cycbot | ab2e7570287a4ec38ad19bfad8991501c5edd58f0582b68a69275270ff6493c1

General

Target

fbd644dbe1203eb4a7a0f0f002f2e421_JaffaCakes118.exe
Size

166KB
MD5

fbd644dbe1203eb4a7a0f0f002f2e421
SHA1

7761777af35b9ac68595eaa9de86deec012e03cc
SHA256

ab2e7570287a4ec38ad19bfad8991501c5edd58f0582b68a69275270ff6493c1
SHA512

79e50f0b91ffebb459f05c1066cc487e9143c7945062e887f80d9636a11d64ad50dd0663261a80aa601ff0c707a55015defa4501a21a2d0d44794da5cfb76d94
SSDEEP

3072:/8bn/Y5Juwre8zMmU/BAQepx2ztPR9FgRkKmKJ8eW:/0nwKC0meAX2tj2DJ8eW

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1700-15-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2360-16-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2280-85-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2360-86-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2360-187-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	fbd644dbe1203eb4a7a0f0f002f2e421_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1700-15-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1700-13-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2360-2-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2360-16-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2280-84-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2280-85-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2360-86-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2360-187-0x0000000000400000-0x0000000000445000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbd644dbe1203eb4a7a0f0f002f2e421_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbd644dbe1203eb4a7a0f0f002f2e421_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbd644dbe1203eb4a7a0f0f002f2e421_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 1700	2360	fbd644dbe1203eb4a7a0f0f002f2e421_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1700	2360	fbd644dbe1203eb4a7a0f0f002f2e421_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1700	2360	fbd644dbe1203eb4a7a0f0f002f2e421_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1700	2360	fbd644dbe1203eb4a7a0f0f002f2e421_JaffaCakes118.exe	31
PID 2360 wrote to memory of 2280	2360	fbd644dbe1203eb4a7a0f0f002f2e421_JaffaCakes118.exe	33
PID 2360 wrote to memory of 2280	2360	fbd644dbe1203eb4a7a0f0f002f2e421_JaffaCakes118.exe	33
PID 2360 wrote to memory of 2280	2360	fbd644dbe1203eb4a7a0f0f002f2e421_JaffaCakes118.exe	33
PID 2360 wrote to memory of 2280	2360	fbd644dbe1203eb4a7a0f0f002f2e421_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\fbd644dbe1203eb4a7a0f0f002f2e421_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbd644dbe1203eb4a7a0f0f002f2e421_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\fbd644dbe1203eb4a7a0f0f002f2e421_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fbd644dbe1203eb4a7a0f0f002f2e421_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1700
- C:\Users\Admin\AppData\Local\Temp\fbd644dbe1203eb4a7a0f0f002f2e421_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fbd644dbe1203eb4a7a0f0f002f2e421_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7C4E.A6C

Filesize
1KB

MD5
ba3b8b28bf65bdbd708ce05a2259693d

SHA1
9354c3d1c9ad3d8a6a95f35b306cf06722b41018

SHA256
45f893a79f41f9ef62cbdfe443bde43ffce88b3b3379608323ee9a3e163b43df

SHA512
6e98f68b02d65f2af1ed886306834ecf440d4968552d09f9863cb616ce1995891ee7b6f5ef6fe53c961a6d735527637010c82aa02f7f551ec114b4f7f51946c3

Download Submit
C:\Users\Admin\AppData\Roaming\7C4E.A6C

Filesize
600B

MD5
ce8320c9a64b54d78142f4be249a58cc

SHA1
6c09d1a965189c381295dff83b9a7c2ce084c8c7

SHA256
138a2370d02eec052cdb55330ee4eeccb94c6161fc1f16d9395d56065332a996

SHA512
1db9d0544d7be976a311682906c4a4ef2a314983b779da3ac448343c53324cbca999c1b49b0341e25782c0160967ed1ceba91cbe458e47bdfd345f132a74218f

Download Submit
C:\Users\Admin\AppData\Roaming\7C4E.A6C

Filesize
996B

MD5
5bba3ff08436bb7728dacb8efd807b19

SHA1
6b284fdb649fb01070e8a29aae3401ec7b102656

SHA256
f451d504f1c93fffac459eb042a4218a9f06a8b31fe48561f2a0e17b2d21ffd6

SHA512
b74f5431e25aab72386d67a9970442fe883f481559d639970fd4419e2ac302cf60e1c7baeda3d3219f68ddbf3963846723d0d7b126f081dce24732fa6209db2c

Download Submit
memory/1700-13-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1700-12-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1700-15-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2280-85-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2280-84-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2360-2-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2360-86-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2360-16-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2360-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2360-187-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads