-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/308-83-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/308-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1832-1-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1832-2-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1832-12-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1832-84-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1832-191-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2100-5-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads